I found that my TLS client was not happy because my server cert is signed by an intermediate root.
A quick search in Google found other people mentioning the same problem, but no solution or documentation.
I've had a quick look in the Kamailio source and I notice it is using the call:
SSL_CTX_use_certificate_chain_file
to load the certificate specified in tls.cfg with
certificate=myserver.pem
In practice, this means the intermediate certificates can be appended to myserver.pem and Kamailio will present them to the TLS client:
Example:
Trust hierarchy:
trusted root - inter 1 - inter 2 - server.example.com.pem
Construct the PEM file in this exact order:
cat server.example.com.pem > chain-server.example.com.pem
cat inter2.pem >> chain-server.example.com.pem
cat inter1.pem >> chain-server.example.com.pem
and then, in tls.cfg:
certificate=chain-server.example.com.pem
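
An added example, not part of the original post or of Kamailio's code: a shell function (the name check_chain_order is hypothetical) that checks a PEM bundle is in the leaf-first order shown above by comparing each certificate's issuer with the subject of the certificate that follows it. It assumes the openssl command-line tool is installed, and it compares names only, without verifying signatures.

```shell
#!/bin/sh
# check_chain_order FILE   (hypothetical helper name, added example)
# Returns 0 when every certificate in FILE names the next certificate in
# FILE as its issuer (server cert first, then inter 2, then inter 1).
# Returns 1 on an ordering mismatch, 2 if FILE contains no certificate.
check_chain_order() {
    bundle=$1
    tmp=$(mktemp -d) || return 2
    # Split the bundle into cert-1.pem, cert-2.pem, ... in file order.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$bundle"
    i=1
    rc=0
    [ -f "$tmp/cert-1.pem" ] || rc=2
    while [ -f "$tmp/cert-$((i + 1)).pem" ]; do
        issuer=$(openssl x509 -in "$tmp/cert-$i.pem" -noout -issuer \
                     -nameopt RFC2253 | sed 's/^issuer= *//')
        subject=$(openssl x509 -in "$tmp/cert-$((i + 1)).pem" -noout -subject \
                     -nameopt RFC2253 | sed 's/^subject= *//')
        if [ "$issuer" != "$subject" ]; then
            echo "cert $i: issuer '$issuer' != subject of cert $((i + 1)) '$subject'" >&2
            rc=1
        fi
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return "$rc"
}

# Stand-alone use: sh check_chain.sh chain-server.example.com.pem
if [ $# -gt 0 ]; then
    check_chain_order "$1"
fi
```

Run it against chain-server.example.com.pem before restarting Kamailio; a non-zero exit status means the certificates were appended in the wrong order.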