Hi Igor,
Ran into the same issue previously, glad you figured it out as well.
In Debian for example: ca_list = /etc/ssl/certs/ca-certificates.crt
BTW, alternatively, you could just deploy the Baltimore CA root cert that Microsoft uses instead of loading the full CA root list, if the SBC will be used solely for MS Direct Routing. From the MS docs:
*Deploy Baltimore Trusted Root Certificate* Loading Baltimore Trusted Root Certificates is mandatory for implementing a TLS connection with the Microsoft Teams network. The DNS name of the Teams Direct Routing interface is sip.pstnhub.microsoft.com. In this interface, a certificate is presented which is signed by Baltimore CyberTrust Root with Serial Number: 02 00 00 b9 and SHA fingerprint: d4:de:20:d0:5e:66:fc:53:fe:1a:50:88:2c:78:db:28:52:ca:e4:74. To trust this certificate, your SBC must have the certificate in Trusted Certificates storage. Download the certificate from https://cacert.omniroot.com/bc2025.pem and follow the steps above to import the certificate to the Trusted Root storage.
Cheers, --Sergiu
On Sun, Mar 29, 2020 at 10:14 AM Igor Olhovskiy igorolhovskiy@gmail.com wrote:
Thanks! That did the trick (Debian 10)
[server:default]
method = TLSv1.2+
verify_certificate = yes
require_certificate = yes
private_key = /etc/kamailio/tls/myserver.key
certificate = /etc/kamailio/tls/myserver.crt
# Points to your root CA list
ca_list = /etc/ssl/certs/ca-certificates.crt

[client:default]
method = TLSv1.2+
verify_certificate = yes
require_certificate = yes
private_key = /etc/kamailio/tls/myserver.key
certificate = /etc/kamailio/tls/myserver.crt
ca_list = /etc/kamailio/tls/issuer.crt
Now it takes longer to reload the TLS config and I need to increase the PKG/SHM size to process the full list, but it's ok )
On 29.03.2020 13:54, Alexey Vasilyev wrote:
Hi Igor,
These errors are about verification of the Microsoft certificate. /etc/kamailio/tls/issuer.cer should contain a certificate authorities list, which contains trusted root certificates. For example, for CentOS 7: /etc/ssl/certs/ca-bundle.crt
Alexey Vasilyev alexei.vasilyev@gmail.com
On 29 Mar 2020, at 11:36, Igor Olhovskiy igorolhovskiy@gmail.com wrote:
Hi!
Actually I’m trying to get Kamailio to work as an MS Teams SBC following this perfect article https://skalatan.de/en/blog/kamailio-sbc-teams It works well, but one thing is bothering me. I’m using Let’s Encrypt certs (actually, it works well), but with these settings in *tls.conf*
verify_certificate = yes
require_certificate = yes
It’s giving errors like
/usr/sbin/kamailio[4551]: ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS write:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
/usr/sbin/kamailio[4551]: ERROR: <core> [core/tcp_read.c:1505]: tcp_read_req(): ERROR: tcp_read_req: error reading - c: 0x7f03e6d23d88 r: 0x7f03e6d23e08 (-1)
They are resolved by setting these settings (verify/require) to off (actually, as mentioned here: https://www.fredposner.com/1836/kamailio-tls-and-letsencrypt/), but I’m really curious: why?
As far as I understand, it’s using *openssl verify* in the background, but this check passes locally with
openssl verify -CAfile issuer.crt myserver.crt
myserver.crt: OK
So, are there any tricks for Let’s Encrypt, or is it just some misconfig in *tls.cfg*?
Now it looks like the one from the article:
[server:default]
method = TLSv1.2+
verify_certificate = yes
require_certificate = yes
private_key = /etc/kamailio/tls/myserver.key
certificate = /etc/kamailio/tls/myserver.crt
ca_list = /etc/kamailio/tls/issuer.crt

[client:default]
method = TLSv1.2+
verify_certificate = yes
require_certificate = yes
private_key = /etc/kamailio/tls/myserver.key
certificate = /etc/kamailio/tls/myserver.crt
ca_list = /etc/kamailio/tls/issuer.crt

-- Regards, Igor
Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
-- Regards, Igor
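The thread's root cause is that the client-side ca_list must contain the root that signed Microsoft's chain (the Baltimore CyberTrust Root quoted above), not only the Let's Encrypt issuer used for the local openssl verify check. As an added example, not code from the thread or from Kamailio, the following stand-alone Python script walks a PEM bundle such as /etc/ssl/certs/ca-certificates.crt and reports whether a certificate with the fingerprint quoted from the Microsoft docs is present; the sample bundle inside it is constructed from arbitrary bytes, not real certificates.

```python
import base64
import hashlib
import re
import sys

# SHA-1 fingerprint of the Baltimore CyberTrust Root as quoted from the
# Microsoft docs in the thread (SHA-1 only because that is what the docs give).
BALTIMORE_SHA1 = "d4:de:20:d0:5e:66:fc:53:fe:1a:50:88:2c:78:db:28:52:ca:e4:74"

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def normalize_fingerprint(fp: str) -> str:
    """Lower-case hex with colons and whitespace removed, so a fingerprint
    copy-pasted from docs (mixed case, stray spaces) compares correctly."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def pem_certificates(bundle_text: str) -> list:
    """DER bytes of every certificate in a PEM bundle (a Kamailio ca_list)."""
    return [base64.b64decode("".join(m.group(1).split()))
            for m in _PEM_RE.finditer(bundle_text)]


def sha1_fingerprint(der: bytes) -> str:
    """Fingerprint as openssl x509 -fingerprint -sha1 prints it, minus colons."""
    return hashlib.sha1(der).hexdigest()


def bundle_fingerprints(bundle_text: str) -> list:
    return [sha1_fingerprint(der) for der in pem_certificates(bundle_text)]


def bundle_has_fingerprint(bundle_text: str, fingerprint: str) -> bool:
    """True if a certificate with this SHA-1 fingerprint is in the bundle."""
    want = normalize_fingerprint(fingerprint)
    return any(fp == want for fp in bundle_fingerprints(bundle_text))


def _fake_pem(data: bytes) -> str:
    """Constructed sample: wraps arbitrary bytes in PEM armour (not X.509)."""
    b64 = base64.b64encode(data).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"


SAMPLE_BUNDLE = _fake_pem(b"fake cert one") + _fake_pem(b"fake cert two")

if __name__ == "__main__":
    # Usage: python check_ca_list.py /etc/ssl/certs/ca-certificates.crt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    present = bundle_has_fingerprint(text, BALTIMORE_SHA1)
    print(f"{len(bundle_fingerprints(text))} certs; Baltimore root present: {present}")
```

Run it against the file named in the client profile's ca_list before enabling verify_certificate; an issuer-only file like issuer.crt will report the root as absent.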