Hi Igor,
Ran into the same issue previously, glad you figured it out as well.
In Debian for example:
ca_list = /etc/ssl/certs/ca-certificates.crt
BTW, alternatively, you could just deploy the Baltimore CA root cert that
Microsoft uses instead of loading the full CA root list, if the SBC will be
used solely for MS Direct Routing. From the MS docs:
*Deploy Baltimore Trusted Root Certificate*
Loading Baltimore Trusted Root Certificates is mandatory for implementing a
TLS connection with the Microsoft Teams network.
The DNS name of the Teams Direct Routing interface is
sip.pstnhub.microsoft.com.
In this interface, a certificate is presented which is signed by Baltimore
Cyber Baltimore CyberTrust Root with Serial Number: 02 00 00 b9 and SHA
fingerprint: d4:de:20:d0:5e:66:fc:53:fe:1a:50:88:2c:78:db:28:52:ca:e4:74.
To trust this certificate, your SBC must have the certificate in Trusted
Certificates storage. Download the certificate from
https://cacert.omniroot.com/bc2025.pem and follow the steps above to import
the certificate to the Trusted Root storage.
Cheers,
--Sergiu
On Sun, Mar 29, 2020 at 10:14 AM Igor Olhovskiy <igorolhovskiy(a)gmail.com>
wrote:
Thanks! That did the trick (Debian 10)
[server:default]
method = TLSv1.2+
verify_certificate = yes
require_certificate = yes
private_key = /etc/kamailio/tls/myserver.key
certificate = /etc/kamailio/tls/myserver.crt
# Points to your root CA list
ca_list = /etc/ssl/certs/ca-certificates.crt
[client:default]
method = TLSv1.2+
verify_certificate = yes
require_certificate = yes
private_key = /etc/kamailio/tls/myserver.key
certificate = /etc/kamailio/tls/myserver.crt
ca_list = /etc/kamailio/tls/issuer.crt
It now takes longer to reload the TLS config, and I need to increase PKG/SHM size to
process the full list, but it's OK :)
On 29.03.2020 13:54, Alexey Vasilyev wrote:
Hi Igor,
Because these errors are about verification of the Microsoft certificate.
/etc/kamailio/tls/issuer.cer should contain certificate authorities list,
which contains trusted root certificates.
For example, for CentOS7 /etc/ssl/certs/ca-bundle.crt
-----
Alexey Vasilyev
alexei.vasilyev(a)gmail.com
On 29 Mar 2020, at 11:36, Igor Olhovskiy <igorolhovskiy(a)gmail.com> wrote:
Hi!
Actually, I’m trying to get Kamailio to work as an MS Teams SBC, following this
perfect article
https://skalatan.de/en/blog/kamailio-sbc-teams
It works well, but one thing is bothering me.
I’m using Let’s Encrypt certs (actually, they work well), but with these settings in
*tls.conf*
verify_certificate = yes
require_certificate = yes
it’s giving errors like
/usr/sbin/kamailio[4551]: ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS
write:error:1416F086:SSL
routines:tls_process_server_certificate:certificate verify failed
/usr/sbin/kamailio[4551]: ERROR: <core> [core/tcp_read.c:1505]:
tcp_read_req(): ERROR: tcp_read_req: error reading - c: 0x7f03e6d23d88 r:
0x7f03e6d23e08 (-1)
They are resolved by setting these settings (verify/require) to off
(actually, as mentioned here -
https://www.fredposner.com/1836/kamailio-tls-and-letsencrypt/), but I’m
really curious - why?
As I understand it, it’s using *openssl verify* in the background, but this check
passed locally with
openssl verify -CAfile issuer.crt myserver.crt
myserver.crt: OK
So, are there any tricks to Let’s Encrypt, or is it just some misconfig in
*tls.cfg*?
Now it looks like the one from the article
[server:default]
method = TLSv1.2+
verify_certificate = yes
require_certificate = yes
private_key = /etc/kamailio/tls/myserver.key
certificate = /etc/kamailio/tls/myserver.crt
ca_list = /etc/kamailio/tls/issuer.crt
[client:default]
method = TLSv1.2+
verify_certificate = yes
require_certificate = yes
private_key = /etc/kamailio/tls/myserver.key
certificate = /etc/kamailio/tls/myserver.crt
ca_list = /etc/kamailio/tls/issuer.crt
—
Regards, Igor
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
--
Regards, Igor
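An added example, not part of any message in this thread: a Python check that reports, for each tls.cfg profile, whether the bundle named by its ca_list contains a given root, matched by SHA-1 fingerprint as in the Microsoft text quoted above. It assumes the tls.cfg parses as plain INI; the sample certificates are constructed placeholder bytes, and audit_ca_lists, read_text and the SAMPLE_* names are hypothetical.

```python
import configparser
import hashlib
import re
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL)

def normalize_fp(text):
    """Reduce 'd4:de:20: 53' style fingerprints to bare lower-case hex."""
    return re.sub(r"[^0-9a-fA-F]", "", text).lower()

def bundle_fingerprints(pem_text):
    """SHA-1 fingerprint (hash of the DER bytes) of each cert in a PEM bundle."""
    return [hashlib.sha1(ssl.PEM_cert_to_DER_cert(block)).hexdigest()
            for block in PEM_BLOCK.findall(pem_text)]

def audit_ca_lists(cfg_text, wanted_fp, read_text):
    """Per profile: True/False if its ca_list holds wanted_fp, None if unusable.
    read_text(path) -> str is injected so the check also runs on sample data."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(cfg_text)
    wanted = normalize_fp(wanted_fp)
    result = {}
    for profile in cfg.sections():
        path = cfg[profile].get("ca_list")
        try:
            result[profile] = wanted in bundle_fingerprints(read_text(path))
        except (OSError, KeyError, TypeError):  # no ca_list or unreadable file
            result[profile] = None
    return result

# Constructed stand-ins: placeholder bytes wrapped as PEM, not real certificates.
ISSUER_DER = b"constructed issuing-CA bytes"
ROOT_DER = b"constructed peer-root bytes"
SAMPLE_FP = hashlib.sha1(ROOT_DER).hexdigest()
SAMPLE_FILES = {
    "/etc/kamailio/tls/issuer.crt": ssl.DER_cert_to_PEM_cert(ISSUER_DER),
    "/etc/ssl/certs/ca-certificates.crt":
        ssl.DER_cert_to_PEM_cert(ISSUER_DER) + ssl.DER_cert_to_PEM_cert(ROOT_DER),
}
SAMPLE_CFG = """\
[server:default]
ca_list = /etc/ssl/certs/ca-certificates.crt
[client:default]
ca_list = /etc/kamailio/tls/issuer.crt
"""

if __name__ == "__main__":
    print(audit_ca_lists(SAMPLE_CFG, SAMPLE_FP, SAMPLE_FILES.__getitem__))
```

On a real host, pass the contents of tls.cfg, the fingerprint of the root the peer chains to, and `lambda p: open(p).read()` as read_text.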