Hi Igor,

Ran into the same issue previously, glad you figured it out as well.

In Debian for example:
ca_list = /etc/ssl/certs/ca-certificates.crt

BTW, alternatively, you could just deploy the Baltimore CA root cert that Microsoft uses instead of loading the full CA root list, if the SBC will be used solely for MS Direct Routing. From the MS docs:

Deploy Baltimore Trusted Root Certificate
Loading Baltimore Trusted Root Certificates is mandatory for implementing a TLS connection with the Microsoft Teams network.
The DNS name of the Teams Direct Routing interface is sip.pstnhub.microsoft.com.
In this interface, a certificate is presented which is signed by Baltimore CyberTrust Root with Serial Number: 02 00 00 b9 and SHA fingerprint: d4:de:20:d0:5e:66:fc:53:fe:1a:50:88:2c:78:db:28:52:ca:e4:74.
To trust this certificate, your SBC must have the certificate in Trusted Certificates storage. Download the certificate from https://cacert.omniroot.com/bc2025.pem and follow the steps above to import the certificate to the Trusted Root storage.  

Cheers,
--Sergiu



On Sun, Mar 29, 2020 at 10:14 AM Igor Olhovskiy <igorolhovskiy@gmail.com> wrote:

Thanks! That did the trick (Debian 10)


[server:default]
method = TLSv1.2+
verify_certificate = yes
require_certificate = yes
private_key = /etc/kamailio/tls/myserver.key
certificate = /etc/kamailio/tls/myserver.crt
# Points to your root CA list
ca_list = /etc/ssl/certs/ca-certificates.crt

[client:default]
method = TLSv1.2+
verify_certificate = yes
require_certificate = yes
private_key = /etc/kamailio/tls/myserver.key
certificate = /etc/kamailio/tls/myserver.crt
ca_list = /etc/kamailio/tls/issuer.crt

Now it takes longer to reload the TLS config, and I need to increase the PKG/SHM size to process the full list, but it's ok :)

On 29.03.2020 13:54, Alexey Vasilyev wrote:
Hi Igor,

Because these errors are about verification of the Microsoft certificate.
/etc/kamailio/tls/issuer.cer should contain a certificate authorities list, which contains trusted root certificates.
For example, for CentOS7 /etc/ssl/certs/ca-bundle.crt

-----
Alexey Vasilyev



On 29 Mar 2020, at 11:36, Igor Olhovskiy <igorolhovskiy@gmail.com> wrote:

Hi!

Actually I'm trying to get Kamailio to work as an MS Teams SBC, following a perfect article.
It works well, but one thing is bothering me.
I'm using Let's Encrypt certs (actually, it works well), but with these settings in tls.conf

verify_certificate = yes
require_certificate = yes

It's giving errors like

/usr/sbin/kamailio[4551]: ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS write:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
/usr/sbin/kamailio[4551]: ERROR: <core> [core/tcp_read.c:1505]: tcp_read_req(): ERROR: tcp_read_req: error reading - c: 0x7f03e6d23d88 r: 0x7f03e6d23e08 (-1)

They are resolved by setting these settings (verify/require) to off (actually, as mentioned here - https://www.fredposner.com/1836/kamailio-tls-and-letsencrypt/), but I'm really curious - why?

As I understand, it's using openssl verify in the background, but this check passes locally with

openssl verify -CAfile issuer.crt myserver.crt
myserver.crt: OK

So, are there any tricks to Let's Encrypt, or is it just some misconfig in tls.cfg?

Now it looks like the one from the article

[server:default]
method = TLSv1.2+
verify_certificate = yes
require_certificate = yes
private_key = /etc/kamailio/tls/myserver.key
certificate = /etc/kamailio/tls/myserver.crt
ca_list = /etc/kamailio/tls/issuer.crt

[client:default]
method = TLSv1.2+
verify_certificate = yes
require_certificate = yes
private_key = /etc/kamailio/tls/myserver.key
certificate = /etc/kamailio/tls/myserver.crt
ca_list = /etc/kamailio/tls/issuer.crt
Regards, Igor



_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users@lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users


-- 
Regards, Igor