More info in the docs: https://kamailio.org/docs/modules/stable/modules/tls.html

On Thu, Nov 21, 2024 at 9:42 AM Joel Serrano <joel@textplus.com> wrote:
Make sure you are using a config FILE for the TLS-config, and not setting the params directly in the KAMAILIO-CONFIG-FILE.

Specifically this:


$ cat tls.cfg
#
# Kamailio TLS Configuration File
#

# This is the default server domain, settings
# in this domain will be used for all incoming
# connections that do not match any other server
# domain in this configuration file.
#

[server:default]
method = TLSv1+
private_key = ...
certificate = ...
ca_list = ...
...
...



And then in kamailio.cfg:

modparam("tls", "config", "/etc/kamailio/tls.cfg")



Then you should be able to do `tls.reload` ...

Do no set the certificate config inside the kamailio.cfg config, that's the bottom line.

Joel.

On Wed, Nov 20, 2024 at 11:47 AM Sergiu Pojoga via sr-users <sr-users@lists.kamailio.org> wrote:
Looks like a cert file permissions issue.

On Wed, Nov 20, 2024 at 1:35 PM Yuriy Nasida via sr-users <sr-users@lists.kamailio.org> wrote:
Hello,

I am using letsencrypt cert and key and do not want to restart kamailio every 3 months to load new ones.
I know that there is: kamcmd tls.reload method  but it has an error for me.
error: 500 - Error while fixing TLS configuration (consult server log)

I am checking  the logs and see:

kamailio[3865480]: INFO: tls [tls_domain.c:345]: ksr_tls_fill_missing(): TLSs<default>: tls_method=3
kamailio[3865480]: INFO: tls [tls_domain.c:357]: ksr_tls_fill_missing(): TLSs<default>: certificate='/etc/kamailio/certs/my_cert.crt'
kamailio[3865480]: INFO: tls [tls_domain.c:364]: ksr_tls_fill_missing(): TLSs<default>: ca_list='(null)'
kamailio[3865480]: INFO: tls [tls_domain.c:371]: ksr_tls_fill_missing(): TLSs<default>: ca_path='(null)'
kamailio[3865480]: INFO: tls [tls_domain.c:378]: ksr_tls_fill_missing(): TLSs<default>: crl='(null)'
kamailio[3865480]: INFO: tls [tls_domain.c:382]: ksr_tls_fill_missing(): TLSs<default>: require_certificate=0
kamailio[3865480]: INFO: tls [tls_domain.c:390]: ksr_tls_fill_missing(): TLSs<default>: cipher_list='(null)'
kamailio[3865480]: INFO: tls [tls_domain.c:397]: ksr_tls_fill_missing(): TLSs<default>: private_key='/etc/kamailio/certs/private.key'
kamailio[3865480]: INFO: tls [tls_domain.c:401]: ksr_tls_fill_missing(): TLSs<default>: verify_certificate=0
kamailio[3865480]: INFO: tls [tls_domain.c:406]: ksr_tls_fill_missing(): TLSs<default>: verify_depth=9
kamailio[3865480]: INFO: tls [tls_domain.c:410]: ksr_tls_fill_missing(): TLSs<default>: verify_client=0
kamailio[3865480]: NOTICE: tls [tls_domain.c:1168]: ksr_tls_fix_domain(): registered server_name callback handler for socket [:0], server_name='<default>' ...
kamailio[3865480]: ERROR: tls [tls_domain.c:590]: load_cert(): TLSs<default>: Unable to load certificate file '/etc/kamailio/certs/my_cert.crt'
kamailio[3865480]: ERROR: tls [tls_util.h:49]: tls_err_ret(): load_cert:error:03000072:digital envelope routines::decode error (sni: unknown)
kamailio[3865480]: ERROR: tls [tls_util.h:49]: tls_err_ret(): load_cert:error:0A00018F:SSL routines::ee key too small (sni: unknown)

Any advice ?

It's interesting that there are not any errors in case I restart kamailio. I can make TLS calls without problems.

deb 12.5
version: kamailio 5.7.4 (x86_64/linux)

__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions -- sr-users@lists.kamailio.org
To unsubscribe send an email to sr-users-leave@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender!
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions -- sr-users@lists.kamailio.org
To unsubscribe send an email to sr-users-leave@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender!