Hello Kamailio Community,
I’ve been troubleshooting an issue with Kamailio where the TLS listener fails to bind to any specified ports (5061, 10061, etc.), despite valid configurations and certificates. Here’s a summary of my setup and steps taken:
1. *Environment Details*:
   - Kamailio version: 5.7.4
   - OpenSSL version: 3.0.13
   - Operating System: Ubuntu (Noble Release)
   - TLS module (tls.so) is installed and loaded.
2. *Issue Details*:
   - Configurations validate successfully (config file ok).
   - OpenSSL works perfectly when testing certificates and keys with s_server, binding to ports (5061 and others).
   - Kamailio fails to bind TLS listeners (ss -tulnp shows no activity on the specified ports).
3. *Steps Already Taken*:
   - Simplified TLS configuration (minimal_tls.cfg) with:

         listen=tls:10.14.202.39:5061
         loadmodule "tls.so"
         modparam("tls", "certificate", "/home/localtech/vicissl/868a963bc33d5eae.crt")
         modparam("tls", "private_key", "/home/localtech/vicissl/private.key")

   - Tested multiple ports (5061, 10061, 15061).
   - Checked firewall settings (iptables) and confirmed no restrictions.
   - Rebuilt Kamailio from source and ensured TLS modules are linked to OpenSSL.
   - Ran Kamailio with maximum debugging (-ddd) to examine logs; no binding-related errors appeared.
4. *Log Excerpts*: (Attach relevant logs showing TLS initialization or lack of binding activity.)
5. *Question*: What additional steps or configurations should I explore to resolve this issue? Could this be a compatibility problem between Kamailio 5.7.4 and OpenSSL 3.0.13?

Any guidance or insights would be greatly appreciated!

Best regards,
Steven Muchwe Njoroge

Hi Steven

I have not observed that issue on any of my installs; it always worked more or less out of the box (after some fiddling because initially Let's Encrypt's CA cert was missing in the system cert list). Replace paths and IP addresses with whatever you use and make sure the permissions are right.

I use the full chain as certificate. Client mode with validation needs access to the root certs and needs to contain the CA which issued the remote certificate.

    listen = tls:[x:x:x:x:x:x:x:x]:5061
    listen = tls:x.x.x.x:5061

    [server:default]
    method = TLSv1.2+
    verify_certificate = no
    require_certificate = no
    private_key = /[letsencrypt-store]/[domain]/privkey.pem
    certificate = /[letsencrypt-store]/[domain]/fullchain.pem

    [client:default]
    #method = TLSv1.2+
    verify_certificate = yes
    require_certificate = yes
    private_key = /[letsencrypt-store]/[domain]/privkey.pem
    certificate = /[letsencrypt-store]/[domain]/fullchain.pem
    ca_list = /etc/ssl/certs/ca-certificates.crt

Does netstat -anp (assuming Linux) show port 5061 listening?

Kind regards,
-Benoît Panizzon-
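
The two checks raised in this reply (file permissions and whether the port is actually listening), written out as an added example that is not part of the thread or of Kamailio. It assumes the modparam form used in the minimal_tls.cfg above; the function names are hypothetical, and flagging a world-readable private key is an extra check beyond what the reply asks for.

```shell
# Added example (not from the thread); function names are hypothetical.
# Run as the account Kamailio runs under so the readability test is meaningful.

# Print "<param> <path>" for each tls certificate/private_key modparam in a cfg.
tls_files_from_cfg() {
    sed -nE 's/^[[:space:]]*modparam\("tls",[[:space:]]*"(certificate|private_key)",[[:space:]]*"([^"]+)"\).*/\1 \2/p' "$1"
}

# Report files the current user cannot read and private keys that are
# world-readable. Exit status is the number of problems (0 = clean).
check_tls_files() {
    problems=0
    while read -r param path; do
        [ -n "$path" ] || continue
        if [ ! -r "$path" ]; then
            echo "UNREADABLE $param: $path"; problems=$((problems + 1))
        elif [ "$param" = private_key ] && [ -n "$(find -L "$path" -prune -perm -004)" ]; then
            echo "WORLD-READABLE $param: $path"; problems=$((problems + 1))
        fi
    done <<EOF
$(tls_files_from_cfg "$1")
EOF
    return "$problems"
}

# Read `ss -tln` output on stdin; succeed if a TCP socket is in LISTEN state
# on ADDR:PORT or on the IPv4 wildcard for that port.
tls_listener_bound() {
    awk -v want="$1:$2" -v any="0.0.0.0:$2" -v star="*:$2" '
        { addr = "" }
        $1 == "LISTEN" { addr = $4 }   # ss -tln: no Netid column
        $2 == "LISTEN" { addr = $5 }   # ss -tuln: Netid column comes first
        addr != "" && (addr == want || addr == any || addr == star) { found = 1 }
        END { exit !found }'
}

# Constructed sample of `ss -tln` output: plain SIP is bound, TLS on 5061 is not.
SAMPLE_SS='LISTEN 0 128 10.14.202.39:5060 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:22 0.0.0.0:*'
printf '%s\n' "$SAMPLE_SS" | tls_listener_bound 10.14.202.39 5061 \
    || echo "no TLS listener on 10.14.202.39:5061"
# Live use: check_tls_files minimal_tls.cfg; ss -tln | tls_listener_bound <ip> 5061
```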
Can you provide the actual error when trying to bind? Increase debug.
Regards,
David Villasmil
email: david.villasmil.work@gmail.com
On Mon, Apr 28, 2025 at 9:26 AM Benoit Panizzon via sr-users < sr-users@lists.kamailio.org> wrote: