Hi!
Which hostname do I need to request for the certificate when the servers are load-balanced using DNS-SRV? Do I need to get the cert for the DNS-SRV subdomain (without _sip._tls) or for the servers, e.g. server0{1,2,3}.pbx.example.com?
Thank you!
Kevin
Hi Kevin
You need a TLS certificate for the domain which you will set up on SIP clients to connect to.
So if your SIP domain is pbx.example.com and you will provide a DNS-SRV record for it, then you need a TLS certificate for pbx.example.com.
--
Best regards, Sergey Basov
e-mail: sergey.v.basov@gmail.com
Tue, 2 Oct 2018 at 12:44, Kevin Olbrich ko@sv01.de:
Hi!
Which hostname do I need to request for the certificate when the servers are load-balanced using DNS-SRV? Do I need to get the cert for the DNS-SRV subdomain (without _sip._tls) or for the servers, e.g. server0{1,2,3}.pbx.example.com?
Thank you!
Kevin
Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
Actually. Careful. There are scenarios where just doing that will not work.
The RR headers will have your FQDN most likely if you don’t want to break reinvites.
So for that to work you will need either multiple certs, a wildcard cert, or a cert with multiple SANs where you include the “pbx.example.com” and “Kamailio1.example.com” etc.
If you want you can check this issue:
https://github.com/kamailio/kamailio/issues/1581
It’s not related to your question directly but it explains why I’m telling you this.
Hope it helps.
Best regards, Joel.
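Added example, not part of the original thread and not Kamailio code: a check of whether a certificate's SAN list covers both the SIP domain and the per-proxy FQDNs that end up in Record-Route, comparing the options named above (single name, multi-SAN, wildcard). The helper names, the second proxy hostname and the SAN lists are constructed for illustration.

```python
# Added example: all hostnames and SAN lists below are constructed.

def san_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: '*' is honoured only as the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # A wildcard covers exactly one label; refuse patterns like "*.com".
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def uncovered_names(cert_sans, sip_domain, proxy_fqdns):
    """Return the names a TLS peer may validate that no SAN entry covers."""
    required = [sip_domain, *proxy_fqdns]
    return [n for n in required
            if not any(san_matches(s, n) for s in cert_sans)]


SIP_DOMAIN = "pbx.example.com"            # domain configured on SIP clients
PROXIES = ["kamailio1.example.com",       # FQDNs placed in Record-Route
           "kamailio2.example.com"]       # (second host is an assumption)

CANDIDATE_CERTS = {
    "domain only":       ["pbx.example.com"],
    "multi-SAN":         ["pbx.example.com", *PROXIES],
    "wildcard":          ["*.example.com"],
    "wildcard too deep": ["*.pbx.example.com"],
}

if __name__ == "__main__":
    for label, sans in CANDIDATE_CERTS.items():
        missing = uncovered_names(sans, SIP_DOMAIN, PROXIES)
        status = "OK" if not missing else "missing: " + ", ".join(missing)
        print(f"{label:18} -> {status}")
```

The "wildcard too deep" case shows why `*.pbx.example.com` covers neither the SIP domain itself nor proxies that live directly under example.com.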