[SR-Users] TLS verification error LetsEncrypt
Social Boh
social at bohboh.info
Fri Jan 24 15:06:50 CET 2020
I'm not sure, but with Let's Encrypt you can create only a server
certificate, not a client certificate, so you can't require and verify
a client certificate.
Regards
---
I'm SoCIaL, MayBe
On 24/01/2020 at 09:01, Bugaian A. Vitalie wrote:
> Ok, thanks.
>
> But my question is still about why verification fails, or what should
> be checked to make it work. Not how to disable it.
>
> Thanks.
>
> Vitalie.
>
> On Fri, Jan 24, 2020 at 2:54 PM Social Boh <social at bohboh.info> wrote:
>
> Hello,
>
> changing:
>
> [client:default]
> #method = TLSv1.2+
> verify_certificate = yes
>
> require_certificate = yes
>
> with
>
> [client:default]
> #method = TLSv1.2+
> verify_certificate = no
> require_certificate = no
>
> ---
> I'm SoCIaL, MayBe
>
> On 24/01/2020 at 08:46, Bugaian A. Vitalie wrote:
>> Hello list,
>>
>> I have tried to set up my TLS config with LetsEncrypt following
>> this post:
>>
>> https://www.fredposner.com/1836/kamailio-tls-and-letsencrypt/
>>
>> My tls config looks like this:
>>
>>
>> [server:default]
>> method = TLSv1.2+
>> verify_certificate = no
>> require_certificate = no
>> private_key = /etc/letsencrypt/live/sbc.example.net-0001/privkey.pem
>> certificate = /etc/letsencrypt/live/sbc.example.net-0001/fullchain.pem
>> ca_list = /etc/letsencrypt/live/sbc.example.net-0001/ca_list.pem
>> #ca_list = /usr/local/etc/kamailio/tls/cacert.pem
>> #crl = /usr/local/etc/kamailio/tls/crl.pem
>> server_name = sbc.example.net
>> server_id = sbc.example.net
>>
>> #ca_list = /usr/local/etc/fullchain.pem
>> #ca_list = /usr/local/etc/kamailio/tls/cacert.pem
>> #crl = /usr/local/etc/kamailio/tls/crl.pem
>>
>>
>> # ---
>> # This is the default client domain profile.
>> # Settings in this domain will be used for all outgoing
>> # TLS connections that do not match any other
>> # client domain in this configuration file.
>> # We require that servers present valid certificate.
>> #
>> [client:default]
>> #method = TLSv1.2+
>> verify_certificate = yes
>> require_certificate = yes
>>
>> ===================================
>> My ca_list has all certificates from
>> cat /etc/ssl/certs/ca-certificates.crt >> /etc/letsencrypt/live/sbcc.example.net/ca_list.pem
>>
>> I keep getting certificate validation failed, see below:
>>
>> Jan 24 08:39:56 sbc.example.net /usr/local/sbin/kamailio[6371]: ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS write:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
>> Jan 24 08:39:56 sbc.example.net /usr/local/sbin/kamailio[6371]: ERROR: <core> [core/tcp_read.c:1505]: tcp_read_req(): ERROR: tcp_read_req: error reading - c: 0x7f0474421f68 r: 0x7f0474422028 (-1)
>> Jan 24 08:39:56 sbc.example.net /usr/local/sbin/kamailio[6370]: ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS write:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
>> Jan 24 08:39:56 sbc.example.net /usr/local/sbin/kamailio[6370]: ERROR: <core> [core/tcp_read.c:1505]: tcp_read_req(): ERROR: tcp_read_req: error reading - c: 0x7f0474401cb8 r: 0x7f0474401d78 (-1)
>>
>> =====================
>>
>> What params should I change or where to look for a solution on
>> this one?
>>
>> Thanks.
>>
>> Vitalie A. Bugaian.
>
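Added example, not part of the thread or of Kamailio's own code: OpenSSL's tls_process_server_certificate runs on the TLS client side, so the failing check belongs to an outgoing connection and therefore to the [client:default] profile. The sketch below parses a tls.cfg and lists the profiles that verify the peer without naming a ca_list of their own. It assumes a profile does not pick up the ca_list of [server:default] and that no module-wide ca_list parameter is set (neither is shown in the thread); the sample text is constructed from the config quoted above.

```python
import re

# Constructed sample: the two profiles quoted in the thread.
SAMPLE_TLS_CFG = """\
[server:default]
method = TLSv1.2+
verify_certificate = no
require_certificate = no
private_key = /etc/letsencrypt/live/sbc.example.net-0001/privkey.pem
certificate = /etc/letsencrypt/live/sbc.example.net-0001/fullchain.pem
ca_list = /etc/letsencrypt/live/sbc.example.net-0001/ca_list.pem
#crl = /usr/local/etc/kamailio/tls/crl.pem

[client:default]
#method = TLSv1.2+
verify_certificate = yes
require_certificate = yes
"""

SECTION = re.compile(r"^\[([^\]]+)\]$")


def parse_profiles(text):
    """Return {profile_name: {option: value}} for tls.cfg-style text."""
    profiles, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        match = SECTION.match(line)
        if match:
            current = profiles.setdefault(match.group(1).strip(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return profiles


def verifying_without_ca(profiles):
    """Names of profiles with verify_certificate = yes and no ca_list."""
    return [
        name
        for name, opts in profiles.items()
        if opts.get("verify_certificate", "no").lower() == "yes"
        and not opts.get("ca_list")
    ]


if __name__ == "__main__":
    for name in verifying_without_ca(parse_profiles(SAMPLE_TLS_CFG)):
        print(f"[{name}] verifies the peer but sets no ca_list")
```

On the sample it reports client:default only; the ca_list under [server:default] is read for that section alone.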