[SR-Users] TLS verification error LetsEncrypt

Bugaian A. Vitalie bugaian at gmail.com
Fri Jan 24 15:30:40 CET 2020


Ok, thank you.

Looks like the problem is solved. I just pointed the same config certificates for
the client too, and setting it to yes/yes worked.

Thanks.

Vitalie.

On Fri, Jan 24, 2020 at 3:07 PM Social Boh <social at bohboh.info> wrote:

> I'm not sure, but with Let's Encrypt you can create only a server
> certificate, not a client certificate, so you can't require and verify a
> client certificate.
>
> Regards
>
> ---
> I'm SoCIaL, MayBe
>
> On 24/01/2020 at 09:01, Bugaian A. Vitalie wrote:
>
> Ok, thanks.
>
> But my question is still about why verification fails, or what should be
> checked to make it work. Not how to disable it.
>
> Thanks.
>
> Vitalie.
>
> On Fri, Jan 24, 2020 at 2:54 PM Social Boh <social at bohboh.info> wrote:
>
>> Hello,
>>
>> changing:
>>
>> [client:default]
>> #method = TLSv1.2+
>> verify_certificate = yes
>> require_certificate = yes
>>
>> with
>>
>> [client:default]
>> #method = TLSv1.2+
>> verify_certificate = no
>> require_certificate = no
>>
>> ---
>> I'm SoCIaL, MayBe
>>
>> On 24/01/2020 at 08:46, Bugaian A. Vitalie wrote:
>>
>> Hello list,
>>
>> I have tried to set up my TLS config with LetsEncrypt following this post:
>>
>> https://www.fredposner.com/1836/kamailio-tls-and-letsencrypt/
>>
>> My tls config looks like this:
>>
>>
>> [server:default]
>> method = TLSv1.2+
>> verify_certificate = no
>> require_certificate = no
>> private_key = /etc/letsencrypt/live/sbc.example.net-0001/privkey.pem
>> certificate = /etc/letsencrypt/live/sbc.example.net-0001/fullchain.pem
>> ca_list = /etc/letsencrypt/live/sbc.example.net-0001/ca_list.pem
>> #ca_list = /usr/local/etc/kamailio/tls/cacert.pem
>> #crl = /usr/local/etc/kamailio/tls/crl.pem
>> server_name = sbc.example.net
>> server_id = sbc.example.net
>>
>> #ca_list = /usr/local/etc/fullchain.pem
>> #ca_list = /usr/local/etc/kamailio/tls/cacert.pem
>> #crl = /usr/local/etc/kamailio/tls/crl.pem
>>
>>
>> # ---
>> # This is the default client domain profile.
>> # Settings in this domain will be used for all outgoing
>> # TLS connections that do not match any other
>> # client domain in this configuration file.
>> # We require that servers present valid certificate.
>> #
>> [client:default]
>> #method = TLSv1.2+
>> verify_certificate = yes
>> require_certificate = yes
>>
>> ===================================
>> My ca_list has all certificates from
>> cat /etc/ssl/certs/ca-certificates.crt >> /etc/letsencrypt/live/sbcc.example.net/ca_list.pem
>>
>> I keep getting "certificate validation failed", see below:
>>
>> Jan 24 08:39:56 sbc.example.net /usr/local/sbin/kamailio[6371]: ERROR:
>> tls [tls_util.h:42]: tls_err_ret(): TLS write:error:1416F086:SSL
>> routines:tls_process_server_certificate:certificate verify failed
>> Jan 24 08:39:56 sbc.example.net /usr/local/sbin/kamailio[6371]: ERROR:
>> <core> [core/tcp_read.c:1505]: tcp_read_req(): ERROR: tcp_read_req: error
>> reading - c: 0x7f0474421f68 r: 0x7f0474422028 (-1)
>> Jan 24 08:39:56 sbc.example.net /usr/local/sbin/kamailio[6370]: ERROR:
>> tls [tls_util.h:42]: tls_err_ret(): TLS write:error:1416F086:SSL
>> routines:tls_process_server_certificate:certificate verify failed
>> Jan 24 08:39:56 sbc.example.net /usr/local/sbin/kamailio[6370]: ERROR:
>> <core> [core/tcp_read.c:1505]: tcp_read_req(): ERROR: tcp_read_req: error
>> reading - c: 0x7f0474401cb8 r: 0x7f0474401d78 (-1)
>>
>> =====================
>>
>> What params should I change or where to look for a solution on this one?
>>
>> Thanks.
>>
>> Vitalie A. Bugaian.
>>