[SR-Users] Kamailiio TLS and Let'sEncrypt certs

Alexey Vasilyev alexei.vasilyev at gmail.com
Sun Mar 29 12:54:23 CEST 2020 

Hi Igor,

Because these errors about verification of Microsoft certificate.
/etc/kamailio/tls/issuer.cer should contain certificate authorities list, which contains trusted root certificates.
For example, for CentOS7 /etc/ssl/certs/ca-bundle.crt

-----
Alexey Vasilyev
alexei.vasilyev at gmail.com



> 29 Mar 2020, в 11:36, Igor Olhovskiy <igorolhovskiy at gmail.com> написал(а):
> 
> Hi!
> 
> Actually I’m trying to get Kamailio to work as MS Teams SBC following by perfect article
> https://skalatan.de/en/blog/kamailio-sbc-teams <https://skalatan.de/en/blog/kamailio-sbc-teams>
> It works well, but one thing is bothering me.
> I’m using Let’sEncrypt certs (actually, works well), but with setting in tls.conf
> 
> verify_certificate = yes
> require_certificate = yes
> 
> It’s giving an errors like 
> 
> /usr/sbin/kamailio[4551]: ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS write:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
> /usr/sbin/kamailio[4551]: ERROR: <core> [core/tcp_read.c:1505]: tcp_read_req(): ERROR: tcp_read_req: error reading - c: 0x7f03e6d23d88 r: 0x7f03e6d23e08 (-1)
> 
> They are resolved with setting these settings (verify/require) to off (actually, as mentioned here - https://www.fredposner.com/1836/kamailio-tls-and-letsencrypt/ <https://www.fredposner.com/1836/kamailio-tls-and-letsencrypt/>), but I’m really curious - why?
> 
> As I got, it’s using openssl verify on a background, but this check locally passed with 
> 
> openssl verify -CAfile issuer.crt myserver.crt
> myserver.crt: OK
> 
> So, is there any tricks to lets encrypt or just some misconfig in tls.cfg?
> 
> Now it looks like one from article
> 
> [server:default]
> method = TLSv1.2+
> verify_certificate = yes
> require_certificate = yes
> private_key = /etc/kamailio/tls/myserver.key
> certificate = /etc/kamailio/tls/myserver.crt
> ca_list = /etc/kamailio/tls/issuer.crt
> 
> [client:default]
> method = TLSv1.2+
> verify_certificate = yes
> require_certificate = yes
> private_key = /etc/kamailio/tls/myserver.key
> certificate = /etc/kamailio/tls/myserver.crt
> ca_list = /etc/kamailio/tls/issuer.crt
>> Regards, Igor
> 
> 
> 
> _______________________________________________
> Kamailio (SER) - Users Mailing List
> sr-users at lists.kamailio.org
> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.kamailio.org/pipermail/sr-users/attachments/20200329/82b251cb/attachment.html>

More information about the sr-users mailing list