[SR-Users] Kamailio TLS and Let'sEncrypt certs

Igor Olhovskiy igorolhovskiy at gmail.com
Sun Mar 29 16:13:02 CEST 2020


Thanks! That did the trick (Debian 10)


[server:default]
method = TLSv1.2+
verify_certificate = yes
require_certificate = yes
private_key = /etc/kamailio/tls/myserver.key
certificate = /etc/kamailio/tls/myserver.crt
# Points to your root CA list
ca_list = /etc/ssl/certs/ca-certificates.crt

[client:default]
method = TLSv1.2+
verify_certificate = yes
require_certificate = yes
private_key = /etc/kamailio/tls/myserver.key
certificate = /etc/kamailio/tls/myserver.crt
ca_list = /etc/kamailio/tls/issuer.crt

It now takes longer to reload the TLS config, and I need to increase the PKG/SHM size 
to process the full list, but it's OK :)

On 29.03.2020 13:54, Alexey Vasilyev wrote:
> Hi Igor,
>
> Because these errors are about verification of the Microsoft certificate.
> /etc/kamailio/tls/issuer.cer should contain a certificate authorities 
> list, which contains trusted root certificates.
> For example, for CentOS 7: /etc/ssl/certs/ca-bundle.crt
>
> -----
> Alexey Vasilyev
> alexei.vasilyev at gmail.com
>
>
>
>> 29 Mar 2020, at 11:36, Igor Olhovskiy <igorolhovskiy at gmail.com> wrote:
>>
>> Hi!
>>
>> Actually I’m trying to get Kamailio to work as an MS Teams SBC, following 
>> the perfect article
>> https://skalatan.de/en/blog/kamailio-sbc-teams
>> It works well, but one thing is bothering me.
>> I’m using Let’sEncrypt certs (actually, works well), but with these settings 
>> in *tls.conf*
>>
>> verify_certificate = yes
>> require_certificate = yes
>>
>> It’s giving errors like
>>
>> /usr/sbin/kamailio[4551]: ERROR: tls [tls_util.h:42]: tls_err_ret(): 
>> TLS write:error:1416F086:SSL 
>> routines:tls_process_server_certificate:certificate verify failed
>> /usr/sbin/kamailio[4551]: ERROR: <core> [core/tcp_read.c:1505]: 
>> tcp_read_req(): ERROR: tcp_read_req: error reading - c: 
>> 0x7f03e6d23d88 r: 0x7f03e6d23e08 (-1)
>>
>> They are resolved by setting these settings (verify/require) to off 
>> (actually, as mentioned here - 
>> https://www.fredposner.com/1836/kamailio-tls-and-letsencrypt/), but 
>> I’m really curious - why?
>>
>> As I understand it, it’s using *openssl verify* in the background, but this check 
>> passed locally with
>>
>> openssl verify -CAfile issuer.crt myserver.crt
>> myserver.crt: OK
>>
>> So, are there any tricks to Let's Encrypt, or is it just some misconfig in 
>> *tls.cfg*?
>>
>> Now it looks like the one from the article
>>
>> [server:default]
>> method = TLSv1.2+
>> verify_certificate = yes
>> require_certificate = yes
>> private_key = /etc/kamailio/tls/myserver.key
>> certificate = /etc/kamailio/tls/myserver.crt
>> ca_list = /etc/kamailio/tls/issuer.crt
>>
>> [client:default]
>> method = TLSv1.2+
>> verify_certificate = yes
>> require_certificate = yes
>> private_key = /etc/kamailio/tls/myserver.key
>> certificate = /etc/kamailio/tls/myserver.crt
>> ca_list = /etc/kamailio/tls/issuer.crt
>>
>> Regards, Igor
>>
>>
>>
>> _______________________________________________
>> Kamailio (SER) - Users Mailing List
>> sr-users at lists.kamailio.org <mailto:sr-users at lists.kamailio.org>
>> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users

-- 
Regards, Igor
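
Added example (not part of the original messages): a shell sketch of why `openssl verify -CAfile issuer.crt myserver.crt` can pass while Kamailio still logs `certificate verify failed`. The local check validates your own certificate against your own issuer, whereas `ca_list` is used to validate the certificate the other side presents. The CAs and the names `my-issuer`, `peer-root`, `peer` and `bundle.crt` are constructed stand-ins created with the `openssl` CLI.

```shell
#!/bin/sh
# Constructed demo: throwaway CAs stand in for "my issuer" and "the peer's root".
# All names below are stand-ins, not real Let's Encrypt or Microsoft certificates.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed root CA -> $WORK/NAME.key, $WORK/NAME.crt
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_leaf CA NAME: leaf certificate $WORK/NAME.crt signed by CA
issue_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" -days 1 -CAcreateserial \
        -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -out "$WORK/$2.crt" 2>/dev/null
}

# verifies CAFILE CERT: exit 0 only if CERT chains to a root found in CAFILE
verifies() {
    openssl verify -CAfile "$WORK/$1" "$WORK/$2" >/dev/null 2>&1
}

# report LABEL CAFILE CERT: print the outcome without tripping set -e
report() {
    if verifies "$2" "$3"; then echo "$1: OK"; else echo "$1: verify failed"; fi
}

make_ca my-issuer               # plays the role of issuer.crt
make_ca peer-root               # root that signed the remote side's certificate
issue_leaf my-issuer myserver   # plays the role of myserver.crt
issue_leaf peer-root peer       # certificate the remote side presents
# A multi-root file, as a distro CA bundle is
cat "$WORK/my-issuer.crt" "$WORK/peer-root.crt" > "$WORK/bundle.crt"

report "myserver.crt against issuer.crt (the local check)" my-issuer.crt myserver.crt
report "peer cert against issuer.crt (ca_list = issuer.crt)" my-issuer.crt peer.crt
report "peer cert against bundle (ca_list = CA bundle)" bundle.crt peer.crt
```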
