[SR-Users] Kamailio TLS and Let's Encrypt certs

Sergiu Pojoga pojogas at gmail.com
Sun Mar 29 17:56:26 CEST 2020


Hi Igor,

Ran into the same issue previously, glad you figured it out as well.

In Debian for example:
ca_list = /etc/ssl/certs/ca-certificates.crt

BTW, alternatively, you could just deploy the Baltimore CA root cert that
Microsoft uses instead of loading the full CA root list, if the SBC will be
used solely for MS Direct Routing. From the MS docs:

*Deploy Baltimore Trusted Root Certificate*
Loading Baltimore Trusted Root Certificates is mandatory for implementing a
TLS connection with the Microsoft Teams network.
The DNS name of the Teams Direct Routing interface is
sip.pstnhub.microsoft.com.
In this interface, a certificate is presented which is signed by Baltimore
CyberTrust Root with Serial Number: 02 00 00 b9 and SHA
fingerprint: d4:de:20:d0:5e:66:fc:53:fe:1a:50:88:2c:78:db:28:52:ca:e4:74.
To trust this certificate, your SBC must have the certificate in Trusted
Certificates storage. Download the certificate from
https://cacert.omniroot.com/bc2025.pem and follow the steps above to import
the certificate to the Trusted Root storage.

Cheers,
--Sergiu
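As an added illustration (not code from anyone in this thread), the script below builds two throwaway CAs with openssl and repeats the checks discussed above: the poster's own "myserver.crt vs issuer.crt" check passes, but the peer's certificate only verifies once its root is in the CA file that the client-side ca_list points at. All names (issuer, peerroot, myserver, peer) are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread: builds two throwaway CAs in a temp dir to
# show why "openssl verify -CAfile issuer.crt myserver.crt" passing does not mean the
# peer's certificate will verify. Names (issuer, peerroot, myserver, peer) are constructed.
set -eu
WORK=$(mktemp -d); cd "$WORK"

# Minimal req config so CA certs get CA:TRUE regardless of the system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

mk_ca() {   # $1 = CA name -> $1.key, $1.crt (self-signed root)
  openssl req -x509 -config req.cnf -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$1" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}
mk_leaf() { # $1 = leaf name, $2 = signing CA -> $1.crt
  openssl req -new -config req.cnf -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
    -days 1 -out "$1.crt" 2>/dev/null
}
mk_ca issuer;   mk_leaf myserver issuer   # our SBC cert chain (Let's Encrypt stand-in)
mk_ca peerroot; mk_leaf peer peerroot     # remote SIP peer, signed by a different root

# 0 if the leaf ($2) chains to a trust anchor in the CA file ($1), non-zero otherwise.
verify_against() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# 1) The check from the thread: our own cert against our own issuer -> OK.
verify_against issuer.crt myserver.crt && echo "myserver.crt vs issuer.crt: OK"
# 2) What the client-side ca_list is actually used for: the *peer's* cert. With only
#    issuer.crt as trust anchor this fails, i.e. "certificate verify failed".
verify_against issuer.crt peer.crt || echo "peer.crt vs issuer.crt: FAIL (expected)"
# 3) A ca_list holding the peer's root (full distro bundle, or just that root) -> OK.
cat issuer.crt peerroot.crt > ca-bundle.crt
verify_against ca-bundle.crt peer.crt && echo "peer.crt vs ca-bundle.crt: OK"
```

The same logic applies to the server section when require_certificate is on: the ca_list there must contain the roots of whoever connects to you, not only your own issuer.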



On Sun, Mar 29, 2020 at 10:14 AM Igor Olhovskiy <igorolhovskiy at gmail.com>
wrote:

> Thanks! That did the trick (Debian 10)
>
> [server:default]
> method = TLSv1.2+
> verify_certificate = yes
> require_certificate = yes
> private_key = /etc/kamailio/tls/myserver.key
> certificate = /etc/kamailio/tls/myserver.crt
> # Points to your root CA list
> ca_list = /etc/ssl/certs/ca-certificates.crt
>
> [client:default]
> method = TLSv1.2+
> verify_certificate = yes
> require_certificate = yes
> private_key = /etc/kamailio/tls/myserver.key
> certificate = /etc/kamailio/tls/myserver.crt
> ca_list = /etc/kamailio/tls/issuer.crt
>
> Now it takes longer to reload the TLS config and I need to increase PKG/SHM size to
> process the full list, but it's ok )
>
> On 29.03.2020 13:54, Alexey Vasilyev wrote:
>
> Hi Igor,
>
> Because these errors are about verification of the Microsoft certificate.
> /etc/kamailio/tls/issuer.cer should contain a certificate authorities list,
> which contains trusted root certificates.
> For example, for CentOS 7: /etc/ssl/certs/ca-bundle.crt
>
> -----
> Alexey Vasilyev
> alexei.vasilyev at gmail.com
>
>
>
> On 29 Mar 2020, at 11:36, Igor Olhovskiy <igorolhovskiy at gmail.com> wrote:
>
> Hi!
>
> Actually I'm trying to get Kamailio to work as an MS Teams SBC, following the
> excellent article
> https://skalatan.de/en/blog/kamailio-sbc-teams
> It works well, but one thing is bothering me.
> I'm using Let's Encrypt certs (actually, it works well), but with these settings in
> *tls.conf*
>
> verify_certificate = yes
> require_certificate = yes
>
> it's giving errors like
>
> /usr/sbin/kamailio[4551]: ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS
> write:error:1416F086:SSL
> routines:tls_process_server_certificate:certificate verify failed
> /usr/sbin/kamailio[4551]: ERROR: <core> [core/tcp_read.c:1505]:
> tcp_read_req(): ERROR: tcp_read_req: error reading - c: 0x7f03e6d23d88 r:
> 0x7f03e6d23e08 (-1)
>
> They are resolved by setting these settings (verify/require) to off
> (actually, as mentioned here -
> https://www.fredposner.com/1836/kamailio-tls-and-letsencrypt/), but I'm
> really curious - why?
>
> As I understand it, it's using *openssl verify* in the background, but this check
> passes locally with
>
> openssl verify -CAfile issuer.crt myserver.crt
> myserver.crt: OK
>
> So, are there any tricks to Let's Encrypt, or is it just some misconfig in
> *tls.cfg*?
>
> Now it looks like one from article
>
> [server:default]
> method = TLSv1.2+
> verify_certificate = yes
> require_certificate = yes
> private_key = /etc/kamailio/tls/myserver.key
> certificate = /etc/kamailio/tls/myserver.crt
> ca_list = /etc/kamailio/tls/issuer.crt
>
> [client:default]
> method = TLSv1.2+
> verify_certificate = yes
> require_certificate = yes
> private_key = /etc/kamailio/tls/myserver.key
> certificate = /etc/kamailio/tls/myserver.crt
> ca_list = /etc/kamailio/tls/issuer.crt
> Regards, Igor
>
>
>
> _______________________________________________
> Kamailio (SER) - Users Mailing List
> sr-users at lists.kamailio.org
> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>
>
>
>
> --
> Regards, Igor
>
>