[SR-Users] Issue with ca-list
George Goglidze
george at ipcorp.co.uk
Fri Nov 20 11:13:31 CET 2020
Hi Folks,
I was wondering if somebody could help me with an issue. I’m a newbie here, just installing Kamailio sip server.
I’ve enabled TLS, and am trying to create a SIP trunk to an external SIP service which is TLS-enabled on port 5061.
I’ve configured the following in tls.cfg:
[server:default]
method = TLSv1.2+
verify_certificate = yes
require_certificate = yes
private_key = /etc/kamailio/certs/sbc-private.pem
certificate = /etc/kamailio/certs/godaddy.pem
ca_list = /etc/kamailio/certs/calist.pem
In the section above, ca_list = calist.pem contains all the CAs and subordinates of the destination server.
private_key and certificate are of my own server (public GoDaddy signed).
[client:default]
method = TLSv1.2+
verify_certificate = yes
require_certificate = yes
private_key = /etc/kamailio/certs/sbc-private.pem
certificate = /etc/kamailio/certs/godaddy.pem
ca_list = /etc/kamailio/certs/godaddyca.pem
In the section above, the ca_list is GoDaddy’s CA and subordinate.
In Wireshark I can see that I’m sending out SIP OPTIONS pings (I’m using the dispatcher module).
Then the server replies with a TLS Server Hello which includes its certificate.
But for some reason we are rejecting it:
Alert (level: fatal, Description: Unknown CA)
How should I set this up to make sure the remote server’s CAs are verified?
Thank you,
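
An added example, not part of the original post and not Kamailio's own code: Kamailio's tls module applies a [client:...] profile to connections it initiates (such as the dispatcher OPTIONS ping) and a [server:...] profile to connections it accepts, and verifies the peer certificate against the ca_list of the profile it selected. The sketch below models that lookup over the two profiles quoted above; the addresses and the function names are assumptions made for illustration.

```python
import configparser

# Constructed sample: the two profiles exactly as quoted in the post.
TLS_CFG = """
[server:default]
method = TLSv1.2+
verify_certificate = yes
require_certificate = yes
private_key = /etc/kamailio/certs/sbc-private.pem
certificate = /etc/kamailio/certs/godaddy.pem
ca_list = /etc/kamailio/certs/calist.pem

[client:default]
method = TLSv1.2+
verify_certificate = yes
require_certificate = yes
private_key = /etc/kamailio/certs/sbc-private.pem
certificate = /etc/kamailio/certs/godaddy.pem
ca_list = /etc/kamailio/certs/godaddyca.pem
"""

def load_profiles(text):
    """Parse tls.cfg text into {profile name: {option: value}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}

def select_profile(profiles, direction, address):
    """direction 'out': Kamailio is the TLS client, keyed by remote ip:port.
    direction 'in': Kamailio is the TLS server, keyed by local ip:port.
    Either way the lookup falls back to the role's default profile."""
    role = "client" if direction == "out" else "server"
    for name in (f"{role}:{address}", f"{role}:default"):
        if name in profiles:
            return name, profiles[name]
    raise LookupError(f"no {role} profile for {address}")

def peer_trust_store(profiles, direction, address):
    """Return (profile, ca_list used to verify the peer, verification on?)."""
    name, prof = select_profile(profiles, direction, address)
    return name, prof.get("ca_list"), prof.get("verify_certificate") == "yes"

if __name__ == "__main__":
    profiles = load_profiles(TLS_CFG)
    # 192.0.2.10:5061 is a constructed stand-in for the external SIP service.
    print("outbound:", peer_trust_store(profiles, "out", "192.0.2.10:5061"))
    # 198.51.100.5:5061 is a constructed stand-in for the local TLS listener.
    print("inbound: ", peer_trust_store(profiles, "in", "198.51.100.5:5061"))
```

With the configuration from the post, the outbound case resolves to godaddyca.pem, so that is the bundle the remote server's chain is checked against during the OPTIONS ping handshake.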