Re: [SR-Users] unable to get local issuer certificate

2022-05-12 Thread Володимир Іванець
In case someone faces the same problem, here is the correct certificate to add
to the Kamailio CA list:
https://baltimore-cybertrust-root.chain-demos.digicert.com/info/index.html

Thank you!

__
Kamailio - Users Mailing List - Non Commercial Discussions
  * sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the 
sender!
Edit mailing list options or unsubscribe:
  * https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users


Re: [SR-Users] unable to get local issuer certificate

2022-05-11 Thread Володимир Іванець
Hello all!

According to the "SBC doesn’t trust SIP proxy certificate" section from
https://docs.microsoft.com/en-us/microsoftteams/troubleshoot/phone-system/direct-routing/sip-options-tls-certificate-issues
I had to download and add their certificates to the CA list. I did that, but
Kamailio still fails to verify the MS certificate.

Did anyone face this problem?

Thank you!



Re: [SR-Users] unable to get local issuer certificate

2022-05-10 Thread Володимир Іванець
Hello Olle!

Thank you for the hint! I checked my test server where the connection was
working before, and now I see the same problem. Looks like Microsoft could have
updated the certificate on their side. Will try to find the appropriate root and
intermediate certificates.

Thanks a lot!



Re: [SR-Users] unable to get local issuer certificate

2022-05-05 Thread Olle E. Johansson
tls_dump_cert_info(): tls_connect: server certificate issuer:/C=US/O=Microsoft Corporation/CN=Microsoft RSA TLS CA 01

This is not Sectigo signed - is my guess. It’s the other side's cert that
Kamailio can’t verify. You need to add that CA cert to the Kamailio CA store.

/O

> On 5 May 2022, at 14:09, Володимир Іванець wrote:
> 
> tls_dump_cert_info(): tls_connect: server certificate issuer:/C=US/O=Microsoft Corporation/CN=Microsoft RSA TLS CA 01



[SR-Users] unable to get local issuer certificate

2022-05-05 Thread Володимир Іванець
Hello all!

I'm trying to establish a TLS connection but I'm getting the following error. Can
anyone point me in the right direction, please?

tls_dump_verification_failure(): verification failure: unable to get local issuer certificate


Kamailio version is 5.5.1. System runs on CentOS 7.

At the moment tls.cfg configuration file looks like this:

[server:default]
method = TLSv1+
require_certificate = no
verify_certificate = no
private_key = /var/kamailio/certificates/default/server/key.pem
certificate = /var/kamailio/certificates/default/server/cert.pem
ca_list = /var/kamailio/certificates/default/CA/cert.pem


[client:default]
method = TLSv1+
require_certificate = no
verify_certificate = no
private_key = /var/kamailio/certificates/default/server/key.pem
certificate = /var/kamailio/certificates/default/server/cert.pem
ca_list = /var/kamailio/certificates/default/CA/cert.pem


The ca_list file contains the root and intermediate certificates. The certificate
was issued by Sectigo. It can be successfully verified with the OpenSSL tool:

# openssl verify -verbose -CAfile /var/kamailio/certificates/default/CA/cert.pem /var/kamailio/certificates/default/server/cert.pem
/var/kamailio/certificates/default/server/cert.pem: OK


Here is a fragment of Kamailio debug output:

May  5 06:51:03 server kamailio[3834]: 5(3844) DEBUG: [core/tcp_main.c:1993]: tcp_send(): no open tcp connection found, opening new one
May  5 06:51:03 server kamailio[3834]: 5(3844) DEBUG: [core/ip_addr.c:577]: print_ip(): tcpconn_new: new tcp connection: 52.114.132.46
May  5 06:51:03 server kamailio[3834]: 5(3844) DEBUG: [core/tcp_main.c:1175]: tcpconn_new(): on port 5061, type 3, socket -1
May  5 06:51:03 server kamailio[3834]: 5(3844) DEBUG: [core/tcp_main.c:1498]: tcpconn_add(): hashes: 3678:784:0, 230
May  5 06:51:03 server kamailio[3834]: 5(3844) DEBUG: tls [tls_server.c:244]: tls_complete_init(): completing tls connection initialization
May  5 06:51:03 server kamailio[3834]: 5(3844) DEBUG: tls [tls_server.c:207]: tls_get_connect_server_name(): xavp with outbound server name not found
May  5 06:51:03 server kamailio[3834]: 5(3844) DEBUG: tls [tls_server.c:180]: tls_get_connect_server_id(): xavp with outbound server id not found
May  5 06:51:03 server kamailio[3834]: 5(3844) DEBUG: tls [tls_server.c:187]: tls_get_connect_server_id(): outbound server id not set
May  5 06:51:03 server kamailio[3834]: 5(3844) DEBUG: tls [tls_server.c:274]: tls_complete_init(): Using initial TLS domain TLSc (dom 0x7f1cca178720 ctx 0x7f1cca29dbd0 sn [])
May  5 06:51:03 server kamailio[3834]: 5(3844) DEBUG: tls [tls_domain.c:1208]: tls_lookup_private_key(): Private key lookup for SSL_CTX-0x7f1cca29dbd0: (nil)
May  5 06:51:03 server kamailio[3834]: 5(3844) DEBUG: tls [tls_domain.c:778]: sr_ssl_ctx_info_callback(): SSL handshake started
May  5 06:51:03 server kamailio[3834]: 5(3844) DEBUG: [core/tcp_main.c:2888]: tcpconn_1st_send(): pending write on new connection 0x7f1cca41fe18 sock 11 (-1/517 bytes written) (err: 11 - Resource temporarily unavailable)
May  5 06:51:03 server kamailio[3834]: 5(3844) DEBUG: tm [uac.c:686]: send_prepared_request_impl(): uac: 0x7f1cca40bd50  branch: 0  to 52.114.132.46:5061
May  5 06:51:03 server kamailio[3834]: 5(3844) DEBUG: [core/onsend.c:50]: run_onsend(): required parameters are not available - ignoring
May  5 06:51:03 server kamailio[3834]: 14(3853) DEBUG: [core/tcp_main.c:3793]: handle_ser_child(): read response= 7f1cca41fe18, 5, fd 26 from 5 (3844)
May  5 06:51:03 server kamailio[3834]: 14(3853) DEBUG: [core/io_wait.h:375]: io_watch_add(): DBG: io_watch_add(0xae4760, 26, 2, 0x7f1cca41fe18), fd_no=20
May  5 06:51:03 server kamailio[3834]: 14(3853) DEBUG: [core/io_wait.h:782]: io_watch_chg(): DBG: io_watch_chg (0xae4760, 26, 0x1, 0x) fd_no=21 called
May  5 06:51:03 server kamailio[3834]: 14(3853) DEBUG: [core/io_wait.h:782]: io_watch_chg(): DBG: io_watch_chg (0xae4760, 24, 0x1, 0x) fd_no=21 called
May  5 06:51:03 server kamailio[3834]: 14(3853) DEBUG: [core/io_wait.h:600]: io_watch_del(): DBG: io_watch_del (0xae4760, 26, -1, 0x0) fd_no=21 called
May  5 06:51:03 server kamailio[3834]: 14(3853) DEBUG: [core/tcp_main.c:4457]: handle_tcpconn_ev(): sending to child, events 1
May  5 06:51:03 server kamailio[3834]: 14(3853) DEBUG: [core/tcp_main.c:4130]: send2child(): selected tcp worker idx:3 proc:13 pid:3852 for activity on [tls:X.X.X.X:5062], 0x7f1cca41fe18
May  5 06:51:03 server kamailio[3834]: 13(3852) DEBUG: [core/tcp_read.c:1737]: handle_io(): received n=8 con=0x7f1cca41fe18, fd=6
May  5 06:51:03 server kamailio[3834]: 13(3852) DEBUG: tls [tls_domain.c:1208]: tls_lookup_private_key(): Private key lookup for SSL_CTX-0x7f1cca29dbd0: (nil)
May  5 06:51:03 server kamailio[3834]: 14(3853) DEBUG: [core/io_wait.h:782]: io_watch_chg(): DBG: io_watch_chg (0xae4760, 25, 0x1, 0x) fd_no=20 called
May  5 06:51:03 server kamailio[3834]: 13(3852) DEBUG: [core/tcp_main.c:2706]: tcpconn_do_send(): sending...
May  5 06:51:03