Re: [SR-Users] unable to get local issuer certificate
In case someone will face the same problem, here is the correct certificate to add to Kamailio CA list:
https://baltimore-cybertrust-root.chain-demos.digicert.com/info/index.html

Thank you!

Wed, 11 May 2022 at 16:55, Володимир Іванець wrote:

> Hello all!
>
> According to the "SBC doesn’t trust SIP proxy certificate" section from
> https://docs.microsoft.com/en-us/microsoftteams/troubleshoot/phone-system/direct-routing/sip-options-tls-certificate-issues
> I had to download and add their certificates to the CA list. I did that but
> Kamailio still fails to verify MS certificate.
>
> Did anyone face this problem?
>
> Thank you!
>
> Tue, 10 May 2022 at 17:17, Володимир Іванець wrote:
>
>> Hello Olle!
>>
>> Thank you for the hint! I checked my test server where the connection was
>> working before and now I see the same problem. Looks like Microsoft could
>> update certificate on their side. Will try to find appropriate root and
>> intermediate certificates.
>>
>> Thanks a lot!
>>
>> Thu, 5 May 2022 at 17:52, Olle E. Johansson wrote:
>>
>>> tls_dump_cert_info(): tls_connect: server certificate
>>> issuer:/C=US/O=Microsoft Corporation/CN=Microsoft RSA TLS CA 01
>>>
>>> This is not sectigo signed - is my guess. It’s the other side’s cert that
>>> Kamailio can’t verify. You need to add that CA cert to the Kamailio CA
>>> store.
>>>
>>> /O
>>>
>>> On 5 May 2022, at 14:09, Володимир Іванець wrote:
>>>
>>> tls_dump_cert_info(): tls_connect: server certificate
>>> issuer:/C=US/O=Microsoft Corporation/CN=Microsoft RSA TLS CA 01

__
Kamailio - Users Mailing List - Non Commercial Discussions
  * sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender!
Edit mailing list options or unsubscribe:
  * https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users

Re: [SR-Users] unable to get local issuer certificate
Hello all!

According to the "SBC doesn’t trust SIP proxy certificate" section from
https://docs.microsoft.com/en-us/microsoftteams/troubleshoot/phone-system/direct-routing/sip-options-tls-certificate-issues
I had to download and add their certificates to the CA list. I did that but Kamailio still fails to verify MS certificate.

Did anyone face this problem?

Thank you!

Tue, 10 May 2022 at 17:17, Володимир Іванець wrote:

> Hello Olle!
>
> Thank you for the hint! I checked my test server where the connection was
> working before and now I see the same problem. Looks like Microsoft could
> update certificate on their side. Will try to find appropriate root and
> intermediate certificates.
>
> Thanks a lot!
>
> Thu, 5 May 2022 at 17:52, Olle E. Johansson wrote:
>
>> tls_dump_cert_info(): tls_connect: server certificate
>> issuer:/C=US/O=Microsoft Corporation/CN=Microsoft RSA TLS CA 01
>>
>> This is not sectigo signed - is my guess. It’s the other side’s cert that
>> Kamailio can’t verify. You need to add that CA cert to the Kamailio CA
>> store.
>>
>> /O
>>
>> On 5 May 2022, at 14:09, Володимир Іванець wrote:
>>
>> tls_dump_cert_info(): tls_connect: server certificate
>> issuer:/C=US/O=Microsoft Corporation/CN=Microsoft RSA TLS CA 01

Re: [SR-Users] unable to get local issuer certificate
Hello Olle!

Thank you for the hint! I checked my test server where the connection was working before and now I see the same problem. Looks like Microsoft could update certificate on their side. Will try to find appropriate root and intermediate certificates.

Thanks a lot!

Thu, 5 May 2022 at 17:52, Olle E. Johansson wrote:

> tls_dump_cert_info(): tls_connect: server certificate
> issuer:/C=US/O=Microsoft Corporation/CN=Microsoft RSA TLS CA 01
>
> This is not sectigo signed - is my guess. It’s the other side’s cert that
> Kamailio can’t verify. You need to add that CA cert to the Kamailio CA
> store.
>
> /O
>
> On 5 May 2022, at 14:09, Володимир Іванець wrote:
>
> tls_dump_cert_info(): tls_connect: server certificate
> issuer:/C=US/O=Microsoft Corporation/CN=Microsoft RSA TLS CA 01

Re: [SR-Users] unable to get local issuer certificate
tls_dump_cert_info(): tls_connect: server certificate issuer:/C=US/O=Microsoft Corporation/CN=Microsoft RSA TLS CA 01

This is not sectigo signed - is my guess. It’s the other side’s cert that Kamailio can’t verify. You need to add that CA cert to the Kamailio CA store.

/O

> On 5 May 2022, at 14:09, Володимир Іванець wrote:
>
> tls_dump_cert_info(): tls_connect: server certificate
> issuer:/C=US/O=Microsoft Corporation/CN=Microsoft RSA TLS CA 01

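The failure diagnosed in this thread, reproduced offline as an added example (not code from any of the posters): two throwaway CAs generated with openssl stand in for the local Sectigo chain and for the remote side's chain, and a temporary file stands in for the `ca_list` file. All names and paths in it are constructed.

```shell
#!/usr/bin/env bash
# Added example. Every CA, certificate and path below is constructed for the demo.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_ca() {    # $1 = label -> $WORK/$1-ca.key and $WORK/$1-ca.pem (self-signed root)
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$1 demo root" \
    -keyout "$WORK/$1-ca.key" -out "$WORK/$1-ca.pem" 2>/dev/null
}

make_leaf() {  # $1 = issuing CA label, $2 = leaf name -> $WORK/$2.pem
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -days 1 -CAcreateserial \
    -CA "$WORK/$1-ca.pem" -CAkey "$WORK/$1-ca.key" -out "$WORK/$2.pem" 2>/dev/null
}

check() {      # $1 = CA bundle, $2 = certificate; prints a one-line verdict
  out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
  case "$out" in
    *"unable to get local issuer certificate"*)
      echo "unable to get local issuer certificate" ;;
    *": OK"*) echo "OK" ;;
    *) echo "other: $out" ;;
  esac
}

make_ca ours;  make_leaf ours our-server     # stands in for the local (Sectigo) chain
make_ca peer;  make_leaf peer peer-server    # stands in for the remote side's chain
CA_LIST="$WORK/ca_list.pem"                  # stands in for the tls.cfg ca_list file
cp "$WORK/ours-ca.pem" "$CA_LIST"

own_result=$(check "$CA_LIST" "$WORK/our-server.pem")
peer_before=$(check "$CA_LIST" "$WORK/peer-server.pem")
cat "$WORK/peer-ca.pem" >> "$CA_LIST"        # the fix: append the peer's root
peer_after=$(check "$CA_LIST" "$WORK/peer-server.pem")

echo "own cert vs ca_list:         $own_result"
echo "peer cert, before adding CA: $peer_before"
echo "peer cert, after adding CA:  $peer_after"
```

The own-certificate check passing, as in the original post, says nothing about the remote certificate: the issuer printed by tls_dump_cert_info() identifies the chain that has to be present in ca_list.
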
[SR-Users] unable to get local issuer certificate
Hello all!

I'm trying to establish TLS connection but getting the following error. Can anyone point me in the right direction, please?

tls_dump_verification_failure(): verification failure: unable to get local issuer certificate

Kamailio version is 5.5.1. System runs on CentOS 7. At the moment tls.cfg configuration file looks like this:

[server:default]
method = TLSv1+
require_certificate = no
verify_certificate = no
private_key = /var/kamailio/certificates/default/server/key.pem
certificate = /var/kamailio/certificates/default/server/cert.pem
ca_list = /var/kamailio/certificates/default/CA/cert.pem

[client:default]
method = TLSv1+
require_certificate = no
verify_certificate = no
private_key = /var/kamailio/certificates/default/server/key.pem
certificate = /var/kamailio/certificates/default/server/cert.pem
ca_list = /var/kamailio/certificates/default/CA/cert.pem

ca_list file contains root and intermediate certificates. Certificate was issued by Sectigo. It can be successfully verified with OpenSSL tool:

# openssl verify -verbose -CAfile /var/kamailio/certificates/default/CA/cert.pem /var/kamailio/certificates/default/server/cert.pem
/var/kamailio/certificates/default/server/cert.pem: OK

Here is a fragment of Kamailio debug output:

May 5 06:51:03 server kamailio[3834]: 5(3844) DEBUG: [core/tcp_main.c:1993]: tcp_send(): no open tcp connection found, opening new one
May 5 06:51:03 server kamailio[3834]: 5(3844) DEBUG: [core/ip_addr.c:577]: print_ip(): tcpconn_new: new tcp connection: 52.114.132.46
May 5 06:51:03 server kamailio[3834]: 5(3844) DEBUG: [core/tcp_main.c:1175]: tcpconn_new(): on port 5061, type 3, socket -1
May 5 06:51:03 server kamailio[3834]: 5(3844) DEBUG: [core/tcp_main.c:1498]: tcpconn_add(): hashes: 3678:784:0, 230
May 5 06:51:03 server kamailio[3834]: 5(3844) DEBUG: tls [tls_server.c:244]: tls_complete_init(): completing tls connection initialization
May 5 06:51:03 server kamailio[3834]: 5(3844) DEBUG: tls [tls_server.c:207]: tls_get_connect_server_name(): xavp with outbound server name not found
May 5 06:51:03 server kamailio[3834]: 5(3844) DEBUG: tls [tls_server.c:180]: tls_get_connect_server_id(): xavp with outbound server id not found
May 5 06:51:03 server kamailio[3834]: 5(3844) DEBUG: tls [tls_server.c:187]: tls_get_connect_server_id(): outbound server id not set
May 5 06:51:03 server kamailio[3834]: 5(3844) DEBUG: tls [tls_server.c:274]: tls_complete_init(): Using initial TLS domain TLSc (dom 0x7f1cca178720 ctx 0x7f1cca29dbd0 sn [])
May 5 06:51:03 server kamailio[3834]: 5(3844) DEBUG: tls [tls_domain.c:1208]: tls_lookup_private_key(): Private key lookup for SSL_CTX-0x7f1cca29dbd0: (nil)
May 5 06:51:03 server kamailio[3834]: 5(3844) DEBUG: tls [tls_domain.c:778]: sr_ssl_ctx_info_callback(): SSL handshake started
May 5 06:51:03 server kamailio[3834]: 5(3844) DEBUG: [core/tcp_main.c:2888]: tcpconn_1st_send(): pending write on new connection 0x7f1cca41fe18 sock 11 (-1/517 bytes written) (err: 11 - Resource temporarily unavailable)
May 5 06:51:03 server kamailio[3834]: 5(3844) DEBUG: tm [uac.c:686]: send_prepared_request_impl(): uac: 0x7f1cca40bd50 branch: 0 to 52.114.132.46:5061
May 5 06:51:03 server kamailio[3834]: 5(3844) DEBUG: [core/onsend.c:50]: run_onsend(): required parameters are not available - ignoring
May 5 06:51:03 server kamailio[3834]: 14(3853) DEBUG: [core/tcp_main.c:3793]: handle_ser_child(): read response= 7f1cca41fe18, 5, fd 26 from 5 (3844)
May 5 06:51:03 server kamailio[3834]: 14(3853) DEBUG: [core/io_wait.h:375]: io_watch_add(): DBG: io_watch_add(0xae4760, 26, 2, 0x7f1cca41fe18), fd_no=20
May 5 06:51:03 server kamailio[3834]: 14(3853) DEBUG: [core/io_wait.h:782]: io_watch_chg(): DBG: io_watch_chg (0xae4760, 26, 0x1, 0x) fd_no=21 called
May 5 06:51:03 server kamailio[3834]: 14(3853) DEBUG: [core/io_wait.h:782]: io_watch_chg(): DBG: io_watch_chg (0xae4760, 24, 0x1, 0x) fd_no=21 called
May 5 06:51:03 server kamailio[3834]: 14(3853) DEBUG: [core/io_wait.h:600]: io_watch_del(): DBG: io_watch_del (0xae4760, 26, -1, 0x0) fd_no=21 called
May 5 06:51:03 server kamailio[3834]: 14(3853) DEBUG: [core/tcp_main.c:4457]: handle_tcpconn_ev(): sending to child, events 1
May 5 06:51:03 server kamailio[3834]: 14(3853) DEBUG: [core/tcp_main.c:4130]: send2child(): selected tcp worker idx:3 proc:13 pid:3852 for activity on [tls:X.X.X.X:5062], 0x7f1cca41fe18
May 5 06:51:03 server kamailio[3834]: 13(3852) DEBUG: [core/tcp_read.c:1737]: handle_io(): received n=8 con=0x7f1cca41fe18, fd=6
May 5 06:51:03 server kamailio[3834]: 13(3852) DEBUG: tls [tls_domain.c:1208]: tls_lookup_private_key(): Private key lookup for SSL_CTX-0x7f1cca29dbd0: (nil)
May 5 06:51:03 server kamailio[3834]: 14(3853) DEBUG: [core/io_wait.h:782]: io_watch_chg(): DBG: io_watch_chg (0xae4760, 25, 0x1, 0x) fd_no=20 called
May 5 06:51:03 server kamailio[3834]: 13(3852) DEBUG: [core/tcp_main.c:2706]: tcpconn_do_send(): sending...
May 5 06:51:03