I'm not sure, but with Let's Encrypt you can create only a server certificate, not a client certificate, so you can't require and verify a client certificate.

Regards

---
I'm SoCIaL, MayBe

On 24/01/2020 at 09:01, Bugaian A. Vitalie wrote:
Ok, thanks.

But my question is still about why verification fails, or what should be checked to make it work. Not how to disable it.

Thanks.

Vitalie.

On Fri, Jan 24, 2020 at 2:54 PM Social Boh <[email protected]> wrote:

    Hello,

    changing:

    [client:default]
    #method = TLSv1.2+
    verify_certificate = yes

    require_certificate = yes

    with

    [client:default]
    #method = TLSv1.2+
    verify_certificate = no
    require_certificate = no

    ---
    I'm SoCIaL, MayBe

    On 24/01/2020 at 08:46, Bugaian A. Vitalie wrote:
    Hello list,

    I have tried to set up my TLS config with LetsEncrypt following
    this post:

    https://www.fredposner.com/1836/kamailio-tls-and-letsencrypt/

    My tls config looks like this:


    [server:default]
    method = TLSv1.2+
    verify_certificate = no
    require_certificate = no
    private_key = /etc/letsencrypt/live/sbc.example.net-0001/privkey.pem
    certificate = /etc/letsencrypt/live/sbc.example.net-0001/fullchain.pem
    ca_list = /etc/letsencrypt/live/sbc.example.net-0001/ca_list.pem
    #ca_list = /usr/local/etc/kamailio/tls/cacert.pem
    #crl = /usr/local/etc/kamailio/tls/crl.pem
    server_name = sbc.example.net
    server_id = sbc.example.net

    #ca_list = /usr/local/etc/fullchain.pem
    #ca_list = /usr/local/etc/kamailio/tls/cacert.pem
    #crl = /usr/local/etc/kamailio/tls/crl.pem


    # ---
    # This is the default client domain profile.
    # Settings in this domain will be used for all outgoing
    # TLS connections that do not match any other
    # client domain in this configuration file.
    # We require that servers present valid certificate.
    #
    [client:default]
    #method = TLSv1.2+
    verify_certificate = yes
    require_certificate = yes

    ===================================
    My ca_list has all certificates from
    cat /etc/ssl/certs/ca-certificates.crt >> /etc/letsencrypt/live/sbcc.example.net/ca_list.pem

    I keep getting certificate validation failed, see below:

    Jan 24 08:39:56 sbc.example.net /usr/local/sbin/kamailio[6371]: ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS write:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
    Jan 24 08:39:56 sbc.example.net /usr/local/sbin/kamailio[6371]: ERROR: <core> [core/tcp_read.c:1505]: tcp_read_req(): ERROR: tcp_read_req: error reading - c: 0x7f0474421f68 r: 0x7f0474422028 (-1)
    Jan 24 08:39:56 sbc.example.net /usr/local/sbin/kamailio[6370]: ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS write:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
    Jan 24 08:39:56 sbc.example.net /usr/local/sbin/kamailio[6370]: ERROR: <core> [core/tcp_read.c:1505]: tcp_read_req(): ERROR: tcp_read_req: error reading - c: 0x7f0474401cb8 r: 0x7f0474401d78 (-1)

    =====================

    What params should I change or where to look for a solution on
    this one?

    Thanks.

    Vitalie A. Bugaian.

    _______________________________________________
    Kamailio (SER) - Users Mailing List
    [email protected]
    https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
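
The configuration quoted in this thread sets `ca_list` only under `[server:default]`, while `[client:default]` has `verify_certificate = yes`. The following added example (not code from the thread or from the Kamailio project) parses a tls.cfg and lists the profiles that enable peer verification without a `ca_list` of their own. It assumes a profile does not inherit `ca_list` from another section; the sample config is reconstructed from the post.

```python
# Added example: flag tls.cfg profiles that verify the peer but name no CA bundle.
# Assumption: ca_list set in [server:default] is not inherited by [client:default].

# Sample reconstructed from the configuration quoted in the thread.
SAMPLE_CFG = """\
[server:default]
method = TLSv1.2+
verify_certificate = no
require_certificate = no
private_key = /etc/letsencrypt/live/sbc.example.net-0001/privkey.pem
certificate = /etc/letsencrypt/live/sbc.example.net-0001/fullchain.pem
ca_list = /etc/letsencrypt/live/sbc.example.net-0001/ca_list.pem

[client:default]
#method = TLSv1.2+
verify_certificate = yes
require_certificate = yes
"""

def parse_profiles(text):
    """Return {section_name: {key: value}} for an INI-style tls.cfg."""
    profiles, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = profiles.setdefault(line[1:-1].strip(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return profiles

def profiles_missing_ca(text):
    """Names of profiles with verify_certificate enabled and no ca_list."""
    flagged = []
    for name, opts in parse_profiles(text).items():
        # Truthy spellings treated as enabled here; the thread only uses yes/no.
        verifies = opts.get("verify_certificate", "no").lower() in ("yes", "on", "true", "1")
        if verifies and not opts.get("ca_list"):
            flagged.append(name)
    return flagged

if __name__ == "__main__":
    for name in profiles_missing_ca(SAMPLE_CFG):
        print(f"[{name}] verifies the peer but has no ca_list to verify against")
```
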
