Ok, thank you. Looks like problem solved. I just pointed same config certificates for client too and setting it on yes yes worked.
Thanks.
Vitalie.

On Fri, Jan 24, 2020 at 3:07 PM Social Boh <[email protected]> wrote:

> I'm not sure but with Let's Encrypt you can create only server
> certificate, not client certificate so you can't require and verify client
> certificate.
>
> Regards
>
> ---
> I'm SoCIaL, MayBe
>
> On 24/01/2020 at 09:01, Bugaian A. Vitalie wrote:
>
> Ok, thanks.
>
> But my question is still about why verification fails/or what should be
> checked to make it work. Not how to disable it.
>
> Thanks.
>
> Vitalie.
>
> On Fri, Jan 24, 2020 at 2:54 PM Social Boh <[email protected]> wrote:
>
>> Hello,
>>
>> changing:
>>
>> [client:default]
>> #method = TLSv1.2+
>> verify_certificate = yes
>> require_certificate = yes
>>
>> with
>>
>> [client:default]
>> #method = TLSv1.2+
>> verify_certificate = no
>> require_certificate = no
>>
>> ---
>> I'm SoCIaL, MayBe
>>
>> On 24/01/2020 at 08:46, Bugaian A. Vitalie wrote:
>>
>> Hello list,
>>
>> I have tried to setup my tls config with LetsEncrypt following this post:
>>
>> https://www.fredposner.com/1836/kamailio-tls-and-letsencrypt/
>>
>> My tls config looks like this:
>>
>>
>> [server:default]
>> method = TLSv1.2+
>> verify_certificate = no
>> require_certificate = no
>> private_key = /etc/letsencrypt/live/sbc.example.net-0001/privkey.pem
>> certificate = /etc/letsencrypt/live/sbc.example.net-0001/fullchain.pem
>> ca_list = /etc/letsencrypt/live/sbc.example.net-0001/ca_list.pem
>> #ca_list = /usr/local/etc/kamailio/tls/cacert.pem
>> #crl = /usr/local/etc/kamailio/tls/crl.pem
>> server_name = sbc.example.net
>> server_id = sbc.example.net
>>
>> #ca_list = /usr/local/etc/fullchain.pem
>> #ca_list = /usr/local/etc/kamailio/tls/cacert.pem
>> #crl = /usr/local/etc/kamailio/tls/crl.pem
>>
>>
>> # ---
>> # This is the default client domain profile.
>> # Settings in this domain will be used for all outgoing
>> # TLS connections that do not match any other
>> # client domain in this configuration file.
>> # We require that servers present valid certificate.
>> #
>> [client:default]
>> #method = TLSv1.2+
>> verify_certificate = yes
>> require_certificate = yes
>>
>> ===================================
>> My ca_list has all certificates from
>> cat /etc/ssl/certs/ca-certificates.crt >> /etc/letsencrypt/live/
>> sbcc.example.net/ca_list.pem
>>
>> I keep getting certificate validation failed see below:
>>
>> an 24 08:39:56 sbc.example.net /usr/local/sbin/kamailio[6371]: ERROR:
>> tls [tls_util.h:42]: tls_err_ret(): TLS write:error:1416F086:SSL
>> routines:tls_process_server_certificate:certificate verify failed
>> Jan 24 08:39:56 sbc.example.net /usr/local/sbin/kamailio[6371]: ERROR:
>> <core> [core/tcp_read.c:1505]: tcp_read_req(): ERROR: tcp_read_req: error
>> reading - c: 0x7f0474421f68 r: 0x7f0474422028 (-1)
>> Jan 24 08:39:56 sbc.example.net /usr/local/sbin/kamailio[6370]: ERROR:
>> tls [tls_util.h:42]: tls_err_ret(): TLS write:error:1416F086:SSL
>> routines:tls_process_server_certificate:certificate verify failed
>> Jan 24 08:39:56 sbc.example.net /usr/local/sbin/kamailio[6370]: ERROR:
>> <core> [core/tcp_read.c:1505]: tcp_read_req(): ERROR: tcp_read_req: error
>> reading - c: 0x7f0474401cb8 r: 0x7f0474401d78 (-1)
>>
>> =====================
>>
>> What params should I change or where to look for a solution on this one?
>>
>> Thanks.
>>
>> Vitalie A. Bugaian.
>>
>> _______________________________________________
>> Kamailio (SER) - Users Mailing List
>> [email protected]
>> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>>
>>
_______________________________________________
Kamailio (SER) - Users Mailing List
[email protected]
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
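
A check for the condition this thread ran into, added here as an example (not code from the posters or from the Kamailio project): it parses tls.cfg text and reports profiles that set verify_certificate = yes without a ca_list, plus client profiles with verification switched off. The function names, the sample file and the list of truthy spellings are assumptions, as is the premise that a profile does not inherit ca_list from elsewhere.

```python
import configparser

# Constructed sample modelled on the tls.cfg quoted in the thread above.
SAMPLE_CFG = """
[server:default]
method = TLSv1.2+
verify_certificate = no
require_certificate = no
private_key = /etc/letsencrypt/live/sbc.example.net-0001/privkey.pem
certificate = /etc/letsencrypt/live/sbc.example.net-0001/fullchain.pem
ca_list = /etc/letsencrypt/live/sbc.example.net-0001/ca_list.pem
#crl = /usr/local/etc/kamailio/tls/crl.pem

[client:default]
#method = TLSv1.2+
verify_certificate = yes
require_certificate = yes
"""

TRUE_VALUES = {"yes", "on", "1", "true"}  # assumption: accepted truthy spellings


def load_profiles(text):
    """Parse tls.cfg text into {profile_name: {option: value}}."""
    parser = configparser.ConfigParser(
        strict=False,             # tolerate repeated keys; the last one wins
        interpolation=None,       # treat '%' in values literally
        delimiters=("=",),        # ':' belongs to profile names and values
        comment_prefixes=("#",),  # commented-out options are ignored
    )
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}


def audit(text):
    """Return sorted (profile, finding) pairs for broken or weak settings."""
    findings = []
    for name, opts in load_profiles(text).items():
        verify = opts.get("verify_certificate", "").lower() in TRUE_VALUES
        if verify and not opts.get("ca_list"):
            findings.append((name, "verify_certificate enabled but no ca_list"))
        if name.startswith("client:") and not verify:
            findings.append((name, "peer certificate is not verified"))
    return sorted(findings)


if __name__ == "__main__":
    for profile, finding in audit(SAMPLE_CFG):
        print(f"{profile}: {finding}")
```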
