Thanks! That did the trick (Debian 10)

[server:default]
method = TLSv1.2+
verify_certificate = yes
require_certificate = yes
private_key = /etc/kamailio/tls/myserver.key
certificate = /etc/kamailio/tls/myserver.crt
# Points to your root CA list
ca_list = /etc/ssl/certs/ca-certificates.crt

[client:default]
method = TLSv1.2+
verify_certificate = yes
require_certificate = yes
private_key = /etc/kamailio/tls/myserver.key
certificate = /etc/kamailio/tls/myserver.crt
ca_list = /etc/kamailio/tls/issuer.crt

It now takes longer to reload the TLS config, and PKG/SHM size needs to be increased to process the full list, but it's OK :)

On 29.03.2020 13:54, Alexey Vasilyev wrote:
Hi Igor,

Because these errors are about verification of the Microsoft certificate.
/etc/kamailio/tls/issuer.cer should contain the certificate authorities list, which contains trusted root certificates.
For example, for CentOS7 /etc/ssl/certs/ca-bundle.crt

-----
Alexey Vasilyev
[email protected]



On 29 Mar 2020, at 11:36, Igor Olhovskiy <[email protected]> wrote:

Hi!

Actually, I’m trying to get Kamailio to work as an MS Teams SBC, following this perfect article:
https://skalatan.de/en/blog/kamailio-sbc-teams
It works well, but one thing is bothering me.
I’m using Let’s Encrypt certs (actually, they work well), but with these settings in *tls.conf*

verify_certificate = yes
require_certificate = yes

It’s giving errors like

/usr/sbin/kamailio[4551]: ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS write:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
/usr/sbin/kamailio[4551]: ERROR: <core> [core/tcp_read.c:1505]: tcp_read_req(): ERROR: tcp_read_req: error reading - c: 0x7f03e6d23d88 r: 0x7f03e6d23e08 (-1)

They are resolved by setting these settings (verify/require) to off (actually, as mentioned here - https://www.fredposner.com/1836/kamailio-tls-and-letsencrypt/), but I’m really curious - why?

As I understand it, it’s using *openssl verify* in the background, but this check passed locally with

openssl verify -CAfile issuer.crt myserver.crt
myserver.crt: OK

So, are there any tricks to Let’s Encrypt, or is it just some misconfig in *tls.cfg*?

Now it looks like the one from the article

[server:default]
method = TLSv1.2+
verify_certificate = yes
require_certificate = yes
private_key = /etc/kamailio/tls/myserver.key
certificate = /etc/kamailio/tls/myserver.crt
ca_list = /etc/kamailio/tls/issuer.crt

[client:default]
method = TLSv1.2+
verify_certificate = yes
require_certificate = yes
private_key = /etc/kamailio/tls/myserver.key
certificate = /etc/kamailio/tls/myserver.crt
ca_list = /etc/kamailio/tls/issuer.crt
—
Regards, Igor



_______________________________________________
Kamailio (SER) - Users Mailing List
[email protected] <mailto:[email protected]>
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users



--
Regards, Igor
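
The point of Alexey's reply, as an added example that is not part of the original thread: `ca_list` is what the peer's certificate is checked against, so verifying your own certificate against its issuer says nothing about whether the remote side's certificate will verify. The CAs, certificates, file names and the `make_lab`/`trusts` helpers below are constructed stand-ins generated locally with `openssl`; nothing here is Kamailio's own code.

```shell
#!/bin/sh
# Constructed lab: every CA, key and certificate here is a throwaway generated locally.
#   own-issuer : stands in for the CA that issued our own certificate
#   peer-root  : stands in for the different root that signed the remote side's certificate

make_lab() {
    lab=$(mktemp -d) || return 1
    (
        cd "$lab" || exit 1
        for ca in own-issuer peer-root; do
            openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
                -subj "/CN=$ca (constructed)" \
                -keyout "$ca.key" -out "$ca.crt" 2>/dev/null || exit 1
        done
        issue() {  # issue <leaf> <ca>: sign a leaf certificate with the given CA
            openssl req -newkey rsa:2048 -nodes -subj "/CN=$1.example.test" \
                -keyout "$1.key" -out "$1.csr" 2>/dev/null &&
            openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" \
                -CAcreateserial -days 1 -out "$1.crt" 2>/dev/null
        }
        issue myserver own-issuer || exit 1
        issue peer peer-root || exit 1
        # A bundle that also trusts the peer's root, as a system CA bundle would
        cat own-issuer.crt peer-root.crt > bundle.crt
    ) >/dev/null || return 1
    echo "$lab"
}

# trusts <ca_file> <cert>: succeeds only if <cert> chains to a CA in <ca_file>
trusts() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Demo: the three checks that a ca_list choice implies
lab=$(make_lab) || { echo "could not build lab (is openssl installed?)" >&2; exit 1; }
for pair in "own-issuer.crt myserver.crt" "own-issuer.crt peer.crt" "bundle.crt peer.crt"; do
    set -- $pair
    if trusts "$lab/$1" "$lab/$2"; then result="OK"; else result="verify failed"; fi
    echo "CAfile=$1 cert=$2 -> $result"
done
rm -rf "$lab"
```

The first line of output corresponds to the local `openssl verify` check in the thread, the second to the handshake error, and the third to the working configuration with a full root CA list.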
