Back when I did my first TLS, I did it with
https://www.fredposner.com/1836/kamailio-tls-and-letsencrypt/

It worked for me on the first try. Maybe give it a try.

David

On Thu, 15 Jul 2021 at 11:02, ThanhTruong <[email protected]> wrote:

> Hi Henning and all,
>
> I can restart kamailio without error, so I think kamailio can access the
> certs file, am I right?
>
> Next, I can check the TLS configuration via some commands, with results like:
>
> openssl s_client -connect mydomain.com:4443
>
> result is:
>
> CONNECTED(00000003)
> depth=1 C = US, ST = US, L = HCM, O = mydomain.com, OU = mydomain.com, CN = mydomain.com, emailAddress = [email protected]
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
> ---
> Certificate chain
>  0 s:/C=US/ST=US/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/[email protected]
>    i:/C=US/ST=US/L=HCM/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/[email protected]
>  1 s:/C=US/ST=US/L=HCM/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/[email protected]
>    i:/C=US/ST=US/L=HCM/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/[email protected]
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> IKqnZKfVhfs=
> -----END CERTIFICATE-----
> subject=/C=US/ST=US/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/[email protected]
> issuer=/C=US/ST=US/L=HCM/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/[email protected]
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 2890 bytes and written 391 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : ECDHE-RSA-AES256-GCM-SHA384
>     Session-ID: 047913A6C905B007C53EB31C51CBED00FDF8BBBBC8ACDA79238314C3AF899776
>     Session-ID-ctx:
>     Master-Key: 98D20DD5C85389F6BA32F0CADC76789D03BA3534D45F446418120E8358ACE5142FC21C02E0E3E22090A9E5920F8AB835
>     Key-Arg   : None
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     TLS session ticket lifetime hint: 7200 (seconds)
>     TLS session ticket:
>     0000 - fa 90 a9 99 5e 02 04 26-ae bf ce f4 05 06 87 e0   ....^..&........
>     0010 - d5 a7 f2 74 ac 4a 7d 0b-ae ba 53 a4 89 14 95 52   ...t.J}...S....R
>     0020 - 68 53 ea 9b e2 1d 23 ae-77 86 6b 74 21 5e 1e 88   hS....#.w.kt!^..
>     0030 - 50 75 3f e4 2a 7a 95 63-5a 87 58 b8 ac c1 ae 85   Pu?.*z.cZ.X.....
>     0040 - d9 73 3d 4d 5f 27 df 37-37 98 02 15 0c 3c 62 96   .s=M_'.77....<b.
>     0050 - 50 22 cd 2c e9 b0 aa ba-3e e0 9e a5 65 17 35 3f   P".,....>...e.5?
>     0060 - d5 2d 37 4a 99 1a 19 42-aa 63 6a 74 8b fe 70 72   .-7J...B.cjt..pr
>     0070 - b6 cc 3d e1 b1 f8 da ee-9c 31 db 25 eb 2a 22 f5   ..=......1.%.*".
>     0080 - 38 87 13 aa 13 c1 4c c4-f9 1a 83 1c 38 a8 a9 15   8.....L.....8...
>     0090 - c4 70 cd 3f e5 0a 5e 5e-13 a3 13 a7 6d 29 0e 70   .p.?..^^....m).p
>     00a0 - fc 09 ee df e0 89 f6 48-29 04 1e 69 65 92 f0 e7   .......H)..ie...
>
>     Start Time: 1626338959
>     Timeout   : 300 (sec)
>     Verify return code: 19 (self signed certificate in certificate chain)
> ---
>
> or the normal TLS port 5061:
>
> openssl s_client -connect mydomain.com:5061 -tls1
> CONNECTED(00000003)
> depth=1 C = US, ST = US, L = HCM, O = mydomain.com, OU = mydomain.com, CN = mydomain.com, emailAddress = [email protected]
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
> ---
> Certificate chain
>  0 s:/C=US/ST=US/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/[email protected]
>    i:/C=US/ST=US/L=HCM/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/[email protected]
>  1 s:/C=US/ST=US/L=HCM/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/[email protected]
>    i:/C=US/ST=US/L=HCM/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/[email protected]
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> MIIEVDCCAzygAwIBAgIBATANBgkqhkiG9w0BAQsFADCBtTELMAkGA1UEBhMCVVMx
> xxxxxxxxxx...
> IKqnZKfVhfs=
> -----END CERTIFICATE-----
> subject=/C=US/ST=US/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/[email protected]
> issuer=/C=US/ST=US/L=HCM/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/[email protected]
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 2896 bytes and written 307 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : ECDHE-RSA-AES256-SHA
>     Session-ID: EF724C7926D18D0B727709E4D42650D2141EA44771E3FF8B566161F51095B0C7
>     Session-ID-ctx:
>     Master-Key: 61C323CD42A4447B4E662958EA4E5F9DE039A4F257342BBAED236E3B811D6052192FEC36CC245D810A847B9E5FFF54C6
>     Key-Arg   : None
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     TLS session ticket lifetime hint: 7200 (seconds)
>     TLS session ticket:
>     0000 - 45 b4 44 76 46 b2 f5 a5-39 a4 ec 4e 53 22 5c 20   E.DvF...9..NS"\
>     0010 - d5 a7 f2 74 ac 4a 7d 0b-ae ba 53 a4 89 14 95 52   ...t.J}...S....R
>     0020 - fe 69 4e 7a 3e 23 ff 41-62 54 f1 71 f5 a3 a4 3f   .iNz>#.AbT.q...?
>     0030 - 99 81 5c d9 71 b6 82 be-7e 17 19 a7 d3 55 6a c9   ..\.q...~....Uj.
>     0040 - 9f 9c da ef ef 35 54 30-6e 60 6f f1 e2 13 6c 95   .....5T0n`o...l.
>     0050 - 7e 2a 48 7b 07 51 57 2d-7d 69 7a 8a 46 34 9d 32   ~*H{.QW-}iz.F4.2
>     0060 - b4 7f 4b a4 61 c6 3a 13-3d 86 af cf 22 be 50 63   ..K.a.:.=...".Pc
>     0070 - 93 41 3e 18 d3 37 38 bc-cb b2 83 ea 63 8a 1c c0   .A>..78.....c...
>     0080 - 5a a4 ed 35 18 85 17 9d-24 7c 87 25 ff 98 11 eb   Z..5....$|.%....
>     0090 - f6 1d 89 41 9b ba a1 18-03 0a 90 90 bd 76 c8 80   ...A.........v..
>     00a0 - 44 1f 3a 8c 99 ac 2f ef-a5 e2 22 a6 58 9a e8 2a   D.:.../...".X..*
>
>     Start Time: 1626339048
>     Timeout   : 7200 (sec)
>     Verify return code: 19 (self signed certificate in certificate chain)
>
> So, I am not sure what my issue is / what is wrong here. Or can you help me to check more?
>
> Thanks,
> ThanhTruon
>
> On Jul 15, 2021, at 15:33, Henning Westerholt <[email protected]> wrote:
>
> Hello,
>
> please format your e-mail only with black – it's really hard to read (it
> might be related to my client, though).
>
> Have you already checked the file system access rights to the certs, if
> kamailio can actually read them?
>
> Cheers,
>
> Henning
>
> --
> Henning Westerholt – https://skalatan.de/blog/
> Kamailio services – https://gilawa.com
>
> From: sr-users <[email protected]> On Behalf Of ThanhTruong
> Sent: Thursday, July 15, 2021 5:09 AM
> To: Kamailio (SER) - Users Mailing List <[email protected]>
> Subject: Re: [SR-Users] please help to configure tls in kamailio for webrtc client like simpl5
>
> Hello Fred and all,
>
> I tried some changes, and the results are below.
>
> with:
>
> [server:default]
> method = SSLv23
> verify_certificate = no
> require_certificate = no
> private_key = /etc/certs/mydomain.com/key.pem
> certificate = /etc/certs/mydomain.com/cert.pem
> ca_list = /etc/certs/demoCA/cert.pem
>
> [client:default]
> verify_certificate = yes
> require_certificate = yes
>
> error log:
>
> Jul 15 03:02:57 ip-172-31-44-170 sbin/kamailio[17590]: ERROR: tls [tls_server.c:1283]: tls_h_read_f(): protocol level error
> Jul 15 03:02:57 ip-172-31-44-170 sbin/kamailio[17590]: ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
> Jul 15 03:02:57 ip-172-31-44-170 sbin/kamailio[17590]: ERROR: tls [tls_server.c:1287]: tls_h_read_f(): source IP: 27.65.214.194
> Jul 15 03:02:57 ip-172-31-44-170 sbin/kamailio[17590]: ERROR: tls [tls_server.c:1290]: tls_h_read_f(): destination IP: 172.31.44.170
>
> With settings:
>
> [server:default]
> method = SSLv23
> verify_certificate = no
> require_certificate = no
> private_key = /etc/certs/mydomain.com/key.pem
> certificate = /etc/certs/mydomain.com/cert.pem
> ca_list = /etc/certs/demoCA/cert.pem
>
> [client:default]
> verify_certificate = no
> require_certificate = no
>
> and error log:
>
> Jul 15 03:05:28 ip-172-31-44-170 sbin/kamailio[17648]: ERROR: tls [tls_server.c:1283]: tls_h_read_f(): protocol level error
> Jul 15 03:05:28 ip-172-31-44-170 sbin/kamailio[17648]: ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
> Jul 15 03:05:28 ip-172-31-44-170 sbin/kamailio[17648]: ERROR: tls [tls_server.c:1287]: tls_h_read_f(): source IP: 27.65.214.194
> Jul 15 03:05:28 ip-172-31-44-170 sbin/kamailio[17648]: ERROR: tls [tls_server.c:1290]: tls_h_read_f(): destination IP: 172.31.44.170
> Jul 15 03:05:28 ip-172-31-44-170 sbin/kamailio[17648]: ERROR: <core> [core/tcp_read.c:1493]: tcp_read_req(): ERROR: tcp_read_req: error reading - c: 0x7fd64ee4bfc0 r: 0x7fd64ee4c0e8 (-1)
>
> and tried:
>
> [server:default]
> method = SSLv23
> verify_certificate = yes
> require_certificate = yes
> private_key = /etc/certs/mydomain.com/key.pem
> certificate = /etc/certs/mydomain.com/cert.pem
> ca_list = /etc/certs/demoCA/cert.pem
>
> [client:default]
> verify_certificate = no
> require_certificate = no
>
> and error log:
>
> Jul 15 03:06:37 ip-172-31-44-170 sbin/kamailio[17703]: ERROR: tls [tls_server.c:1283]: tls_h_read_f(): protocol level error
> Jul 15 03:06:37 ip-172-31-44-170 sbin/kamailio[17703]: ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
> Jul 15 03:06:37 ip-172-31-44-170 sbin/kamailio[17703]: ERROR: tls [tls_server.c:1287]: tls_h_read_f(): source IP: 27.65.214.194
> Jul 15 03:06:37 ip-172-31-44-170 sbin/kamailio[17703]: ERROR: tls [tls_server.c:1290]: tls_h_read_f(): destination IP: 172.31.44.170
> Jul 15 03:06:37 ip-172-31-44-170 sbin/kamailio[17703]: ERROR: <core> [core/tcp_read.c:1493]: tcp_read_req(): ERROR: tcp_read_req: error reading - c: 0x7f222a018fc0 r: 0x7f222a0190e8 (-1)
>
> Then, I tried with TLSv1+:
>
> [server:default]
> method = TLSv1+
> verify_certificate = yes
> require_certificate = yes
> private_key = /etc/certs/mydomain.com/key.pem
> certificate = /etc/certs/mydomain.com/cert.pem
> ca_list = /etc/certs/demoCA/cert.pem
>
> [client:default]
> verify_certificate = no
> require_certificate = no
>
> and the log is:
>
> Jul 15 03:08:33 ip-172-31-44-170 sbin/kamailio[17826]: ERROR: tls [tls_server.c:1283]: tls_h_read_f(): protocol level error
> Jul 15 03:08:33 ip-172-31-44-170 sbin/kamailio[17826]: ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
> Jul 15 03:08:33 ip-172-31-44-170 sbin/kamailio[17826]: ERROR: tls [tls_server.c:1287]: tls_h_read_f(): source IP: 27.65.214.194
> Jul 15 03:08:33 ip-172-31-44-170 sbin/kamailio[17826]: ERROR: tls [tls_server.c:1290]: tls_h_read_f(): destination IP: 172.31.44.170
> Jul 15 03:08:33 ip-172-31-44-170 sbin/kamailio[17826]: ERROR: <core> [core/tcp_read.c:1493]: tcp_read_req(): ERROR: tcp_read_req: error reading - c: 0x7f9fd21cefc0 r: 0x7f9fd21cf0e8 (-1)
>
> I am sorry to bother you and all, but I don't know how to get it working,
> please suggest.
>
> Thank you so much.
>
> On Jul 15, 2021, at 01:10, Fred Posner <[email protected]> wrote:
>
> On 7/14/21 2:04 PM, ThanhTruong wrote:
>
> verify_certificate =yes
> require_certificate =yes
>
> Change both of those to no in your case.
>
> --
> Fred Posner -- www.palner.com
> Matrix: @fred:matrix.lod.com
>
> __________________________________________________________
> Kamailio - Users Mailing List - Non Commercial Discussions
> * [email protected]
> Important: keep the mailing list in the recipients, do not reply only to
> the sender!
> Edit mailing list options or unsubscribe:
> * https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users

--
Regards,

David Villasmil
email: [email protected]
phone: +34669448337
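Editor's note with an added example (this is not part of the thread and not Kamailio code). The line that matters in the posted logs is `TLS accept:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown`: during `accept`, OpenSSL read an alert that the peer sent. In other words the WebRTC client at 27.65.214.194 received Kamailio's certificate and refused it. The `openssl s_client` runs show why: the chain ends in the private `demoCA` (`verify error:num=19:self signed certificate in certificate chain`), and a browser's trust store does not contain it. Two things follow. First, `verify_certificate` and `require_certificate` in `[server:default]` govern how Kamailio treats the *client's* certificate; a browser has none, so `require_certificate = yes` breaks browsers on its own (Fred's advice), but no setting on the server makes the browser trust the server. Second, the fix is on the trust side: a publicly trusted certificate (David's link) or importing `demoCA` into every client, plus a Subject Alternative Name for the host, which browsers require and which `s_client` does not display; `openssl x509 -in cert.pem -noout -text | grep -A1 'Subject Alternative Name'` shows whether it is there. One caveat visible in the post: the 5061 probe was forced with `-tls1` and the listener answered with `Protocol : TLSv1`, so it still accepts TLS 1.0.

The Go program below, written for this note with only the standard library, models that situation in-process: a private CA named `demoCA` (the name from the post), a server certificate for `mydomain.com` (also from the post), and a loopback TLS handshake in which the client's trust store either does or does not contain the CA, while the server side toggles the equivalent of `require_certificate`. Everything else (key types, validity periods, the alternate name `sip.mydomain.com`) is assumed for the example; the poster's real certificate was not available.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// demoPKI models the thread's setup: a private CA ("demoCA") and a server
// certificate for the host issued by it. Assumed layout, not the poster's files.
type demoPKI struct {
	ca   *x509.Certificate
	leaf tls.Certificate
}

// issue signs tmpl with parent/parentKey; parent == nil makes it self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := key
	if parent == nil {
		parent = tmpl
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// buildPKI creates demoCA and a server certificate for host signed by it.
func buildPKI(host string) (*demoPKI, error) {
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "demoCA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	ca, caKey, err := issue(caTmpl, nil, nil)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host},
		DNSNames:  []string{host}, // browsers match the SAN, not the CN
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, leafKey, err := issue(leafTmpl, ca, caKey)
	if err != nil {
		return nil, err
	}
	// Send leaf + CA, the two-certificate chain s_client showed in the post.
	return &demoPKI{ca: ca, leaf: tls.Certificate{Certificate: [][]byte{leaf.Raw, ca.Raw}, PrivateKey: leafKey, Leaf: leaf}}, nil
}

// handshake runs one TLS handshake over loopback TCP and returns what each side saw.
// requireClientCert stands in for [server:default] verify_certificate/require_certificate = yes
// (ClientCAs is the ca_list); clientTrustsCA models whether the WebRTC client's store holds demoCA.
func handshake(p *demoPKI, clientTrustsCA bool, serverName string, requireClientCert bool) (clientErr, serverErr error) {
	srvConf := &tls.Config{Certificates: []tls.Certificate{p.leaf}, MinVersion: tls.VersionTLS12}
	if requireClientCert {
		srvConf.ClientAuth = tls.RequireAndVerifyClientCert
		srvConf.ClientCAs = x509.NewCertPool()
		srvConf.ClientCAs.AddCert(p.ca)
	}
	roots := x509.NewCertPool() // empty store: a browser that has never seen demoCA
	if clientTrustsCA {
		roots.AddCert(p.ca)
	}
	cliConf := &tls.Config{ServerName: serverName, RootCAs: roots, MinVersion: tls.VersionTLS12}

	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err, err
	}
	defer ln.Close()
	srvDone := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			srvDone <- err
			return
		}
		defer raw.Close()
		raw.SetDeadline(time.Now().Add(5 * time.Second))
		srvDone <- tls.Server(raw, srvConf).Handshake()
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return err, err
	}
	defer raw.Close()
	raw.SetDeadline(time.Now().Add(5 * time.Second))
	clientErr = tls.Client(raw, cliConf).Handshake()
	serverErr = <-srvDone
	return clientErr, serverErr
}

func main() {
	p, err := buildPKI("mydomain.com")
	if err != nil {
		panic(err)
	}
	cases := []struct {
		name       string
		trust      bool
		serverName string
		requireCC  bool
	}{
		{"client does not trust demoCA, require_certificate=no", false, "mydomain.com", false},
		{"client does not trust demoCA, require_certificate=yes", false, "mydomain.com", true},
		{"client trusts demoCA, name not in SAN", true, "sip.mydomain.com", false},
		{"client trusts demoCA, name matches", true, "mydomain.com", false},
		{"client trusts demoCA, but server demands a client cert", true, "mydomain.com", true},
	}
	for _, c := range cases {
		ce, se := handshake(p, c.trust, c.serverName, c.requireCC)
		fmt.Printf("%-58s client: %v | server: %v\n", c.name, ce, se)
	}
}
```

The first two cases are the poster's situation: the server logs a failed accept whatever its client-certificate policy is, because the client aborts as soon as it sees a chain it cannot anchor. Only the fourth case succeeds, and it needs both a trusted CA and a matching SAN; the last case shows why `require_certificate = yes` fails on its own once trust is in place.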
