Make sure you are using a config FILE for the TLS-config, and not setting
the params directly in the KAMAILIO-CONFIG-FILE.
Specifically this:
$ cat tls.cfg
#
# Kamailio TLS Configuration File
#
# This is the default server domain, settings
# in this domain will be used for all incoming
# connections that do not match any other server
# domain in this configuration file.
#
[server:default]
method = TLSv1+
private_key = ...
certificate = ...
ca_list = ...
...
...
And then in kamailio.cfg:
modparam("tls", "config", "/etc/kamailio/tls.cfg")
Then you should be able to do `tls.reload` ...
Do not set the certificate config inside the kamailio.cfg config, that's the
bottom line.
Joel.
On Wed, Nov 20, 2024 at 11:47 AM Sergiu Pojoga via sr-users <
[email protected]> wrote:
> Looks like a cert file permissions issue.
>
> On Wed, Nov 20, 2024 at 1:35 PM Yuriy Nasida via sr-users <
> [email protected]> wrote:
>
>> Hello,
>>
>> I am using letsencrypt cert and key and do not want to restart kamailio
>> every 3 months to load new ones.
>> I know that there is: kamcmd tls.reload method but it has an error for
>> me.
>> error: 500 - Error while fixing TLS configuration (consult server log)
>>
>> I am checking the logs and see:
>>
>> kamailio[3865480]: INFO: tls [tls_domain.c:345]: ksr_tls_fill_missing():
>> TLSs<default>: tls_method=3
>> kamailio[3865480]: INFO: tls [tls_domain.c:357]: ksr_tls_fill_missing():
>> TLSs<default>: certificate='/etc/kamailio/certs/my_cert.crt'
>> kamailio[3865480]: INFO: tls [tls_domain.c:364]: ksr_tls_fill_missing():
>> TLSs<default>: ca_list='(null)'
>> kamailio[3865480]: INFO: tls [tls_domain.c:371]: ksr_tls_fill_missing():
>> TLSs<default>: ca_path='(null)'
>> kamailio[3865480]: INFO: tls [tls_domain.c:378]: ksr_tls_fill_missing():
>> TLSs<default>: crl='(null)'
>> kamailio[3865480]: INFO: tls [tls_domain.c:382]: ksr_tls_fill_missing():
>> TLSs<default>: require_certificate=0
>> kamailio[3865480]: INFO: tls [tls_domain.c:390]: ksr_tls_fill_missing():
>> TLSs<default>: cipher_list='(null)'
>> kamailio[3865480]: INFO: tls [tls_domain.c:397]: ksr_tls_fill_missing():
>> TLSs<default>: private_key='/etc/kamailio/certs/private.key'
>> kamailio[3865480]: INFO: tls [tls_domain.c:401]: ksr_tls_fill_missing():
>> TLSs<default>: verify_certificate=0
>> kamailio[3865480]: INFO: tls [tls_domain.c:406]: ksr_tls_fill_missing():
>> TLSs<default>: verify_depth=9
>> kamailio[3865480]: INFO: tls [tls_domain.c:410]: ksr_tls_fill_missing():
>> TLSs<default>: verify_client=0
>> kamailio[3865480]: NOTICE: tls [tls_domain.c:1168]: ksr_tls_fix_domain():
>> registered server_name callback handler for socket [:0],
>> server_name='<default>' ...
>> kamailio[3865480]: ERROR: tls [tls_domain.c:590]: load_cert():
>> TLSs<default>: Unable to load certificate file
>> '/etc/kamailio/certs/my_cert.crt'
>> kamailio[3865480]: ERROR: tls [tls_util.h:49]: tls_err_ret():
>> load_cert:error:03000072:digital envelope routines::decode error (sni:
>> unknown)
>> kamailio[3865480]: ERROR: tls [tls_util.h:49]: tls_err_ret():
>> load_cert:error:0A00018F:SSL routines::ee key too small (sni: unknown)
>>
>> Any advice?
>>
>> It's interesting that there are not any errors in case I restart
>> kamailio. I can make TLS calls without problems.
>>
>> deb 12.5
>> version: kamailio 5.7.4 (x86_64/linux)
>>
>> __________________________________________________________
>> Kamailio - Users Mailing List - Non Commercial Discussions --
>> [email protected]
>> To unsubscribe send an email to [email protected]
>> Important: keep the mailing list in the recipients, do not reply only to
>> the sender!
>>
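A pre-flight check for the two causes raised in this thread (TLS parameters set directly in kamailio.cfg, and certificate files the Kamailio user cannot read), as an added example that is not part of the original messages or Kamailio's own code. The function names and the default `/etc/kamailio/kamailio.cfg` path are assumptions; it does not diagnose the OpenSSL decode or key-size errors shown in the log.

```sh
#!/bin/sh
# Pre-flight for `kamcmd tls.reload`. Added example, not Kamailio project code.
# Run as the user the Kamailio process runs as, so -r tests its permissions.

# Print the path given in modparam("tls", "config", "...") in kamailio.cfg.
tls_cfg_path() {
    sed -nE 's/^[[:space:]]*modparam\("tls",[[:space:]]*"config",[[:space:]]*"([^"]*)"\).*/\1/p' "$1" | head -n 1
}

# Print cert/key modparams set directly in kamailio.cfg (exit 1 if none).
inline_tls_params() {
    grep -E '^[[:space:]]*modparam\("tls",[[:space:]]*"(certificate|private_key|ca_list)"' "$1"
}

# Print each certificate, private_key and ca_list path named in tls.cfg.
tls_cfg_files() {
    sed -nE 's/^[[:space:]]*(certificate|private_key|ca_list)[[:space:]]*=[[:space:]]*//p' "$1" |
        tr -d '"' | sed 's/[[:space:]]*$//'
}

# Print the files named in tls.cfg that the current user cannot read.
unreadable_tls_files() {
    tls_cfg_files "$1" | while IFS= read -r f; do
        [ -r "$f" ] || printf '%s\n' "$f"
    done
}

# Return 0 only when kamailio.cfg points at a tls.cfg and every file is readable.
tls_reload_preflight() {
    pf_rc=0
    if inline_tls_params "$1" >/dev/null; then
        echo "cert/key set inline in $1; move them into tls.cfg" >&2; pf_rc=1
    fi
    pf_cfg=$(tls_cfg_path "$1")
    if [ -z "$pf_cfg" ] || [ ! -r "$pf_cfg" ]; then
        echo "no readable tls.cfg referenced from $1" >&2; return 1
    fi
    pf_bad=$(unreadable_tls_files "$pf_cfg")
    if [ -n "$pf_bad" ]; then
        echo "not readable by $(id -un): $pf_bad" >&2; pf_rc=1
    fi
    return "$pf_rc"
}

# Assumed entry point for a renewal hook: reload only when the checks pass.
reload_kamailio_tls() {
    tls_reload_preflight "${1:-/etc/kamailio/kamailio.cfg}" && kamcmd tls.reload
}
```

Source the file and call `reload_kamailio_tls` from the certificate renewal hook. Relative paths in tls.cfg are tested against the current working directory.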