This was essentially the crux of my question.  You'd have to look at the 
Kamailio unit file to see what options it sets.  You might also be able to get 
the extrapolated command via service kamailio status.  When using the -u and -g 
flags, I know that the process is initiated by root and then permissions are 
dropped to the user/group, but I don't know at what point they get dropped. I 
assume that the certificate and key have to be readable by the user/group.  
Note: Running as a lower privileged user is a GOOD thing.

Regards,
Kaufman
________________________________
From: Richard Robson via sr-users <[email protected]>
Sent: Wednesday, October 22, 2025 11:55 AM
To: Chandramouli P via sr-users <[email protected]>
Cc: Richard Robson <[email protected]>
Subject: [SR-Users] Re: Unable to start Kamailio with TLS configuration




It looks like you have 700 for root user on the cert directory and are running 
kamailio as kamailio not root, which is correct. So can the kamailio user read 
the cert directory?

R

On 22/10/2025 16:48, Chandramouli P via sr-users wrote:
Hello Ben,

Thank you for your reply. When I was installing Kamailio, I followed this:


groupadd -g 5000 kamailio

useradd -u 5000 -g 5000 -d /var/run/kamailio -M -s /bin/false kamailio


I am simply starting Kamailio like: systemctl start kamailio.service


Please find the below output for the command that you shared with me:


# kamailio -u kamailio -g kamailio -m 64 -M 16
Listening on
             udp: 10.122.0.4:5060
             tcp: 10.122.0.4:5060
             tls: 10.122.0.4:5061
Aliases:
             tls: rtpengine:5061
             tcp: rtpengine:5060
             udp: rtpengine:5060
             *: 10.122.0.4:*


Thank you.


Best Regards,

Chandramouli.

On Wed, Oct 22, 2025 at 8:46 PM Ben Kaufman via sr-users 
<[email protected]> wrote:
Are you using the user or group flags when starting Kamailio?

kamailio -u kamailio -g kamailio -m 64 -M 16




Kaufman


________________________________
From: Chandramouli P via sr-users <[email protected]>
Sent: Wednesday, October 22, 2025 9:49 AM
To: Kamailio (SER) - Users Mailing List <[email protected]>
Cc: Chandramouli P <[email protected]>
Subject: [SR-Users] Re: Unable to start Kamailio with TLS configuration




Hello Richard,

Thank you for your reply. If you noticed the steps that I used to generate 
certificates, I had already given 700 permission to the "certs" directory.


  1. mkdir -p /usr/local/etc/kamailio/certs
  2. cd /usr/local/etc/kamailio/certs
  3. chmod 700 /usr/local/etc/kamailio/certs


[root@rtpengine kamailio]# pwd
/usr/local/etc/kamailio
[root@rtpengine kamailio]#
[root@rtpengine kamailio]# ls -ll
drwx------ 2 root root   150 Oct 22 17:48 certs

[root@rtpengine kamailio]# ls -ll certs/
-rw-r--r-- 1 root root 1992 Oct 22 17:48 ca-cert.pem
-rw-r--r-- 1 root root   41 Oct 22 17:48 ca-cert.srl
-rw------- 1 root root 3243 Oct 22 17:48 ca-key.pem
-rw-r--r-- 1 root root    0 Oct 22 17:48 crl.pem
-rw-r--r-- 1 root root 1870 Oct 22 17:48 kamailio-cert.pem
-rw------- 1 root root 3243 Oct 22 17:48 kamailio-key.pem
-rw-r--r-- 1 root root 1675 Oct 22 17:48 kamailio-req.pem


Please advise me, is there any other part that I missed? Thank you in advance.

Best Regards,
Chandramouli.

On Wed, Oct 22, 2025 at 8:02 PM Richard Robson via sr-users 
<[email protected]> wrote:

From the error it looks like a permissions problem, probably the 700 on the 
directory.

Oct 22 18:23:54 rtpengine /usr/local/sbin/kamailio[34391]: ERROR: tls [tls_domain.c:609]: load_cert(): TLSs<default>: Unable to load certificate file '/usr/local/etc/kamailio/certs/kamailio-cert.pem'
Oct 22 18:23:54 rtpengine /usr/local/sbin/kamailio[34391]: ERROR: tls [tls_util.h:50]: tls_err_ret(): load_cert:error:0200100D:system library:fopen:Permission denied (sni: unknown)


regards,

Richard


On 22/10/2025 14:14, Chandramouli P via sr-users wrote:
Hello,

Please find my server environment below:

Operating System: RockyLinux 8.x and RHEL 8.x
Kamailio version: 6.0.2
IP address: 10.122.0.4

I have generated SSL certificates using OpenSSL. After configuring Kamailio, I 
am unable to start Kamailio. Please find the steps that I used to generate 
certificates along with configuration at the below link:

https://pastebin.com/Veu8z9Pr

Any help would be appreciated and thanks in advance.

Best Regards,
Chandramouli.



__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions -- 
[email protected]
To unsubscribe send an email to [email protected]
Important: keep the mailing list in the recipients, do not reply only to the 
sender!
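
Added example, not part of the thread and not Kamailio code: a small shell check that walks a path one component at a time and reports the first directory or file that a given uid/gid cannot use, which is the failure the 0700 root-owned certs directory produces for a non-root account. The function names, the constructed demo tree and the stand-in uid/gid are assumptions made for the illustration; the check generalizes to every component of the path, not only the certs directory.

```shell
#!/bin/sh
# Classic mode bits only: ACLs, SELinux and supplementary groups are ignored.
# Needs GNU stat (coreutils). Function names here are hypothetical.

# perm_digit UID GID PATH: print the octal digit (0-7) that applies to UID/GID
perm_digit() {
    st=$(stat -c '%u %g %a' "$3") || return 2
    set -- "$1" "$2" $st                 # $3=owner uid, $4=group gid, $5=mode
    mode=$(printf '%04d' "$5")           # pad so 700 and 1777 line up
    if   [ "$1" = "$3" ]; then col=2     # owner bits
    elif [ "$2" = "$4" ]; then col=3     # group bits
    else                       col=4     # other bits
    fi
    printf '%s\n' "$mode" | cut -c"$col"
}

# first_blocked UID GID BASE RELPATH: print the first component below BASE
# that UID/GID cannot search (directories, x bit) or read (final file, r bit).
# Prints nothing and returns 0 when the whole path is usable.
first_blocked() {
    uid=$1 gid=$2 cur=${3%/} rest=$4
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest= ;; esac
        cur="$cur/$part"
        d=$(perm_digit "$uid" "$gid" "$cur") || { echo "$cur (missing)"; return 1; }
        if [ -n "$rest" ]; then need=1; else need=4; fi
        if [ $(( d & need )) -eq 0 ]; then echo "$cur"; return 1; fi
    done
}

# Constructed tree mirroring the thread's layout: certs/ is 0700, as posted.
make_demo_tree() {
    t=$(mktemp -d) && mkdir -p "$t/kamailio/certs" || return 1
    : > "$t/kamailio/certs/kamailio-cert.pem"
    : > "$t/kamailio/certs/kamailio-key.pem"
    chmod 644 "$t/kamailio/certs/kamailio-cert.pem"
    chmod 600 "$t/kamailio/certs/kamailio-key.pem"
    chmod 755 "$t" "$t/kamailio"
    chmod 700 "$t/kamailio/certs"
    echo "$t"
}

# Demo with a stand-in for the unprivileged account (any id that is not ours).
tree=$(make_demo_tree)
first_blocked "$(( $(id -u) + 1 ))" "$(( $(id -g) + 1 ))" "$tree" \
    kamailio/certs/kamailio-cert.pem || true
```

On a real host the call would be `first_blocked 5000 5000 / usr/local/etc/kamailio/certs/kamailio-key.pem`, using the uid/gid 5000 from the `useradd` line in the thread. Root bypasses these bits, so the result is only meaningful for the unprivileged account.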

