Hi John,

You are probably looking over the documentation for the wrong OpenSIPS version. The issues that you've mentioned appear in the 2.2 docs.

The 2.4 docs should mostly cover your questions, but nevertheless:

a) The domain field is only an identifier for the virtual TLS domain, but for default domains, indeed there is a special value, 'default'.

b)
    * address - same meaning as the IP:port part of the 'server_domain' parameter
    * type - TLS client(1) or server(2) domain and 0 for defining both a client and server default domain with the same attributes
    * crl_check_all - check all files in the 'crl_dir'
    * crl_dir - path to directory containing Certificate Revocation Lists

c) Both DB and script domains can be defined at the same time, but they should be seen as different sets of domains, so you should set a modparam only for a script-defined domain.

The blob database fields indeed should contain the contents of the certificates.

Regards,

Vlad Patrascu
OpenSIPS Developer
http://www.opensips-solutions.com

On 08/01/2018 06:55 PM, John Quick wrote:
Hi Bogdan,

Thanks for your response to my earlier query.
I’m now trying to convert from modparam based definitions to provisioning
certs from the DB.
I cannot find a published example of a populated DB record in the tls_mgm
table.
Furthermore, the online documentation has gaps regarding DB Provisioning and
it also contains this error:
Section 1.7.14 describes a parameter db_mode, but if you try adding this it
generates an error "parameter <db_mode> not found in module"

Can you please help with an example record or at least answer these
questions:
a) What to put in the 'domain' field if I only want to set up one default
domain. Should it be "default"?
b) What are the following fields? I am not sure what they should contain:
'address', 'type', 'crl_check_all', 'crl_dir'
c) How does provisioning from DB interact with provisioning from static
modparam values?
I got errors when I commented out modparam statements for "certificate" and
"private_key" because the module was still looking for the "default" files,
even though I am now provisioning from the DB. This means there is now
ambiguity - certificates are defined both in files in modparam and also in
blob fields in the DB.

I assume the blob fields 'certificate', 'private_key' and 'ca_list' must
contain the contents of the certificate, not the path to the file.
This means I'll need to write a script to copy these data from the renewed
LetsEncrypt certificates before issuing the MI reload command.

By the way, the online module documentation for tls_mgm has a duplicate
section - 1.7.18 is the same as 1.7.19

John Quick
Smartvox Limited
Bogdan-Andrei Iancu bogdan at opensips.org
Thu Jul 26 07:56:18 EDT 2018
Hi John,

When the cert is configured via modparam, the cert is loaded on
startup by OpenSIPS, so any renewal of the cert will have 0 impact on
OpenSIPS - so you will have to restart after each renewal.

I suggest you to provision the certs via DB (and not script), so you can
do a reload after renewal, with any need to restart opensips.

Regards,
Bogdan-Andrei Iancu
_______________________________________________
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
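
An added example, not part of the original thread and not OpenSIPS code: a sketch of the renewal script discussed above, writing PEM contents (not file paths) into a tls_mgm row. Assumptions: an in-memory SQLite table stands in for the real database, the schema is reduced to the columns named in this thread with `domain` as an assumed key, and the domain name, address and PEM bodies are constructed placeholders.

```python
import sqlite3

# 'type' values as given in the reply: 1 = client, 2 = server, 0 = both.
TLS_TYPES = {"both": 0, "client": 1, "server": 2}

# Assumed, reduced schema: only the columns named in this thread.
SCHEMA = """CREATE TABLE tls_mgm (
    domain TEXT PRIMARY KEY, address TEXT, type INTEGER,
    certificate BLOB, private_key BLOB, ca_list BLOB,
    crl_check_all INTEGER, crl_dir TEXT)"""

def check_pem(field, data, marker):
    """Return data if it is PEM contents; reject paths and truncated input."""
    lines = data.decode("ascii").strip().splitlines()
    if (len(lines) < 3 or not lines[0].startswith("-----BEGIN ")
            or marker not in lines[0] or not lines[-1].startswith("-----END ")):
        raise ValueError(f"{field}: expected PEM contents, not {data[:30]!r}")
    return data

def upsert_domain(db, domain, address, tls_type, cert, key, ca_list,
                  crl_check_all=0, crl_dir=None):
    """Write one TLS domain row; all blobs are validated before any write."""
    row = (domain, address, TLS_TYPES[tls_type],
           check_pem("certificate", cert, "CERTIFICATE"),
           check_pem("private_key", key, "PRIVATE KEY"),
           check_pem("ca_list", ca_list, "CERTIFICATE"),
           crl_check_all, crl_dir)
    with db:  # single transaction: the row is replaced atomically
        db.execute("INSERT OR REPLACE INTO tls_mgm VALUES (?,?,?,?,?,?,?,?)", row)

def fake_pem(label):
    """Constructed placeholder with PEM framing; not a real certificate or key."""
    return f"-----BEGIN {label}-----\nQ09OU1RSVUNURUQ=\n-----END {label}-----\n".encode()

def demo():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    # In a renewal hook these bytes would be read from the renewed files.
    upsert_domain(db, "dom1", "192.0.2.10:5061", "server",
                  fake_pem("CERTIFICATE"), fake_pem("PRIVATE KEY"),
                  fake_pem("CERTIFICATE"))
    return db

if __name__ == "__main__":
    print(demo().execute("SELECT domain, address, type FROM tls_mgm").fetchall())
```

With DB provisioning the private key lives in the table, so access to tls_mgm needs the same protection the key file had. The MI reload command would be issued only after this write succeeds.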
