Hi, Sharad!

Only the server's certificate should be generated by Let's Encrypt. All the client's certificates should be generated by you and signed with the Let's Encrypt certificate. If you want your clients to have their own Let's Encrypt certificate, you'll have to put the Let's Encrypt certificates in the Certificate Authority fields "ca_list" and/or "ca_dir" parameters.

Best regards,
Răzvan

On 2/22/20 4:33 AM, Sharad Kumar via Users wrote:
Hey guys,

I am struggling to make OpenSIPS 3 work with TLS. I tried various different ways to make this work but keep getting the same errors. SSL certs are generated via Let's Encrypt. Here is my config for the tls_mgm module:



#### TLS Management Module
loadmodule "tls_mgm.so"
# Server definition
modparam("tls_mgm", "server_domain", "voip.securevoip.io")
modparam("tls_mgm", "match_ip_address", "[voip.securevoip.io]155.138.204.212:5061")
modparam("tls_mgm", "match_sip_domain", "[voip.securevoip.io]*")
modparam("tls_mgm", "ca_dir", "[voip.securevoip.io]/usr/local/etc/opensips/tls/")
modparam("tls_mgm", "verify_cert", "[voip.securevoip.io]1")
modparam("tls_mgm", "require_cert", "[voip.securevoip.io]1")
modparam("tls_mgm", "tls_method", "[voip.securevoip.io]TLSv1_2")
modparam("tls_mgm", "certificate", "[voip.securevoip.io]/usr/local/etc/opensips/tls/cert.pem")
modparam("tls_mgm", "private_key", "[voip.securevoip.io]/usr/local/etc/opensips/tls/privkey.pem")
modparam("tls_mgm", "ca_list", "[voip.securevoip.io]/usr/local/etc/opensips/tls/fullchain.pem")
modparam("tls_mgm", "tls_handshake_timeout", 300)
# Client domain definition
modparam("tls_mgm", "client_domain", "securevoip.io")
modparam("tls_mgm", "match_ip_address", "[securevoip.io]*")
modparam("tls_mgm", "match_sip_domain", "[securevoip.io]*")
modparam("tls_mgm", "ca_dir", "[securevoip.io]/usr/local/etc/opensips/tls/")
modparam("tls_mgm", "verify_cert", "[securevoip.io]1")
modparam("tls_mgm", "require_cert", "[securevoip.io]1")
modparam("tls_mgm", "tls_method", "[securevoip.io]TLSv1_2")
modparam("tls_mgm", "certificate", "[securevoip.io]/usr/local/etc/opensips/tls/cert.pem")
modparam("tls_mgm", "private_key", "[securevoip.io]/usr/local/etc/opensips/tls/privkey.pem")

I am getting these errors:
Feb 22 02:25:26 opensips3-SBC /usr/local/sbin/opensips[1538]: NOTICE:tls_mgm:verify_callback: depth = 1, verify failure
Feb 22 02:25:26 opensips3-SBC /usr/local/sbin/opensips[1538]: NOTICE:tls_mgm:verify_callback: subject = /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=Microsoft IT/CN=Microsoft IT TLS CA 4
Feb 22 02:25:26 opensips3-SBC /usr/local/sbin/opensips[1538]: NOTICE:tls_mgm:verify_callback: issuer  = /C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
Feb 22 02:25:26 opensips3-SBC /usr/local/sbin/opensips[1538]: NOTICE:tls_mgm:verify_callback: verify error: unable to get local issuer certificate [error=20]
Feb 22 02:25:26 opensips3-SBC /usr/local/sbin/opensips[1538]: ERROR:proto_tls:tls_connect: New TLS connection to 52.114.132.46:5061 failed
Feb 22 02:25:26 opensips3-SBC /usr/local/sbin/opensips[1538]: ERROR:proto_tls:tls_connect: TLS error: 1 (ret=-1) err=Success(0)
Feb 22 02:25:26 opensips3-SBC /usr/local/sbin/opensips[1538]: ERROR:proto_tls:tls_print_errstack: TLS errstack: error:1416F086:SSL routines:tls_process_server_certificate:certificate verif

I would really appreciate it if someone could help me out here.

Thank you

_______________________________________________
Users mailing list
[email protected]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users


--
Răzvan Crainea
OpenSIPS Core Developer
  http://www.opensips-solutions.com
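
Added example (not part of the original thread and not OpenSIPS code): a Python triage helper for the tls_mgm verify_callback lines quoted above. It groups the lines per worker PID into one record per failed verification and lists the issuer DNs that were not found in the configured ca_list/ca_dir (X509 verify error 20). Function names are hypothetical; the sample input is copied from the log in this thread.

```python
import re

# Sample input: lines copied from the log quoted in this thread.
P = "Feb 22 02:25:26 opensips3-SBC /usr/local/sbin/opensips[1538]: "
SAMPLE_LOG = "\n".join(P + s for s in [
    "NOTICE:tls_mgm:verify_callback: depth = 1, verify failure",
    "NOTICE:tls_mgm:verify_callback: subject = /C=US/ST=Washington/L=Redmond"
    "/O=Microsoft Corporation/OU=Microsoft IT/CN=Microsoft IT TLS CA 4",
    "NOTICE:tls_mgm:verify_callback: issuer  = /C=IE/O=Baltimore/OU=CyberTrust"
    "/CN=Baltimore CyberTrust Root",
    "NOTICE:tls_mgm:verify_callback: verify error: unable to get local issuer certificate [error=20]",
    "ERROR:proto_tls:tls_connect: New TLS connection to 52.114.132.46:5061 failed",
])

LINE = re.compile(r"opensips\[(\d+)\]: (\w+):(\w+):(\w+): (.*)$")
DEPTH = re.compile(r"depth = (\d+), verify failure")
NAME = re.compile(r"(subject|issuer)\s*=\s*(/.+)")
ERROR = re.compile(r"verify error: (.+?) \[error=(\d+)\]")
PEER = re.compile(r"New TLS connection to (\S+) failed")

def parse_verify_failures(log_text):
    """Return one dict per failed verification, tracked per worker PID."""
    failures, open_by_pid = [], {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, func, body = m.group(1), m.group(4), m.group(5).strip()
        if func == "verify_callback" and (d := DEPTH.match(body)):
            open_by_pid[pid] = {"pid": int(pid), "depth": int(d.group(1))}
            failures.append(open_by_pid[pid])
        elif pid not in open_by_pid:
            continue  # detail line without a preceding "verify failure"
        elif n := NAME.match(body):
            open_by_pid[pid][n.group(1)] = n.group(2).strip()
        elif e := ERROR.match(body):
            open_by_pid[pid].update(reason=e.group(1), code=int(e.group(2)))
        elif func == "tls_connect" and (p := PEER.match(body)):
            open_by_pid.pop(pid)["peer"] = p.group(1)  # closes the record
    return failures

def missing_issuers(failures):
    """Issuer DNs the trust store lacked (X509 verify error 20)."""
    return sorted({f["issuer"] for f in failures
                   if f.get("code") == 20 and "issuer" in f})

if __name__ == "__main__":
    for f in parse_verify_failures(SAMPLE_LOG):
        print(f.get("peer"), f["depth"], f.get("reason"), f.get("issuer"))
```
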
