Same vanilla version of `ca-certificates`:
```
root@ip-172-31-22-12:~# dpkg -l |grep ca-cert
ii ca-certificates 20230311 all Common CA certificates
```
and just to verify the same number of certs:
```
root@ip-172-31-22-12:~# ls -l /etc/ssl/certs/|wc -l
282
root@ip-172-31-22-12:~# ls -l /etc/ssl/certs/*.crt|wc -l
1
root@ip-172-31-22-12:~# ls -l /etc/ssl/certs/*.pem|wc -l
140
root@ip-172-31-22-12:~# find /etc/ssl/certs/ -mindepth 1 -not -name '*.crt' -and -not -name '*.pem' |wc -l
140
```
private_key and certificate are files instead of links in my case. the cert is a static self-signed cert, it has not been changed since initial install.
the error is consistent on `tls.reload`:
```
Feb 2 13:50:59 ip-172-31-22-12 /usr/sbin/kamailio[34076]: INFO: tls [tls_domain.c:345]: ksr_tls_fill_missing(): TLSs<default>: tls_method=25
Feb 2 13:50:59 ip-172-31-22-12 /usr/sbin/kamailio[34076]: INFO: tls [tls_domain.c:357]: ksr_tls_fill_missing(): TLSs<default>: certificate='/etc/dsiprouter/certs/dsiprouter-cert.pem'
Feb 2 13:50:59 ip-172-31-22-12 /usr/sbin/kamailio[34076]: INFO: tls [tls_domain.c:364]: ksr_tls_fill_missing(): TLSs<default>: ca_list='/etc/dsiprouter/certs/ca-list.pem'
Feb 2 13:50:59 ip-172-31-22-12 /usr/sbin/kamailio[34076]: INFO: tls [tls_domain.c:371]: ksr_tls_fill_missing(): TLSs<default>: ca_path='/etc/dsiprouter/certs/ca'
Feb 2 13:50:59 ip-172-31-22-12 /usr/sbin/kamailio[34076]: INFO: tls [tls_domain.c:378]: ksr_tls_fill_missing(): TLSs<default>: crl='(null)'
Feb 2 13:50:59 ip-172-31-22-12 /usr/sbin/kamailio[34076]: INFO: tls [tls_domain.c:382]: ksr_tls_fill_missing(): TLSs<default>: require_certificate=1
Feb 2 13:50:59 ip-172-31-22-12 /usr/sbin/kamailio[34076]: INFO: tls [tls_domain.c:390]: ksr_tls_fill_missing(): TLSs<default>: cipher_list='(null)'
Feb 2 13:50:59 ip-172-31-22-12 /usr/sbin/kamailio[34076]: INFO: tls [tls_domain.c:397]: ksr_tls_fill_missing(): TLSs<default>: private_key='/etc/dsiprouter/certs/dsiprouter-key.pem'
Feb 2 13:50:59 ip-172-31-22-12 /usr/sbin/kamailio[34076]: INFO: tls [tls_domain.c:401]: ksr_tls_fill_missing(): TLSs<default>: verify_certificate=1
Feb 2 13:50:59 ip-172-31-22-12 /usr/sbin/kamailio[34076]: INFO: tls [tls_domain.c:406]: ksr_tls_fill_missing(): TLSs<default>: verify_depth=9
Feb 2 13:50:59 ip-172-31-22-12 /usr/sbin/kamailio[34076]: INFO: tls [tls_domain.c:410]: ksr_tls_fill_missing(): TLSs<default>: verify_client=0
Feb 2 13:50:59 ip-172-31-22-12 /usr/sbin/kamailio[34076]: NOTICE: tls [tls_domain.c:1168]: ksr_tls_fix_domain(): registered server_name callback handler for socket [:0], server_name='<default>'
...
Feb 2 13:50:59 ip-172-31-22-12 /usr/sbin/kamailio[34076]: ERROR: tls [tls_domain.c:590]: load_cert(): TLSs<default>: Unable to load certificate file '/etc/dsiprouter/certs/dsiprouter-cert.pem'
Feb 2 13:50:59 ip-172-31-22-12 /usr/sbin/kamailio[34076]: ERROR: tls [tls_util.h:49]: tls_err_ret(): load_cert:error:03000072:digital envelope routines::decode error (sni: unknown)
Feb 2 13:50:59 ip-172-31-22-12 /usr/sbin/kamailio[34076]: ERROR: tls [tls_util.h:49]: tls_err_ret(): load_cert:error:0A00018F:SSL routines::ee key too small (sni: unknown)
```
the `tls.reload` error occurs whether kamailio is run as non-root system user or as root user. it is definitely not permissions.
what version of openssl are you on?
```
root@ip-172-31-22-12:~# openssl version
OpenSSL 3.0.11 19 Sep 2023 (Library: OpenSSL 3.0.11 19 Sep 2023)
```