Hello,
I am using a letsencrypt cert and key and do not want to restart kamailio every 3 months to load new ones. I know that there is the `kamcmd tls.reload` method, but it has an error for me:

```
error: 500 - Error while fixing TLS configuration (consult server log)
```
I am checking the logs and see:
```
kamailio[3865480]: INFO: tls [tls_domain.c:345]: ksr_tls_fill_missing(): TLSs<default>: tls_method=3
kamailio[3865480]: INFO: tls [tls_domain.c:357]: ksr_tls_fill_missing(): TLSs<default>: certificate='/etc/kamailio/certs/my_cert.crt'
kamailio[3865480]: INFO: tls [tls_domain.c:364]: ksr_tls_fill_missing(): TLSs<default>: ca_list='(null)'
kamailio[3865480]: INFO: tls [tls_domain.c:371]: ksr_tls_fill_missing(): TLSs<default>: ca_path='(null)'
kamailio[3865480]: INFO: tls [tls_domain.c:378]: ksr_tls_fill_missing(): TLSs<default>: crl='(null)'
kamailio[3865480]: INFO: tls [tls_domain.c:382]: ksr_tls_fill_missing(): TLSs<default>: require_certificate=0
kamailio[3865480]: INFO: tls [tls_domain.c:390]: ksr_tls_fill_missing(): TLSs<default>: cipher_list='(null)'
kamailio[3865480]: INFO: tls [tls_domain.c:397]: ksr_tls_fill_missing(): TLSs<default>: private_key='/etc/kamailio/certs/private.key'
kamailio[3865480]: INFO: tls [tls_domain.c:401]: ksr_tls_fill_missing(): TLSs<default>: verify_certificate=0
kamailio[3865480]: INFO: tls [tls_domain.c:406]: ksr_tls_fill_missing(): TLSs<default>: verify_depth=9
kamailio[3865480]: INFO: tls [tls_domain.c:410]: ksr_tls_fill_missing(): TLSs<default>: verify_client=0
kamailio[3865480]: NOTICE: tls [tls_domain.c:1168]: ksr_tls_fix_domain(): registered server_name callback handler for socket [:0], server_name='<default>'
...
kamailio[3865480]: ERROR: tls [tls_domain.c:590]: load_cert(): TLSs<default>: Unable to load certificate file '/etc/kamailio/certs/my_cert.crt'
kamailio[3865480]: ERROR: tls [tls_util.h:49]: tls_err_ret(): load_cert:error:03000072:digital envelope routines::decode error (sni: unknown)
kamailio[3865480]: ERROR: tls [tls_util.h:49]: tls_err_ret(): load_cert:error:0A00018F:SSL routines::ee key too small (sni: unknown)
```

Any advice?
It's interesting that there are not any TLS errors in case I restart kamailio. I can make TLS calls without problems.
deb 12.5 version: kamailio 5.7.4 (x86_64/linux)
Similar was reported a while ago - [see the discussion and the conclusion](https://github.com/kamailio/kamailio/issues/3737#issuecomment-1924041295).
Thank you for the answer @miconda
I tried to fix it in a similar way and modified /etc/ssl/openssl.cnf like they did.

```
[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
```
But as the result I see errors like this:

```
systemctl restart kamailio
systemctl status kamailio

kamailio[5569]: CRITICAL: <core> [core/pass_fd.c:281]: receive_fd(): EOF on 71
kamailio[5569]: CRITICAL: <core> [core/pass_fd.c:281]: receive_fd(): EOF on 55
kamailio[5569]: CRITICAL: <core> [core/pass_fd.c:281]: receive_fd(): EOF on 46
```
Kamailio begins to work again in case I roll back the changes in openssl.cnf.
Please advise.
Thank you @miconda. This workaround works well!
This issue is stale because it has been open 6 weeks with no activity. Remove stale label or comment or this will be closed in 2 weeks.
Closed #4033 as completed.