21 Nov
2024
21 Nov
'24
8:42 p.m.
Make sure you are using a config FILE for the TLS-config, and not setting
the params directly in the KAMAILIO-CONFIG-FILE.
Specifically this:
$ cat tls.cfg
#
# Kamailio TLS Configuration File
#
# This is the default server domain, settings
# in this domain will be used for all incoming
# connections that do not match any other server
# domain in this configuration file.
#
[server:default]
method = TLSv1+
private_key = ...
certificate = ...
ca_list = ...
...
...
And then in kamailio.cfg:
modparam("tls", "config", "/etc/kamailio/tls.cfg")
Then you should be able to do `tls.reload` ...
Do no set the certificate config inside the kamailio.cfg config, that's the
bottom line.
Joel.
On Wed, Nov 20, 2024 at 11:47 AM Sergiu Pojoga via sr-users <
sr-users(a)lists.kamailio.org> wrote:
Looks like a cert file permissions issue.
On Wed, Nov 20, 2024 at 1:35 PM Yuriy Nasida via sr-users <
sr-users(a)lists.kamailio.org> wrote:
Hello,
I am using letsencrypt cert and key and do not want to restart kamailio
every 3 months to load new ones.
I know that there is: kamcmd tls.reload method but it has an error for
me.
error: 500 - Error while fixing TLS configuration (consult server log)
I am checking the logs and see:
kamailio[3865480]: INFO: tls [tls_domain.c:345]: ksr_tls_fill_missing():
TLSs<default>: tls_method=3
kamailio[3865480]: INFO: tls [tls_domain.c:357]: ksr_tls_fill_missing():
TLSs<default>: certificate='/etc/kamailio/certs/my_cert.crt'
kamailio[3865480]: INFO: tls [tls_domain.c:364]: ksr_tls_fill_missing():
TLSs<default>: ca_list='(null)'
kamailio[3865480]: INFO: tls [tls_domain.c:371]: ksr_tls_fill_missing():
TLSs<default>: ca_path='(null)'
kamailio[3865480]: INFO: tls [tls_domain.c:378]: ksr_tls_fill_missing():
TLSs<default>: crl='(null)'
kamailio[3865480]: INFO: tls [tls_domain.c:382]: ksr_tls_fill_missing():
TLSs<default>: require_certificate=0
kamailio[3865480]: INFO: tls [tls_domain.c:390]: ksr_tls_fill_missing():
TLSs<default>: cipher_list='(null)'
kamailio[3865480]: INFO: tls [tls_domain.c:397]: ksr_tls_fill_missing():
TLSs<default>: private_key='/etc/kamailio/certs/private.key'
kamailio[3865480]: INFO: tls [tls_domain.c:401]: ksr_tls_fill_missing():
TLSs<default>: verify_certificate=0
kamailio[3865480]: INFO: tls [tls_domain.c:406]: ksr_tls_fill_missing():
TLSs<default>: verify_depth=9
kamailio[3865480]: INFO: tls [tls_domain.c:410]: ksr_tls_fill_missing():
TLSs<default>: verify_client=0
kamailio[3865480]: NOTICE: tls [tls_domain.c:1168]: ksr_tls_fix_domain():
registered server_name callback handler for socket [:0],
server_name='<default>' ...
kamailio[3865480]: ERROR: tls [tls_domain.c:590]: load_cert():
TLSs<default>: Unable to load certificate file
'/etc/kamailio/certs/my_cert.crt'
kamailio[3865480]: ERROR: tls [tls_util.h:49]: tls_err_ret():
load_cert:error:03000072:digital envelope routines::decode error (sni:
unknown)
kamailio[3865480]: ERROR: tls [tls_util.h:49]: tls_err_ret():
load_cert:error:0A00018F:SSL routines::ee key too small (sni: unknown)
Any advice ?
It's interesting that there are not any errors in case I restart
kamailio. I can make TLS calls without problems.
deb 12.5
version: kamailio 5.7.4 (x86_64/linux)
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions --
sr-users(a)lists.kamailio.org
To unsubscribe send an email to sr-users-leave(a)lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to
the sender!
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions --
sr-users(a)lists.kamailio.org
To unsubscribe send an email to sr-users-leave(a)lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to
the sender!