Hello Kamailio Community,
I’ve been troubleshooting an issue with Kamailio where the TLS listener fails to bind to any specified ports (5061, 10061, etc.), despite valid configurations and certificates. Here’s a summary of my setup and steps taken:
1.
*Environment Details*: -
Kamailio version: 5.7.4 -
OpenSSL version: 3.0.13 -
Operating System: Ubuntu (Noble Release) -
TLS module (tls.so) is installed and loaded. 2.
*Issue Details*: -
Configurations validate successfully (config file ok). -
OpenSSL works perfectly when testing certificates and keys with s_server, binding to ports (5061 and others). -
Kamailio fails to bind TLS listeners (ss -tulnp shows no activity on the specified ports). 3.
*Steps Already Taken*: -
Simplified TLS configuration (minimal_tls.cfg) with: plaintext
listen=tls:10.14.202.39:5061 loadmodule "tls.so" modparam("tls", "certificate", "/home/localtech/vicissl/868a963bc33d5eae.crt") modparam("tls", "private_key", "/home/localtech/vicissl/private.key")
-
Tested multiple ports (5061, 10061, 15061). -
Checked firewall settings (iptables) and confirmed no restrictions. -
Rebuilt Kamailio from source and ensured TLS modules are linked to OpenSSL. -
Ran Kamailio with maximum debugging (-ddd) to examine logs—no binding-related errors appeared. 4.
*Log Excerpts*: (Attach relevant logs showing TLS initialization or lack of binding activity.) 5.
*Question*: What additional steps or configurations should I explore to resolve this issue? Could this be a compatibility problem between Kamailio 5.7.4 and OpenSSL 3.0.13?
Any guidance or insights would be greatly appreciated!
Best regards, Steven Muchwe Njoroge
Hi Steven
I have not observed that issue on any of my installs it always worked more or less out of the box (after some fiddling because initially Let's encrypts CA cert was missing in the system cert list). Replace path and ip addresses with whatever you use and make sure the permissions are right.
I use the full chain as certificate. Client mode with validation needs access to the root certs and needs to contain the CA which issued the remote certificate.
listen = tls:[x:x:x:x:x:x:x:x]:5061 listen = tls:x.x.x.x:5061
[server:default] method = TLSv1.2+ verify_certificate = no require_certificate = no private_key = /[letsencrypt-store]/[domain]/privkey.pem certificate = /[letsencrypt-store]/[domain]/fullchain.pem
[client:default] #method = TLSv1.2+ verify_certificate = yes require_certificate = yes private_key = /[letsencrypt-store]/[domain]/privkey.pem certificate = /[letsencrypt-store]/[domain]/fullchain.pem ca_list = /etc/ssl/certs/ca-certificates.crt
does netstat -anp (assuming linux) show port 5061 listening?
Mit freundlichen Grüssen
-Benoît Panizzon-
Can you provide the actual error when trying to bind? Increase debug
Regards,
David Villasmil
email: david.villasmil.work@gmail.com
On Mon, Apr 28, 2025 at 9:26 AM Benoit Panizzon via sr-users < sr-users@lists.kamailio.org> wrote:
Hi Steven
I have not observed that issue on any of my installs it always worked more or less out of the box (after some fiddling because initially Let's encrypts CA cert was missing in the system cert list). Replace path and ip addresses with whatever you use and make sure the permissions are right.
I use the full chain as certificate. Client mode with validation needs access to the root certs and needs to contain the CA which issued the remote certificate.
listen = tls:[x:x:x:x:x:x:x:x]:5061 listen = tls:x.x.x.x:5061
[server:default] method = TLSv1.2+ verify_certificate = no require_certificate = no private_key = /[letsencrypt-store]/[domain]/privkey.pem certificate = /[letsencrypt-store]/[domain]/fullchain.pem
[client:default] #method = TLSv1.2+ verify_certificate = yes require_certificate = yes private_key = /[letsencrypt-store]/[domain]/privkey.pem certificate = /[letsencrypt-store]/[domain]/fullchain.pem ca_list = /etc/ssl/certs/ca-certificates.crt
does netstat -anp (assuming linux) show port 5061 listening?
Mit freundlichen Grüssen
-Benoît Panizzon-
I m p r o W a r e A G - Leiter Commerce Kunden ______________________________________________________
Zurlindenstrasse 29 https://www.google.com/maps/search/Zurlindenstrasse+29?entry=gmail&source=g Tel +41 61 826 93 00 CH-4133 Pratteln Fax +41 61 826 93 01 Schweiz Web http://www.imp.ch ______________________________________________________ __________________________________________________________ Kamailio - Users Mailing List - Non Commercial Discussions -- sr-users@lists.kamailio.org To unsubscribe send an email to sr-users-leave@lists.kamailio.org Important: keep the mailing list in the recipients, do not reply only to the sender!
Hello, David,
managed to get the bind to work,but am struggling with proto_ws.so WebSocket config
do we have a forum where i can join
Regards, Steve
On Mon, Apr 28, 2025 at 11:34 PM David Villasmil < david.villasmil.work@gmail.com> wrote:
Can you provide the actual error when trying to bind? Increase debug
Regards,
David Villasmil
email: david.villasmil.work@gmail.com
On Mon, Apr 28, 2025 at 9:26 AM Benoit Panizzon via sr-users < sr-users@lists.kamailio.org> wrote:
Hi Steven
I have not observed that issue on any of my installs it always worked more or less out of the box (after some fiddling because initially Let's encrypts CA cert was missing in the system cert list). Replace path and ip addresses with whatever you use and make sure the permissions are right.
I use the full chain as certificate. Client mode with validation needs access to the root certs and needs to contain the CA which issued the remote certificate.
listen = tls:[x:x:x:x:x:x:x:x]:5061 listen = tls:x.x.x.x:5061
[server:default] method = TLSv1.2+ verify_certificate = no require_certificate = no private_key = /[letsencrypt-store]/[domain]/privkey.pem certificate = /[letsencrypt-store]/[domain]/fullchain.pem
[client:default] #method = TLSv1.2+ verify_certificate = yes require_certificate = yes private_key = /[letsencrypt-store]/[domain]/privkey.pem certificate = /[letsencrypt-store]/[domain]/fullchain.pem ca_list = /etc/ssl/certs/ca-certificates.crt
does netstat -anp (assuming linux) show port 5061 listening?
Mit freundlichen Grüssen
-Benoît Panizzon-
I m p r o W a r e A G - Leiter Commerce Kunden ______________________________________________________
Zurlindenstrasse 29 https://www.google.com/maps/search/Zurlindenstrasse+29?entry=gmail&source=g Tel +41 61 826 93 00 CH-4133 Pratteln Fax +41 61 826 93 01 Schweiz Web http://www.imp.ch ______________________________________________________ __________________________________________________________ Kamailio - Users Mailing List - Non Commercial Discussions -- sr-users@lists.kamailio.org To unsubscribe send an email to sr-users-leave@lists.kamailio.org Important: keep the mailing list in the recipients, do not reply only to the sender!
There’s a slack workspace, lots of people there
Regards,
David Villasmil email: david.villasmil.work@gmail.com
On Tue, Apr 29, 2025 at 3:08 PM steven.muchwe stevenmuchwe@gmail.com wrote:
Hello, David,
managed to get the bind to work,but am struggling with proto_ws.so WebSocket config
do we have a forum where i can join
Regards, Steve
On Mon, Apr 28, 2025 at 11:34 PM David Villasmil < david.villasmil.work@gmail.com> wrote:
Can you provide the actual error when trying to bind? Increase debug
Regards,
David Villasmil
email: david.villasmil.work@gmail.com
On Mon, Apr 28, 2025 at 9:26 AM Benoit Panizzon via sr-users < sr-users@lists.kamailio.org> wrote:
Hi Steven
I have not observed that issue on any of my installs it always worked more or less out of the box (after some fiddling because initially Let's encrypts CA cert was missing in the system cert list). Replace path and ip addresses with whatever you use and make sure the permissions are right.
I use the full chain as certificate. Client mode with validation needs access to the root certs and needs to contain the CA which issued the remote certificate.
listen = tls:[x:x:x:x:x:x:x:x]:5061 listen = tls:x.x.x.x:5061
[server:default] method = TLSv1.2+ verify_certificate = no require_certificate = no private_key = /[letsencrypt-store]/[domain]/privkey.pem certificate = /[letsencrypt-store]/[domain]/fullchain.pem
[client:default] #method = TLSv1.2+ verify_certificate = yes require_certificate = yes private_key = /[letsencrypt-store]/[domain]/privkey.pem certificate = /[letsencrypt-store]/[domain]/fullchain.pem ca_list = /etc/ssl/certs/ca-certificates.crt
does netstat -anp (assuming linux) show port 5061 listening?
Mit freundlichen Grüssen
-Benoît Panizzon-
I m p r o W a r e A G - Leiter Commerce Kunden ______________________________________________________
Zurlindenstrasse 29 https://www.google.com/maps/search/Zurlindenstrasse+29?entry=gmail&source=g Tel +41 61 826 93 00 CH-4133 Pratteln Fax +41 61 826 93 01 Schweiz Web http://www.imp.ch ______________________________________________________ __________________________________________________________ Kamailio - Users Mailing List - Non Commercial Discussions -- sr-users@lists.kamailio.org To unsubscribe send an email to sr-users-leave@lists.kamailio.org Important: keep the mailing list in the recipients, do not reply only to the sender!
We do have a dedicated matrix node:
https://matrix.to/#/#kamailio:matrix.kamailio.dev https://matrix.to/#/%23kamailio:matrix.kamailio.dev
It’s fairly active and also friendly.
Fred Posner Tel: +1 (352) 664-3733 Alt: +1 (224) 334-3733
Contact info at https://fredp.xyz
On Apr 29, 2025, at 9:57 AM, David Villasmil via sr-users sr-users@lists.kamailio.org wrote:
There’s a slack workspace, lots of people there
Regards,
David Villasmil email: david.villasmil.work@gmail.com
On Tue, Apr 29, 2025 at 3:08 PM steven.muchwe stevenmuchwe@gmail.com wrote: Hello, David,
managed to get the bind to work,but am struggling with proto_ws.so WebSocket config
do we have a forum where i can join
Regards, Steve
On Mon, Apr 28, 2025 at 11:34 PM David Villasmil david.villasmil.work@gmail.com wrote: Can you provide the actual error when trying to bind? Increase debug
Regards,
David Villasmil
email: david.villasmil.work@gmail.com
On Mon, Apr 28, 2025 at 9:26 AM Benoit Panizzon via sr-users sr-users@lists.kamailio.org wrote: Hi Steven
I have not observed that issue on any of my installs it always worked more or less out of the box (after some fiddling because initially Let's encrypts CA cert was missing in the system cert list). Replace path and ip addresses with whatever you use and make sure the permissions are right.
I use the full chain as certificate. Client mode with validation needs access to the root certs and needs to contain the CA which issued the remote certificate.
listen = tls:[x:x:x:x:x:x:x:x]:5061 listen = tls:x.x.x.x:5061
[server:default] method = TLSv1.2+ verify_certificate = no require_certificate = no private_key = /[letsencrypt-store]/[domain]/privkey.pem certificate = /[letsencrypt-store]/[domain]/fullchain.pem
[client:default] #method = TLSv1.2+ verify_certificate = yes require_certificate = yes private_key = /[letsencrypt-store]/[domain]/privkey.pem certificate = /[letsencrypt-store]/[domain]/fullchain.pem ca_list = /etc/ssl/certs/ca-certificates.crt
does netstat -anp (assuming linux) show port 5061 listening?
Mit freundlichen Grüssen
-Benoît Panizzon-
I m p r o W a r e A G - Leiter Commerce Kunden ______________________________________________________
Zurlindenstrasse 29 Tel +41 61 826 93 00 CH-4133 Pratteln Fax +41 61 826 93 01 Schweiz Web http://www.imp.ch ______________________________________________________ __________________________________________________________ Kamailio - Users Mailing List - Non Commercial Discussions -- sr-users@lists.kamailio.org To unsubscribe send an email to sr-users-leave@lists.kamailio.org Important: keep the mailing list in the recipients, do not reply only to the sender! __________________________________________________________ Kamailio - Users Mailing List - Non Commercial Discussions -- sr-users@lists.kamailio.org To unsubscribe send an email to sr-users-leave@lists.kamailio.org Important: keep the mailing list in the recipients, do not reply only to the sender!
Awesome, thanks for the info!
On Tue, Apr 29, 2025 at 5:11 PM Fred Posner fred@pgpx.io wrote:
We do have a dedicated matrix node:
https://matrix.to/#/#kamailio:matrix.kamailio.dev < https://matrix.to/#/%23kamailio:matrix.kamailio.dev%3E
It’s fairly active and also friendly.
Fred Posner Tel: +1 (352) 664-3733 Alt: +1 (224) 334-3733
Contact info at https://fredp.xyz
On Apr 29, 2025, at 9:57 AM, David Villasmil via sr-users <
sr-users@lists.kamailio.org> wrote:
There’s a slack workspace, lots of people there
Regards,
David Villasmil email: david.villasmil.work@gmail.com
On Tue, Apr 29, 2025 at 3:08 PM steven.muchwe stevenmuchwe@gmail.com
wrote:
Hello, David,
managed to get the bind to work,but am struggling with proto_ws.so
WebSocket config
do we have a forum where i can join
Regards, Steve
On Mon, Apr 28, 2025 at 11:34 PM David Villasmil <
david.villasmil.work@gmail.com> wrote:
Can you provide the actual error when trying to bind? Increase debug
Regards,
David Villasmil
email: david.villasmil.work@gmail.com
On Mon, Apr 28, 2025 at 9:26 AM Benoit Panizzon via sr-users <
sr-users@lists.kamailio.org> wrote:
Hi Steven
I have not observed that issue on any of my installs it always worked more or less out of the box (after some fiddling because initially Let's encrypts CA cert was missing in the system cert list). Replace path and ip addresses with whatever you use and make sure the permissions are right.
I use the full chain as certificate. Client mode with validation needs access to the root certs and needs to contain the CA which issued the remote certificate.
listen = tls:[x:x:x:x:x:x:x:x]:5061 listen = tls:x.x.x.x:5061
[server:default] method = TLSv1.2+ verify_certificate = no require_certificate = no private_key = /[letsencrypt-store]/[domain]/privkey.pem certificate = /[letsencrypt-store]/[domain]/fullchain.pem
[client:default] #method = TLSv1.2+ verify_certificate = yes require_certificate = yes private_key = /[letsencrypt-store]/[domain]/privkey.pem certificate = /[letsencrypt-store]/[domain]/fullchain.pem ca_list = /etc/ssl/certs/ca-certificates.crt
does netstat -anp (assuming linux) show port 5061 listening?
Mit freundlichen Grüssen
-Benoît Panizzon-
I m p r o W a r e A G - Leiter Commerce Kunden ______________________________________________________
Zurlindenstrasse 29 Tel +41 61 826 93 00 CH-4133 Pratteln Fax +41 61 826 93 01 Schweiz Web http://www.imp.ch ______________________________________________________ __________________________________________________________ Kamailio - Users Mailing List - Non Commercial Discussions --
sr-users@lists.kamailio.org
To unsubscribe send an email to sr-users-leave@lists.kamailio.org Important: keep the mailing list in the recipients, do not reply only to
the sender!
Kamailio - Users Mailing List - Non Commercial Discussions --
sr-users@lists.kamailio.org
To unsubscribe send an email to sr-users-leave@lists.kamailio.org Important: keep the mailing list in the recipients, do not reply only to
the sender!
https://slack.com/help/articles/212675257-Join-a-Slack-workspace
Regards,
David Villasmil email: david.villasmil.work@gmail.com
On Tue, Apr 29, 2025 at 4:15 PM steven.muchwe stevenmuchwe@gmail.com wrote:
Awesome, thanks for the info!
On Tue, Apr 29, 2025 at 5:11 PM Fred Posner fred@pgpx.io wrote:
We do have a dedicated matrix node:
https://matrix.to/#/#kamailio:matrix.kamailio.dev < https://matrix.to/#/%23kamailio:matrix.kamailio.dev%3E
It’s fairly active and also friendly.
Fred Posner Tel: +1 (352) 664-3733 Alt: +1 (224) 334-3733
Contact info at https://fredp.xyz
On Apr 29, 2025, at 9:57 AM, David Villasmil via sr-users <
sr-users@lists.kamailio.org> wrote:
There’s a slack workspace, lots of people there
Regards,
David Villasmil email: david.villasmil.work@gmail.com
On Tue, Apr 29, 2025 at 3:08 PM steven.muchwe stevenmuchwe@gmail.com
wrote:
Hello, David,
managed to get the bind to work,but am struggling with proto_ws.so
WebSocket config
do we have a forum where i can join
Regards, Steve
On Mon, Apr 28, 2025 at 11:34 PM David Villasmil <
david.villasmil.work@gmail.com> wrote:
Can you provide the actual error when trying to bind? Increase debug
Regards,
David Villasmil
email: david.villasmil.work@gmail.com
On Mon, Apr 28, 2025 at 9:26 AM Benoit Panizzon via sr-users <
sr-users@lists.kamailio.org> wrote:
Hi Steven
I have not observed that issue on any of my installs it always worked more or less out of the box (after some fiddling because initially Let's encrypts CA cert was missing in the system cert list). Replace path and ip addresses with whatever you use and make sure the permissions are right.
I use the full chain as certificate. Client mode with validation needs access to the root certs and needs to contain the CA which issued the remote certificate.
listen = tls:[x:x:x:x:x:x:x:x]:5061 listen = tls:x.x.x.x:5061
[server:default] method = TLSv1.2+ verify_certificate = no require_certificate = no private_key = /[letsencrypt-store]/[domain]/privkey.pem certificate = /[letsencrypt-store]/[domain]/fullchain.pem
[client:default] #method = TLSv1.2+ verify_certificate = yes require_certificate = yes private_key = /[letsencrypt-store]/[domain]/privkey.pem certificate = /[letsencrypt-store]/[domain]/fullchain.pem ca_list = /etc/ssl/certs/ca-certificates.crt
does netstat -anp (assuming linux) show port 5061 listening?
Mit freundlichen Grüssen
-Benoît Panizzon-
I m p r o W a r e A G - Leiter Commerce Kunden ______________________________________________________
Zurlindenstrasse 29 Tel +41 61 826 93 00 CH-4133 Pratteln Fax +41 61 826 93 01 Schweiz Web http://www.imp.ch ______________________________________________________ __________________________________________________________ Kamailio - Users Mailing List - Non Commercial Discussions --
sr-users@lists.kamailio.org
To unsubscribe send an email to sr-users-leave@lists.kamailio.org Important: keep the mailing list in the recipients, do not reply only
to the sender!
Kamailio - Users Mailing List - Non Commercial Discussions --
sr-users@lists.kamailio.org
To unsubscribe send an email to sr-users-leave@lists.kamailio.org Important: keep the mailing list in the recipients, do not reply only
to the sender!
what do i need to join
On Tue, Apr 29, 2025 at 4:57 PM David Villasmil < david.villasmil.work@gmail.com> wrote:
There’s a slack workspace, lots of people there
Regards,
David Villasmil email: david.villasmil.work@gmail.com
On Tue, Apr 29, 2025 at 3:08 PM steven.muchwe stevenmuchwe@gmail.com wrote:
Hello, David,
managed to get the bind to work,but am struggling with proto_ws.so WebSocket config
do we have a forum where i can join
Regards, Steve
On Mon, Apr 28, 2025 at 11:34 PM David Villasmil < david.villasmil.work@gmail.com> wrote:
Can you provide the actual error when trying to bind? Increase debug
Regards,
David Villasmil
email: david.villasmil.work@gmail.com
On Mon, Apr 28, 2025 at 9:26 AM Benoit Panizzon via sr-users < sr-users@lists.kamailio.org> wrote:
Hi Steven
I have not observed that issue on any of my installs it always worked more or less out of the box (after some fiddling because initially Let's encrypts CA cert was missing in the system cert list). Replace path and ip addresses with whatever you use and make sure the permissions are right.
I use the full chain as certificate. Client mode with validation needs access to the root certs and needs to contain the CA which issued the remote certificate.
listen = tls:[x:x:x:x:x:x:x:x]:5061 listen = tls:x.x.x.x:5061
[server:default] method = TLSv1.2+ verify_certificate = no require_certificate = no private_key = /[letsencrypt-store]/[domain]/privkey.pem certificate = /[letsencrypt-store]/[domain]/fullchain.pem
[client:default] #method = TLSv1.2+ verify_certificate = yes require_certificate = yes private_key = /[letsencrypt-store]/[domain]/privkey.pem certificate = /[letsencrypt-store]/[domain]/fullchain.pem ca_list = /etc/ssl/certs/ca-certificates.crt
does netstat -anp (assuming linux) show port 5061 listening?
Mit freundlichen Grüssen
-Benoît Panizzon-
I m p r o W a r e A G - Leiter Commerce Kunden ______________________________________________________
Zurlindenstrasse 29 https://www.google.com/maps/search/Zurlindenstrasse+29?entry=gmail&source=g Tel +41 61 826 93 00 CH-4133 Pratteln Fax +41 61 826 93 01 Schweiz Web http://www.imp.ch ______________________________________________________ __________________________________________________________ Kamailio - Users Mailing List - Non Commercial Discussions -- sr-users@lists.kamailio.org To unsubscribe send an email to sr-users-leave@lists.kamailio.org Important: keep the mailing list in the recipients, do not reply only to the sender!
-
Benoit Panizzon -
David Villasmil -
Fred Posner -
steven.muchwe