Hello all!
I'm trying to establish TLS connection but getting the following error. Can
anyone point me in the right direction, please?
tls_dump_verification_failure(): verification failure: unable to get local
issuer certificate
Kamailio version is 5.5.1. System runs on CentOS 7.
At the moment tls.cfg configuration file looks like this:
[server:default]
method = TLSv1+
require_certificate = no
verify_certificate = no
private_key = /var/kamailio/certificates/default/server/key.pem
certificate = /var/kamailio/certificates/default/server/cert.pem
ca_list = /var/kamailio/certificates/default/CA/cert.pem
[client:default]
method = TLSv1+
require_certificate = no
verify_certificate = no
private_key = /var/kamailio/certificates/default/server/key.pem
certificate = /var/kamailio/certificates/default/server/cert.pem
ca_list = /var/kamailio/certificates/default/CA/cert.pem
ca_list file contains root and intermediate certificates. Certificate was
issued by Sectigo. It can be successfully verified with OpenSSL tool:
# openssl verify -verbose -CAfile
/var/kamailio/certificates/default/CA/cert.pem
/var/kamailio/certificates/default/server/cert.pem
/var/kamailio/certificates/default/server/cert.pem: OK
Here is a fragment of Kamailio debug output:
May 5 06:51:03 server kamailio[3834]: 5(3844) DEBUG: <core>
[core/tcp_main.c:1993]: tcp_send(): no open tcp connection found, opening
new one
May 5 06:51:03 server kamailio[3834]: 5(3844) DEBUG: <core>
[core/ip_addr.c:577]: print_ip(): tcpconn_new: new tcp connection:
52.114.132.46
May 5 06:51:03 server kamailio[3834]: 5(3844) DEBUG: <core>
[core/tcp_main.c:1175]: tcpconn_new(): on port 5061, type 3, socket -1
May 5 06:51:03 server kamailio[3834]: 5(3844) DEBUG: <core>
[core/tcp_main.c:1498]: tcpconn_add(): hashes: 3678:784:0, 230
May 5 06:51:03 server kamailio[3834]: 5(3844) DEBUG: tls
[tls_server.c:244]: tls_complete_init(): completing tls connection
initialization
May 5 06:51:03 server kamailio[3834]: 5(3844) DEBUG: tls
[tls_server.c:207]: tls_get_connect_server_name(): xavp with outbound
server name not found
May 5 06:51:03 server kamailio[3834]: 5(3844) DEBUG: tls
[tls_server.c:180]: tls_get_connect_server_id(): xavp with outbound server
id not found
May 5 06:51:03 server kamailio[3834]: 5(3844) DEBUG: tls
[tls_server.c:187]: tls_get_connect_server_id(): outbound server id not set
May 5 06:51:03 server kamailio[3834]: 5(3844) DEBUG: tls
[tls_server.c:274]: tls_complete_init(): Using initial TLS domain
TLSc<default> (dom 0x7f1cca178720 ctx 0x7f1cca29dbd0 sn [])
May 5 06:51:03 server kamailio[3834]: 5(3844) DEBUG: tls
[tls_domain.c:1208]: tls_lookup_private_key(): Private key lookup for
SSL_CTX-0x7f1cca29dbd0: (nil)
May 5 06:51:03 server kamailio[3834]: 5(3844) DEBUG: tls
[tls_domain.c:778]: sr_ssl_ctx_info_callback(): SSL handshake started
May 5 06:51:03 server kamailio[3834]: 5(3844) DEBUG: <core>
[core/tcp_main.c:2888]: tcpconn_1st_send(): pending write on new connection
0x7f1cca41fe18 sock 11 (-1/517 bytes written) (err: 11 - Resource
temporarily unavailable)
May 5 06:51:03 server kamailio[3834]: 5(3844) DEBUG: tm [uac.c:686]:
send_prepared_request_impl(): uac: 0x7f1cca40bd50 branch: 0 to
52.114.132.46:5061
May 5 06:51:03 server kamailio[3834]: 5(3844) DEBUG: <core>
[core/onsend.c:50]: run_onsend(): required parameters are not available -
ignoring
May 5 06:51:03 server kamailio[3834]: 14(3853) DEBUG: <core>
[core/tcp_main.c:3793]: handle_ser_child(): read response= 7f1cca41fe18, 5,
fd 26 from 5 (3844)
May 5 06:51:03 server kamailio[3834]: 14(3853) DEBUG: <core>
[core/io_wait.h:375]: io_watch_add(): DBG: io_watch_add(0xae4760, 26, 2,
0x7f1cca41fe18), fd_no=20
May 5 06:51:03 server kamailio[3834]: 14(3853) DEBUG: <core>
[core/io_wait.h:782]: io_watch_chg(): DBG: io_watch_chg (0xae4760, 26, 0x1,
0xffffffff) fd_no=21 called
May 5 06:51:03 server kamailio[3834]: 14(3853) DEBUG: <core>
[core/io_wait.h:782]: io_watch_chg(): DBG: io_watch_chg (0xae4760, 24, 0x1,
0xffffffff) fd_no=21 called
May 5 06:51:03 server kamailio[3834]: 14(3853) DEBUG: <core>
[core/io_wait.h:600]: io_watch_del(): DBG: io_watch_del (0xae4760, 26, -1,
0x0) fd_no=21 called
May 5 06:51:03 server kamailio[3834]: 14(3853) DEBUG: <core>
[core/tcp_main.c:4457]: handle_tcpconn_ev(): sending to child, events 1
May 5 06:51:03 server kamailio[3834]: 14(3853) DEBUG: <core>
[core/tcp_main.c:4130]: send2child(): selected tcp worker idx:3 proc:13
pid:3852 for activity on [tls:X.X.X.X:5062], 0x7f1cca41fe18
May 5 06:51:03 server kamailio[3834]: 13(3852) DEBUG: <core>
[core/tcp_read.c:1737]: handle_io(): received n=8 con=0x7f1cca41fe18, fd=6
May 5 06:51:03 server kamailio[3834]: 13(3852) DEBUG: tls
[tls_domain.c:1208]: tls_lookup_private_key(): Private key lookup for
SSL_CTX-0x7f1cca29dbd0: (nil)
May 5 06:51:03 server kamailio[3834]: 14(3853) DEBUG: <core>
[core/io_wait.h:782]: io_watch_chg(): DBG: io_watch_chg (0xae4760, 25, 0x1,
0xffffffff) fd_no=20 called
May 5 06:51:03 server kamailio[3834]: 13(3852) DEBUG: <core>
[core/tcp_main.c:2706]: tcpconn_do_send(): sending...
May 5 06:51:03 server kamailio[3834]: 13(3852) DEBUG: <core>
[core/tcp_main.c:2739]: tcpconn_do_send(): after real write: c=
0x7f1cca41fe18 n=5103 fd=6
May 5 06:51:03 server kamailio[3834]: 13(3852) DEBUG: <core>
[core/tcp_main.c:2740]: tcpconn_do_send(): buf=
May 5 06:51:03 server kamailio[3834]: ?
May 5 06:51:03 server kamailio[3834]: 13(3852) DEBUG: <core>
[core/io_wait.h:375]: io_watch_add(): DBG: io_watch_add(0xb50560, 6, 2,
0x7f1cca41fe18), fd_no=1
May 5 06:51:04 server kamailio[3834]: 13(3852) DEBUG: tls
[tls_domain.c:1208]: tls_lookup_private_key(): Private key lookup for
SSL_CTX-0x7f1cca29dbd0: (nil)
May 5 06:51:04 server kamailio[3834]: 13(3852) DEBUG: tls
[tls_domain.c:790]: sr_ssl_ctx_info_callback(): SSL handshake done
May 5 06:51:04 server kamailio[3834]: 13(3852) DEBUG: tls
[tls_domain.c:794]: sr_ssl_ctx_info_callback(): SSL disable renegotiation
May 5 06:51:04 server kamailio[3834]: 13(3852) DEBUG: tls
[tls_server.c:542]: tls_connect(): TLS connect successful
May 5 06:51:04 server kamailio[3834]: 13(3852) DEBUG: tls
[tls_server.c:549]: tls_connect(): tls_connect: new connection to
52.114.132.46:5061 using TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384 256
May 5 06:51:04 server kamailio[3834]: 13(3852) DEBUG: tls
[tls_server.c:552]: tls_connect(): tls_connect: sending socket: X.X.X.X:0
May 5 06:51:04 server kamailio[3834]: 13(3852) DEBUG: tls
[tls_server.c:418]: tls_dump_cert_info(): tls_connect: server certificate
subject:/CN=sip.pstnhub.microsoft.com
May 5 06:51:04 server kamailio[3834]: 13(3852) DEBUG: tls
[tls_server.c:422]: tls_dump_cert_info(): tls_connect: server certificate
issuer:/C=US/O=Microsoft Corporation/CN=Microsoft RSA TLS CA 01
May 5 06:51:04 server kamailio[3834]: 13(3852) DEBUG: tls
[tls_server.c:558]: tls_connect(): WARNING: tls_connect: server certificate
verification failed!!!
May 5 06:51:04 server kamailio[3834]: 13(3852) DEBUG: tls
[tls_dump_vf.c:104]: tls_dump_verification_failure(): verification failure:
unable to get local issuer certificate
May 5 06:51:04 server kamailio[3834]: 13(3852) DEBUG: <core>
[core/tcp_main.c:2706]: tcpconn_do_send(): sending...
May 5 06:51:04 server kamailio[3834]: 13(3852) DEBUG: <core>
[core/tcp_main.c:2739]: tcpconn_do_send(): after real write: c=
0x7f1cca41fe18 n=513 fd=6
May 5 06:51:04 server kamailio[3834]: 13(3852) DEBUG: <core>
[core/tcp_main.c:2740]: tcpconn_do_send(): buf=
Thank you very much!