Hello all!
I'm trying to establish a TLS connection but am getting the following error. Can anyone point me in the right direction, please?
tls_dump_verification_failure(): verification failure: unable to get local issuer certificate
Kamailio version is 5.5.1. System runs on CentOS 7.
At the moment the tls.cfg configuration file looks like this:

[server:default]
method = TLSv1+
require_certificate = no
verify_certificate = no
private_key = /var/kamailio/certificates/default/server/key.pem
certificate = /var/kamailio/certificates/default/server/cert.pem
ca_list = /var/kamailio/certificates/default/CA/cert.pem

[client:default]
method = TLSv1+
require_certificate = no
verify_certificate = no
private_key = /var/kamailio/certificates/default/server/key.pem
certificate = /var/kamailio/certificates/default/server/cert.pem
ca_list = /var/kamailio/certificates/default/CA/cert.pem
The ca_list file contains the root and intermediate certificates. The certificate was issued by Sectigo. It can be successfully verified with the OpenSSL tool:

# openssl verify -verbose -CAfile /var/kamailio/certificates/default/CA/cert.pem /var/kamailio/certificates/default/server/cert.pem
/var/kamailio/certificates/default/server/cert.pem: OK
Here is a fragment of Kamailio debug output:
May 5 06:51:03 server kamailio[3834]: 5(3844) DEBUG: <core> [core/tcp_main.c:1993]: tcp_send(): no open tcp connection found, opening new one
May 5 06:51:03 server kamailio[3834]: 5(3844) DEBUG: <core> [core/ip_addr.c:577]: print_ip(): tcpconn_new: new tcp connection: 52.114.132.46
May 5 06:51:03 server kamailio[3834]: 5(3844) DEBUG: <core> [core/tcp_main.c:1175]: tcpconn_new(): on port 5061, type 3, socket -1
May 5 06:51:03 server kamailio[3834]: 5(3844) DEBUG: <core> [core/tcp_main.c:1498]: tcpconn_add(): hashes: 3678:784:0, 230
May 5 06:51:03 server kamailio[3834]: 5(3844) DEBUG: tls [tls_server.c:244]: tls_complete_init(): completing tls connection initialization
May 5 06:51:03 server kamailio[3834]: 5(3844) DEBUG: tls [tls_server.c:207]: tls_get_connect_server_name(): xavp with outbound server name not found
May 5 06:51:03 server kamailio[3834]: 5(3844) DEBUG: tls [tls_server.c:180]: tls_get_connect_server_id(): xavp with outbound server id not found
May 5 06:51:03 server kamailio[3834]: 5(3844) DEBUG: tls [tls_server.c:187]: tls_get_connect_server_id(): outbound server id not set
May 5 06:51:03 server kamailio[3834]: 5(3844) DEBUG: tls [tls_server.c:274]: tls_complete_init(): Using initial TLS domain TLSc<default> (dom 0x7f1cca178720 ctx 0x7f1cca29dbd0 sn [])
May 5 06:51:03 server kamailio[3834]: 5(3844) DEBUG: tls [tls_domain.c:1208]: tls_lookup_private_key(): Private key lookup for SSL_CTX-0x7f1cca29dbd0: (nil)
May 5 06:51:03 server kamailio[3834]: 5(3844) DEBUG: tls [tls_domain.c:778]: sr_ssl_ctx_info_callback(): SSL handshake started
May 5 06:51:03 server kamailio[3834]: 5(3844) DEBUG: <core> [core/tcp_main.c:2888]: tcpconn_1st_send(): pending write on new connection 0x7f1cca41fe18 sock 11 (-1/517 bytes written) (err: 11 - Resource temporarily unavailable)
May 5 06:51:03 server kamailio[3834]: 5(3844) DEBUG: tm [uac.c:686]: send_prepared_request_impl(): uac: 0x7f1cca40bd50 branch: 0 to 52.114.132.46:5061
May 5 06:51:03 server kamailio[3834]: 5(3844) DEBUG: <core> [core/onsend.c:50]: run_onsend(): required parameters are not available - ignoring
May 5 06:51:03 server kamailio[3834]: 14(3853) DEBUG: <core> [core/tcp_main.c:3793]: handle_ser_child(): read response= 7f1cca41fe18, 5, fd 26 from 5 (3844)
May 5 06:51:03 server kamailio[3834]: 14(3853) DEBUG: <core> [core/io_wait.h:375]: io_watch_add(): DBG: io_watch_add(0xae4760, 26, 2, 0x7f1cca41fe18), fd_no=20
May 5 06:51:03 server kamailio[3834]: 14(3853) DEBUG: <core> [core/io_wait.h:782]: io_watch_chg(): DBG: io_watch_chg (0xae4760, 26, 0x1, 0xffffffff) fd_no=21 called
May 5 06:51:03 server kamailio[3834]: 14(3853) DEBUG: <core> [core/io_wait.h:782]: io_watch_chg(): DBG: io_watch_chg (0xae4760, 24, 0x1, 0xffffffff) fd_no=21 called
May 5 06:51:03 server kamailio[3834]: 14(3853) DEBUG: <core> [core/io_wait.h:600]: io_watch_del(): DBG: io_watch_del (0xae4760, 26, -1, 0x0) fd_no=21 called
May 5 06:51:03 server kamailio[3834]: 14(3853) DEBUG: <core> [core/tcp_main.c:4457]: handle_tcpconn_ev(): sending to child, events 1
May 5 06:51:03 server kamailio[3834]: 14(3853) DEBUG: <core> [core/tcp_main.c:4130]: send2child(): selected tcp worker idx:3 proc:13 pid:3852 for activity on [tls:X.X.X.X:5062], 0x7f1cca41fe18
May 5 06:51:03 server kamailio[3834]: 13(3852) DEBUG: <core> [core/tcp_read.c:1737]: handle_io(): received n=8 con=0x7f1cca41fe18, fd=6
May 5 06:51:03 server kamailio[3834]: 13(3852) DEBUG: tls [tls_domain.c:1208]: tls_lookup_private_key(): Private key lookup for SSL_CTX-0x7f1cca29dbd0: (nil)
May 5 06:51:03 server kamailio[3834]: 14(3853) DEBUG: <core> [core/io_wait.h:782]: io_watch_chg(): DBG: io_watch_chg (0xae4760, 25, 0x1, 0xffffffff) fd_no=20 called
May 5 06:51:03 server kamailio[3834]: 13(3852) DEBUG: <core> [core/tcp_main.c:2706]: tcpconn_do_send(): sending...
May 5 06:51:03 server kamailio[3834]: 13(3852) DEBUG: <core> [core/tcp_main.c:2739]: tcpconn_do_send(): after real write: c= 0x7f1cca41fe18 n=5103 fd=6
May 5 06:51:03 server kamailio[3834]: 13(3852) DEBUG: <core> [core/tcp_main.c:2740]: tcpconn_do_send(): buf=
May 5 06:51:03 server kamailio[3834]: ?
May 5 06:51:03 server kamailio[3834]: 13(3852) DEBUG: <core> [core/io_wait.h:375]: io_watch_add(): DBG: io_watch_add(0xb50560, 6, 2, 0x7f1cca41fe18), fd_no=1
May 5 06:51:04 server kamailio[3834]: 13(3852) DEBUG: tls [tls_domain.c:1208]: tls_lookup_private_key(): Private key lookup for SSL_CTX-0x7f1cca29dbd0: (nil)
May 5 06:51:04 server kamailio[3834]: 13(3852) DEBUG: tls [tls_domain.c:790]: sr_ssl_ctx_info_callback(): SSL handshake done
May 5 06:51:04 server kamailio[3834]: 13(3852) DEBUG: tls [tls_domain.c:794]: sr_ssl_ctx_info_callback(): SSL disable renegotiation
May 5 06:51:04 server kamailio[3834]: 13(3852) DEBUG: tls [tls_server.c:542]: tls_connect(): TLS connect successful
May 5 06:51:04 server kamailio[3834]: 13(3852) DEBUG: tls [tls_server.c:549]: tls_connect(): tls_connect: new connection to 52.114.132.46:5061 using TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384 256
May 5 06:51:04 server kamailio[3834]: 13(3852) DEBUG: tls [tls_server.c:552]: tls_connect(): tls_connect: sending socket: X.X.X.X:0
May 5 06:51:04 server kamailio[3834]: 13(3852) DEBUG: tls [tls_server.c:418]: tls_dump_cert_info(): tls_connect: server certificate subject:/CN=sip.pstnhub.microsoft.com
May 5 06:51:04 server kamailio[3834]: 13(3852) DEBUG: tls [tls_server.c:422]: tls_dump_cert_info(): tls_connect: server certificate issuer:/C=US/O=Microsoft Corporation/CN=Microsoft RSA TLS CA 01
May 5 06:51:04 server kamailio[3834]: 13(3852) DEBUG: tls [tls_server.c:558]: tls_connect(): WARNING: tls_connect: server certificate verification failed!!!
May 5 06:51:04 server kamailio[3834]: 13(3852) DEBUG: tls [tls_dump_vf.c:104]: tls_dump_verification_failure(): verification failure: unable to get local issuer certificate
May 5 06:51:04 server kamailio[3834]: 13(3852) DEBUG: <core> [core/tcp_main.c:2706]: tcpconn_do_send(): sending...
May 5 06:51:04 server kamailio[3834]: 13(3852) DEBUG: <core> [core/tcp_main.c:2739]: tcpconn_do_send(): after real write: c= 0x7f1cca41fe18 n=513 fd=6
May 5 06:51:04 server kamailio[3834]: 13(3852) DEBUG: <core> [core/tcp_main.c:2740]: tcpconn_do_send(): buf=
Thank you very much!
> tls_dump_cert_info(): tls_connect: server certificate issuer:/C=US/O=Microsoft Corporation/CN=Microsoft RSA TLS CA 01

This is not Sectigo signed - is my guess. It's the other side's cert that Kamailio can't verify. You need to add that CA cert to the Kamailio CA store.

/O
On 5 May 2022, at 14:09, Володимир Іванець volodyaivanets@gmail.com wrote:
> tls_dump_cert_info(): tls_connect: server certificate issuer:/C=US/O=Microsoft Corporation/CN=Microsoft RSA TLS CA 01
Hello Olle!
Thank you for the hint! I checked my test server where the connection was working before and now I see the same problem. Looks like Microsoft could have updated the certificate on their side. Will try to find the appropriate root and intermediate certificates.
Thanks a lot!
On Thu, 5 May 2022 at 17:52, Olle E. Johansson oej@edvina.net wrote:
> > tls_dump_cert_info(): tls_connect: server certificate issuer:/C=US/O=Microsoft Corporation/CN=Microsoft RSA TLS CA 01
>
> This is not Sectigo signed - is my guess. It's the other side's cert that Kamailio can't verify. You need to add that CA cert to the Kamailio CA store.
>
> /O
>
> On 5 May 2022, at 14:09, Володимир Іванець volodyaivanets@gmail.com wrote:
> > tls_dump_cert_info(): tls_connect: server certificate issuer:/C=US/O=Microsoft Corporation/CN=Microsoft RSA TLS CA 01
>
> Kamailio - Users Mailing List - Non Commercial Discussions
> - sr-users@lists.kamailio.org
> Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
Hello all!
According to the "SBC doesn't trust SIP proxy certificate" section from https://docs.microsoft.com/en-us/microsoftteams/troubleshoot/phone-system/di... I had to download and add their certificates to the CA list. I did that, but Kamailio still fails to verify the MS certificate.
Has anyone faced this problem?
Thank you!
On Tue, 10 May 2022 at 17:17, Володимир Іванець volodyaivanets@gmail.com wrote:
> Hello Olle!
> Thank you for the hint! I checked my test server where the connection was working before and now I see the same problem. Looks like Microsoft could have updated the certificate on their side. Will try to find the appropriate root and intermediate certificates.
> Thanks a lot!
In case someone will face the same problem, here is the correct certificate to add to the Kamailio CA list: https://baltimore-cybertrust-root.chain-demos.digicert.com/info/index.html
Thank you!
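The thread turns on one point: `openssl verify` of your own Sectigo-issued certificate proves nothing about the peer, because Kamailio checks the peer's chain against the same ca_list, and "unable to get local issuer certificate" means no certificate in ca_list is the issuer of the chain the peer presented. The script below is an added example, not code from the thread or from the Kamailio project. It builds a throw-away root, intermediate and leaf with the openssl CLI (assumed 1.1.1 or newer; every name, including sip.example.test, is made up), reproduces the exact error offline by verifying the leaf against a ca_list that lacks its issuer, shows the two configurations that pass (peer sends its intermediate, or ca_list carries intermediate plus root), and prints which root a received chain actually requires, which is how one finds the Baltimore CyberTrust Root answer rather than guessing.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce "unable to get local issuer
# certificate" offline with a constructed root -> intermediate -> leaf chain,
# then show how it is fixed. Needs only the openssl CLI (assumed 1.1.1+).
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for the constructed PKI

# Build a throw-away PKI in $1: self-signed root, intermediate signed by the
# root, leaf signed by the intermediate, plus sent.pem (what a peer presents).
make_chain() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_int]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:sip.example.test
EOF
    openssl req -x509 -config "$dir/pki.cnf" -extensions v3_ca \
        -subj "/CN=Example Test Root CA" -newkey rsa:2048 -nodes -sha256 \
        -days 2 -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
    openssl req -new -config "$dir/pki.cnf" -subj "/CN=Example Test Intermediate CA" \
        -newkey rsa:2048 -nodes -sha256 -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 2 -sha256 -extfile "$dir/pki.cnf" -extensions v3_int \
        -out "$dir/int.pem" 2>/dev/null
    openssl req -new -config "$dir/pki.cnf" -subj "/CN=sip.example.test" \
        -newkey rsa:2048 -nodes -sha256 -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
        -CAcreateserial -days 2 -sha256 -extfile "$dir/pki.cnf" -extensions v3_leaf \
        -out "$dir/leaf.pem" 2>/dev/null
    # A well-behaved peer sends leaf first, then its intermediate(s), never the root.
    cat "$dir/leaf.pem" "$dir/int.pem" > "$dir/sent.pem"
}

# Verify LEAF against CAFILE the way Kamailio checks a peer against ca_list.
# Extra arguments (e.g. "-untrusted peer-sent.pem") are passed to openssl.
# Prints "OK" or the OpenSSL reason string; returns 0 only on success.
verify_leaf() {
    cafile="$1"; leaf="$2"; shift 2
    if out=$(openssl verify -CAfile "$cafile" "$@" "$leaf" 2>&1); then
        echo "OK"
        return 0
    fi
    echo "$out" | grep -o 'depth lookup: *.*' | head -n 1 | sed 's/^depth lookup: *//'
    return 1
}

# Given the chain a peer sent (leaf first), print the issuer of its last
# certificate: that is the root that ca_list must contain.
needed_root() {
    n=$(grep -c 'BEGIN CERTIFICATE' "$1")
    awk -v want="$n" '/BEGIN CERTIFICATE/ { i++ } i == want { print }' "$1" \
        | openssl x509 -noout -issuer -nameopt RFC2253
}

make_chain "$WORK"
cat "$WORK/int.pem" "$WORK/root.pem" > "$WORK/ca_list.pem"

echo "root only, peer sent no intermediate: $(verify_leaf "$WORK/root.pem" "$WORK/leaf.pem" || true)"
echo "root only, peer sent intermediate:    $(verify_leaf "$WORK/root.pem" "$WORK/leaf.pem" -untrusted "$WORK/int.pem" || true)"
echo "root + intermediate in ca_list:       $(verify_leaf "$WORK/ca_list.pem" "$WORK/leaf.pem" || true)"
echo "root required by the peer's chain:    $(needed_root "$WORK/sent.pem")"
```

The first case is the failure from the thread: the only trust anchor available is unrelated to the leaf's issuer, so OpenSSL reports error 20, "unable to get local issuer certificate", at depth 0. Against a live peer the equivalent of sent.pem is the chain shown by `openssl s_client -showcerts`; feeding it to needed_root tells you which root to append to the file named in ca_list. Note also that with verify_certificate = no Kamailio logs this as a WARNING and still completes the handshake, so the debug line is the only sign that the peer was never authenticated.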
On Wed, 11 May 2022 at 16:55, Володимир Іванець volodyaivanets@gmail.com wrote:
> Hello all!
> According to the "SBC doesn't trust SIP proxy certificate" section from https://docs.microsoft.com/en-us/microsoftteams/troubleshoot/phone-system/di... I had to download and add their certificates to the CA list. I did that, but Kamailio still fails to verify the MS certificate.
> Has anyone faced this problem?
> Thank you!