Re: [OpenSIPS-Users] TLS Error
Dear Bogdan-Andrei Iancu,

Thank you for the reply. In fact I redid the CA generation by following the OpenSIPS TLS setting document (https://opensips.org/html/docs/tutorials/tls-1.4.x). From the request.conf I confirm that “default_md” is set to “sha1”. After I recopied the tls folder to the location /etc/opensips/tls and restarted the opensips service, it still shows the error message.

As for the log message, I would like to check with you whether the previous three tls_mgm notices, which show some strange messages, create this problem?

Regards
Wilson Wang

May 26 11:49:23 wilson-VirtualBox /usr/local/opensips/sbin/opensips[5103]: NOTICE:tls_mgm:init_tls_dom: No EC curve defined
May 26 11:49:23 wilson-VirtualBox /usr/local/opensips/sbin/opensips[5103]: INFO:tls_mgm:get_ssl_ctx_verify_mode: client verification activated. Client certificates are NOT mandatory.
May 26 11:49:23 wilson-VirtualBox /usr/local/opensips/sbin/opensips[5103]: NOTICE:tls_mgm:init_tls_dom: no CA dir for tls 'default' defined, using default '/etc/pki/CA/'
May 26 11:49:23 wilson-VirtualBox /usr/local/opensips/sbin/opensips[5103]: NOTICE:tls_mgm:init_tls_dom: no crl for tls, using none
May 26 11:49:23 wilson-VirtualBox /usr/local/opensips/sbin/opensips[5103]: ERROR:tls_mgm:tls_print_errstack: TLS errstack: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak
May 26 11:49:23 wilson-VirtualBox /usr/local/opensips/sbin/opensips[5103]: ERROR:tls_mgm:load_certificate: unable to load certificate file '/etc/opensips/tls/user/user-cert.pem'
May 26 11:49:23 wilson-VirtualBox /usr/local/opensips/sbin/opensips[5103]: ERROR:tls_mgm:init_tls_domains: Failed to init TLS domain 'default'
May 26 11:49:23 wilson-VirtualBox /usr/local/opensips/sbin/opensips[5103]: ERROR:core:init_mod: failed to initialize module tls_mgm

___
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
Re: [OpenSIPS-Users] TLS Error
Hi Wang,

A quick googling shows that the problem is with your certificate, being md5 signed - and this is considered a weak signature. Check this
https://stackoverflow.com/questions/52218876/how-to-fix-ssl-issue-ssl-ctx-use-certificate-ca-md-too-weak-on-python-zeep

Regards,
Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
https://www.opensips-solutions.com
OpenSIPS Summit 27-30 Sept 2022, Athens
https://www.opensips.org/events/Summit-2022Athens/

On 5/23/22 5:40 AM, Wang Wilson wrote:
> This is my folder user rights status, and I am running Opensips3.1 under root user privilege.
>
> root@wilson-VirtualBox:/etc/opensips/tls/user# ls -lrth /etc/opensips/tls/user
> total 20K
> -rw--- 1 root root 1.7K 5月 23 10:34 user-privkey.pem
> -rw-r--r-- 1 root root 1.1K 5月 23 10:34 user-cert_req.pem
> -rw-r--r-- 1 root root 4.2K 5月 23 10:34 user-cert.pem
> -rw-r--r-- 1 root root 1.3K 5月 23 10:34 user-calist.pem
> root@wilson-VirtualBox:/etc/opensips/tls/user#
>
> Can you tell if there is anything need to pay attention?
>
> Regards
> Wilson
Re: [OpenSIPS-Users] TLS Error
This is my folder user rights status, and I am running OpenSIPS 3.1 under root user privilege.

root@wilson-VirtualBox:/etc/opensips/tls/user# ls -lrth /etc/opensips/tls/user
total 20K
-rw--- 1 root root 1.7K 5月 23 10:34 user-privkey.pem
-rw-r--r-- 1 root root 1.1K 5月 23 10:34 user-cert_req.pem
-rw-r--r-- 1 root root 4.2K 5月 23 10:34 user-cert.pem
-rw-r--r-- 1 root root 1.3K 5月 23 10:34 user-calist.pem
root@wilson-VirtualBox:/etc/opensips/tls/user#

Can you tell if there is anything I need to pay attention to?

Regards
Wilson

From: Users on behalf of ideanet help
Sent: Monday, May 23, 2022 6:53:41 AM
To: OpenSIPS users mailing list
Subject: Re: [OpenSIPS-Users] TLS Error

Hi Wang,
Can you check the user rights of that directory?
ls -lrth /etc/opensips/tls/user
Re: [OpenSIPS-Users] TLS Error
Hi Wang,

Can you check the user rights of that directory?

ls -lrth /etc/opensips/tls/user

On Mon, May 23, 2022 at 3:10 AM Wang Wilson wrote:
> Hello,
>
> I am sending this to follow the issue that was reported on Sep 17 13:13:06 EST 2020.
>
> My problem is that I get the same error message, but the path to
> /etc/opensips/tls/user/user-cert.pem is correct and it is not symlink file.
>
> I just start to explore the TLS method for us to support SIP service. What
> could be the reason for this?
>
> Thanks in advance.
>
> Regards
> Wilson
Re: [OpenSIPS-Users] TLS Error
Hello,

I am sending this to follow up on the issue that was reported on Sep 17 13:13:06 EST 2020.

My problem is that I get the same error message, but the path to /etc/opensips/tls/user/user-cert.pem is correct and it is not a symlink file.

I have just started to explore the TLS method for us to support SIP service. What could be the reason for this?

Thanks in advance.

Regards
Wilson

--
INFO:core:mod_init: initializing TCP-plain protocol
May 22 22:32:45 wilson-VirtualBox /usr/local/opensips/sbin/opensips[7437]: INFO:tls_mgm:mod_init: initializing TLS management
May 22 22:32:45 wilson-VirtualBox /usr/local/opensips/sbin/opensips[7437]: INFO:tls_mgm:mod_init: disabling compression due ZLIB problems
May 22 22:32:45 wilson-VirtualBox /usr/local/opensips/sbin/opensips[7437]: INFO:tls_mgm:init_tls_dom: Processing TLS domain 'default'
May 22 22:32:45 wilson-VirtualBox /usr/local/opensips/sbin/opensips[7437]: NOTICE:tls_mgm:init_tls_dom: No EC curve defined
May 22 22:32:45 wilson-VirtualBox /usr/local/opensips/sbin/opensips[7437]: INFO:tls_mgm:get_ssl_ctx_verify_mode: client verification activated. Client certificates are NOT mandatory.
May 22 22:32:45 wilson-VirtualBox /usr/local/opensips/sbin/opensips[7437]: NOTICE:tls_mgm:init_tls_dom: no CA dir for tls 'default' defined, using default '/etc/pki/CA/'
May 22 22:32:45 wilson-VirtualBox /usr/local/opensips/sbin/opensips[7437]: NOTICE:tls_mgm:init_tls_dom: no crl for tls, using none
May 22 22:32:45 wilson-VirtualBox /usr/local/opensips/sbin/opensips[7437]: ERROR:tls_mgm:tls_print_errstack: TLS errstack: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak
May 22 22:32:45 wilson-VirtualBox /usr/local/opensips/sbin/opensips[7437]: ERROR:tls_mgm:load_certificate: unable to load certificate file '/etc/opensips/tls/user/user-cert.pem'
May 22 22:32:45 wilson-VirtualBox /usr/local/opensips/sbin/opensips[7437]: ERROR:tls_mgm:init_tls_domains: Failed to init TLS domain 'default'
May 22 22:32:45 wilson-VirtualBox /usr/local/opensips/sbin/opensips[7437]: ERROR:core:init_mod: failed to initialize module tls_mgm
May 22 22:32:45 wilson-VirtualBox /usr/local/opensips/sbin/opensips[7437]: ERROR:core:main: error while initializing modules
May 22 22:32:45 wilson-VirtualBox /usr/local/opensips/sbin/opensips[7437]: INFO:core:cleanup: cleanup
May 22 22:32:45 wilson-VirtualBox /usr/local/opensips/sbin/opensips[7437]: NOTICE:core:main: Exiting
Re: [OpenSIPS-Users] TLS Error
Thanks, I fixed the issue by putting them in /etc/opensips/tls

On Thu, Sep 17, 2020 at 4:24 PM Tomi Hakkarainen wrote:
> Hi,
> I have had the same.
> look at the directory/file rights on the Let's Encrypt path. The user
> trying to access cannot access the file because there is something missing
> on the path...
>
> I can't remember which it was...
> If you are using certbot or similar to create those automatic should be
> resolved or should make some post operation after cert generation to copy
> those to opensips folder...
>
> Tomi
Re: [OpenSIPS-Users] TLS Error
Hi,

I have had the same.
Look at the directory/file rights on the Let's Encrypt path. The user trying to access cannot access the file because there is something missing on the path...

I can't remember which it was...
If you are using certbot or similar to create those automatic should be resolved or should make some post operation after cert generation to copy those to opensips folder...

Tomi

On 17. Sep 2020, at 16.51, John Matich wrote:
> Copy the certs into /etc/opensips/tls/ it doesn't seem to like the
> symlinked certs of letsencrypt
>
> That fixed it for me when I had the same issue.
Re: [OpenSIPS-Users] TLS Error
Thanks

Do I just create a folder tls in /etc/opensips and copy them in?

Also what did you use for ca_list?

On Thursday, September 17, 2020, John Matich wrote:
> Copy the certs into /etc/opensips/tls/ it doesn't seem to like the
> symlinked certs of letsencrypt
>
> That fixed it for me when I had the same issue.
Re: [OpenSIPS-Users] TLS Error
Copy the certs into /etc/opensips/tls/ it doesn't seem to like the symlinked certs of letsencrypt

That fixed it for me when I had the same issue.

On Thu, 2020-09-17 at 14:32 +0100, Andrew Colin wrote:
> yes but why as that path is correct
> and permissions etc are all fine
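Added example, not from the thread or from OpenSIPS, covering the two explanations given above for the 2020 failure (rights on the Let's Encrypt path, and symlinked certs): it resolves a certificate path and lists every directory or file on the lexical and resolved chains that a given uid/gid cannot search or read. `access_report`, `build_constructed_tree` and the temporary `example.test` layout are hypothetical, and only classic mode bits are checked (no ACLs, SELinux or AppArmor).

```python
import os
import shutil
import stat
import tempfile

R_BITS = (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)
X_BITS = (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)


def mode_allows(st, uid, gids, bits):
    """Owner/group/other check on mode bits only (first matching class wins)."""
    owner_bit, group_bit, other_bit = bits
    if st.st_uid == uid:
        return bool(st.st_mode & owner_bit)
    if st.st_gid in gids:
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)


def parent_dirs(path):
    """Every directory from the filesystem root down to path's parent."""
    dirs, head = [], os.path.dirname(path)
    while True:
        dirs.append(head)
        parent = os.path.dirname(head)
        if parent == head:
            return dirs[::-1]
        head = parent


def access_report(path, uid, gids):
    """Report what stops uid/gids from opening path. Run it as a user that can
    stat the whole chain (typically root), passing the daemon's uid and gids."""
    lexical = os.path.abspath(path)
    resolved = os.path.realpath(lexical)
    blocked = []
    if not os.path.exists(resolved):
        blocked.append((resolved, "missing (dangling symlink or wrong path)"))
    elif uid != 0:  # uid 0 is not limited by these mode bits
        seen = set()
        # Both chains matter: the path as configured and the symlink target.
        for chain in (lexical, resolved):
            for directory in parent_dirs(chain):
                real_dir = os.path.realpath(directory)
                if real_dir in seen:
                    continue
                seen.add(real_dir)
                if not mode_allows(os.stat(real_dir), uid, gids, X_BITS):
                    blocked.append((real_dir, "no search (x) permission"))
        if not mode_allows(os.stat(resolved), uid, gids, R_BITS):
            blocked.append((resolved, "no read (r) permission"))
    return {"via_symlink": resolved != lexical,
            "resolved": resolved,
            "blocked": blocked}


def build_constructed_tree():
    """Constructed layout: live/ holds a symlink into a 0700 archive/ directory,
    tls/ holds a plain copy of the same file."""
    base = os.path.realpath(tempfile.mkdtemp())
    for sub in ("archive/example.test", "live/example.test", "tls"):
        os.makedirs(os.path.join(base, sub))
    for sub in ("", "archive/example.test", "live", "live/example.test", "tls"):
        os.chmod(os.path.join(base, sub), 0o755)
    target = os.path.join(base, "archive", "example.test", "cert1.pem")
    with open(target, "w") as fh:
        fh.write("constructed placeholder, not a certificate\n")
    os.chmod(target, 0o644)
    os.symlink("../../archive/example.test/cert1.pem",
               os.path.join(base, "live", "example.test", "cert.pem"))
    copy = os.path.join(base, "tls", "cert.pem")
    shutil.copyfile(target, copy)
    os.chmod(copy, 0o644)
    os.chmod(os.path.join(base, "archive"), 0o700)  # owner-only directory
    return base


if __name__ == "__main__":
    base = build_constructed_tree()
    owner = os.stat(base)
    other_uid, other_gids = owner.st_uid + 1, {owner.st_gid + 1}
    for rel in ("live/example.test/cert.pem", "tls/cert.pem"):
        report = access_report(os.path.join(base, rel), other_uid, other_gids)
        print(rel, report["via_symlink"], report["blocked"])
    shutil.rmtree(base)
```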
Re: [OpenSIPS-Users] TLS Error
yes but why as that path is correct
and permissions etc are all fine

On Thu, Sep 17, 2020 at 2:31 PM Johan De Clercq wrote:
> it seems to me that it can't load your certificate.
Re: [OpenSIPS-Users] TLS Error
It seems to me that it can't load your certificate.

On Thu, 17 Sep 2020 at 15:16, Andrew Colin wrote:

> Hi Guys
>
> I am trying to get tls to work but getting some errors.
> I am using letsencrypt and opensips 3.1
>
> my config is
>
> loadmodule "proto_tls.so"
> loadmodule "tls_mgm.so"
>
> modparam("tls_mgm", "client_sip_domain_avp", "tls_sip_dom")
>
> modparam("tls_mgm", "server_domain", "dom1")
> modparam("tls_mgm", "match_ip_address", "[dom1]myip:5061")
> modparam("tls_mgm", "match_sip_domain", "[dom1]mydomain.co.uk")
>
> modparam("tls_mgm", "tls_method", "[dom1]TLSv1_2")
> modparam("tls_mgm", "verify_cert", "[dom1]1")
> modparam("tls_mgm", "require_cert", "[dom1]1")
> modparam("tls_mgm", "certificate", "[dom1]/etc/letsencrypt/live/mydomain.co.uk/cert.pem")
> modparam("tls_mgm", "private_key", "[dom1]/etc/letsencrypt/live/mydomain.co.uk/privkey.pem")
> modparam("tls_mgm", "ca_list", "[dom1]/etc/letsencrypt/live/mydomain.co.uk/cert.pem")
> modparam("tls_mgm", "ca_dir", "[dom1]/etc/letsencrypt/live/bmydomain.co.uk")
>
> but I get this error
>
> INFO:tls_mgm:mod_init: disabling compression due ZLIB problems
> Sep 17 12:59:41 proxy /usr/sbin/opensips[8155]: INFO:tls_mgm:init_tls_dom: Processing TLS domain 'dom1'
> Sep 17 12:59:41 proxy /usr/sbin/opensips[8155]: NOTICE:tls_mgm:init_tls_dom: No EC curve defined
> Sep 17 12:59:41 proxy /usr/sbin/opensips[8155]: INFO:tls_mgm:get_ssl_ctx_verify_mode: client verification activated. Client certificates are mandatory.
> Sep 17 12:59:41 proxy /usr/sbin/opensips[8155]: NOTICE:tls_mgm:init_tls_dom: no crl for tls, using none
> Sep 17 12:59:41 proxy /usr/sbin/opensips[8155]: ERROR:tls_mgm:load_certificate: unable to load certificate file '/etc/letsencrypt/live/mydomain.co.uk/cert.pem'
> Sep 17 12:59:41 proxy /usr/sbin/opensips[8155]: ERROR:tls_mgm:init_tls_domains: Failed to init TLS domain 'dom1'
> Sep 17 12:59:41 proxy /usr/sbin/opensips[8155]: ERROR:core:init_mod: failed to initialize module tls_mgm
> Sep 17 12:59:41 proxy /usr/sbin/opensips[8155]: ERROR:core:main: error while initializing modules
> Sep 17 12:59:41 proxy /usr/sbin/opensips[8155]: INFO:core:cleanup: cleanup
> Sep 17 12:59:41 proxy /usr/sbin/opensips[8155]: NOTICE:core:main: Exiting
Re: [OpenSIPS-Users] tls error what does this mean
Hi, Alex!

Did you specify a certificate in your opensips configuration? Can you connect to OpenSIPS with openssl[1]?

[1] https://www.opensips.org/Documentation/Tutorials-TLS-2-1#toc13

Best regards,

Răzvan Crainea
OpenSIPS Solutions
www.opensips-solutions.com

On 05/12/2017 12:45 PM, Alexander Jankowsky wrote:

> Hello,
>
> I am trying to register a phone through tls into opensips 2.3 stable.
> I am stuck here...
>
> This is from the remote phone which has no certificate or key loaded at present.
>
> ERROR:proto_tls:tls_accept: New TLS connection from 111.111.111.111:1 failed to accept
> ERROR:proto_tls:tls_print_errstack: TLS errstack: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
> ERROR:proto_tls:tls_read_req: failed to do pre-tls reading
> INFO:core:probe_max_sock_buff: using snd buffer of 416 kb
>
> This is from the local phone which does have a certificate and its private key loaded.
>
> INFO:core:init_sock_keepalive: TCP keepalive enabled on socket 63
> ERROR:proto_tls:tls_accept: New TLS connection from 222.222.222.222:2 failed to accept
> ERROR:proto_tls:tls_print_errstack: TLS errstack: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
> ERROR:proto_tls:tls_read_req: failed to do pre-tls reading
> INFO:core:probe_max_sock_buff: using snd buffer of 416 kb
>
> Is it obvious what I should be doing here or what I should try next?
>
> Alex
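The two failures quoted in the message above carry different OpenSSL reason codes even though the text looks alike. The following is an added example, not part of the thread or of OpenSIPS: it pairs each failed accept with the errstack entry logged after it and unpacks the code, assuming the OpenSSL 1.0/1.1 layout (8-bit library, 12-bit function, 12-bit reason) and the line order shown in the quoted log.

```python
import re

# Log lines copied from the message above; the peer addresses are the poster's placeholders.
SAMPLE_LOG = """\
ERROR:proto_tls:tls_accept: New TLS connection from 111.111.111.111:1 failed to accept
ERROR:proto_tls:tls_print_errstack: TLS errstack: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
ERROR:proto_tls:tls_read_req: failed to do pre-tls reading
INFO:core:probe_max_sock_buff: using snd buffer of 416 kb
INFO:core:init_sock_keepalive: TCP keepalive enabled on socket 63
ERROR:proto_tls:tls_accept: New TLS connection from 222.222.222.222:2 failed to accept
ERROR:proto_tls:tls_print_errstack: TLS errstack: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
ERROR:proto_tls:tls_read_req: failed to do pre-tls reading
"""

ACCEPT_RE = re.compile(r"tls_accept: New TLS connection from (\S+) failed to accept")
ERRSTACK_RE = re.compile(
    r"TLS errstack: error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)$")


def decode_code(hex_code):
    """Unpack an OpenSSL 1.0/1.1 error code: 8-bit lib, 12-bit func, 12-bit reason."""
    value = int(hex_code, 16)
    return (value >> 24) & 0xFF, (value >> 12) & 0xFFF, value & 0xFFF


def parse_failures(log_text):
    """Attach each errstack entry to the failed accept logged just before it."""
    failures, current = [], None
    for line in log_text.splitlines():
        accept = ACCEPT_RE.search(line)
        if accept:
            current = {"peer": accept.group(1), "errors": []}
            failures.append(current)
            continue
        err = ERRSTACK_RE.search(line.rstrip())
        if err and current is not None:
            lib, func, reason = decode_code(err.group(1))
            current["errors"].append({
                "code": err.group(1).upper(), "lib": lib, "func": func,
                "reason": reason, "function": err.group(3),
                "reason_text": err.group(4),
            })
    return failures


if __name__ == "__main__":
    for failure in parse_failures(SAMPLE_LOG):
        for e in failure["errors"]:
            print(f'{failure["peer"]}: {e["function"]} reason {e["reason"]} '
                  f'({e["reason_text"]})')
```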
Re: [OpenSIPS-Users] TLS error opensips 2.3 on Debian 8
I moved tls_mgm module load to the beginning of the script, but the errors still happened...
Re: [OpenSIPS-Users] TLS error opensips 2.3 on Debian 8
Hello!

Can you try to load the tls_mgm module at the beginning of your script, before the db_postgres and siptrace modules?

PS: please subscribe to the opensips mailing lists, otherwise we might miss your sequential messages.

Best regards,

Răzvan Crainea
OpenSIPS Solutions
www.opensips-solutions.com

On 05/12/2017 11:18 AM, silent_dog wrote:

> Does anybody have an idea on this issue?
> At the beginning, it works well. However, after I added a trace module, the following errors happened.
>
> modparam("siptrace", "trace_id", "[db_tid]uri=postgres://opensips:opensips@172.22.253.42/opensips;table=sip_trace")
>
> ERROR:tls_mgm:mod_init: unable to set the memory allocation functions
> ERROR:tls_mgm:mod_init: NOTE: check if you are using openssl 1.0.1e-fips, (or other FIPS version of openssl, as this is known to be broken; if so, you need to upgrade or downgrade to a different openssl version!
> ERROR:tls_mgm:mod_init: current version: OpenSSL 1.0.1t 3 May 2016
> ERROR:core:init_mod: failed to initialize module tls_mgm
> ERROR:core:main: error while initializing modules
Re: [OpenSIPS-Users] TLS error opensips 2.3 on Debian 8
It looks like it conflicts with this line:

modparam("siptrace", "trace_id", "[db_tid]uri=postgres://opensips:opensips@172.22.253.42/opensips;table=sip_trace")

After I commented out this line, it works again.
Re: [OpenSIPS-Users] TLS Error
Hi Gary

The "TLS connection to 107.199.61.85:56437 read failed" error occurs when the device (Android & iOS) kills the application.

--
NguyenVD
Re: [OpenSIPS-Users] TLS Error
Gary,

Have you been able to take a look at the traffic to see what it is? I'm going to guess non-TLS OPTIONS pings. Try:

tcpdump -nlvs0 -i eth0 host 66.81.1.2 and port 7604

Substitute the correct interface if eth0 isn't valid for your case.

- Jeff

On Wed, Nov 12, 2014 at 3:48 PM, Gary Nyquist wrote:

> Hi,
>
> I am using "opensips 1.11.3-tls (x86_64/linux)" git revision: 7e5bbcf
> My log file is getting flooded with following errors.
>
> ERROR:core:_tls_read: SYSCALL error -> (0)
> ERROR:core:_tls_read: TLS connection to 66.81.1.2:7604 read failed
> ERROR:core:_tls_read: TLS read error: 5
> ERROR:core:tcp_read_req: failed to read
>
> Any clues?
>
> Best Regards,
> - Gary
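Once a capture like the one suggested above is in hand, the first bytes a peer sends on the TLS port show whether it is speaking TLS or plaintext SIP. The following is an added example, not from the thread: the function name, the sample payloads and their addresses are constructed for illustration.

```python
import struct

TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
SIP_METHODS = {b"OPTIONS", b"REGISTER", b"INVITE", b"ACK", b"BYE", b"CANCEL",
               b"SUBSCRIBE", b"NOTIFY", b"MESSAGE", b"INFO", b"UPDATE",
               b"PUBLISH", b"REFER", b"PRACK"}
MAX_TLS_RECORD = 2 ** 14 + 2048  # largest ciphertext record length TLS 1.2 allows


def classify_first_bytes(payload):
    """Classify the first client-to-server TCP payload seen on a SIP/TLS port."""
    if not payload:
        return {"kind": "empty"}
    if len(payload) >= 5:
        # TLS record header: content type, version major/minor, 16-bit length.
        ctype, major, minor, length = struct.unpack("!BBBH", payload[:5])
        if (ctype in TLS_CONTENT_TYPES and major == 3 and minor <= 4
                and length <= MAX_TLS_RECORD):
            return {"kind": "tls", "content_type": TLS_CONTENT_TYPES[ctype],
                    "record_version": (major, minor), "length": length}
    # Otherwise look for a SIP start line: "METHOD request-uri SIP/2.0".
    start_line = payload.split(b"\r\n", 1)[0]
    parts = start_line.split(b" ")
    if len(parts) == 3 and parts[2] == b"SIP/2.0" and parts[0] in SIP_METHODS:
        return {"kind": "sip-plaintext", "method": parts[0].decode(),
                "request_uri": parts[1].decode(errors="replace")}
    if start_line.startswith(b"SIP/2.0 "):
        return {"kind": "sip-plaintext", "method": None, "request_uri": None}
    return {"kind": "unknown", "first_bytes": payload[:8].hex()}


# Constructed samples: a TLS ClientHello record header followed by filler,
# and a plaintext OPTIONS ping (documentation-range addresses, made up).
CLIENT_HELLO = bytes.fromhex("1603010200") + b"\x01" + b"\x00" * 16
OPTIONS_PING = (b"OPTIONS sip:192.0.2.10:5061 SIP/2.0\r\n"
                b"Via: SIP/2.0/TCP 198.51.100.7:7604\r\n\r\n")

if __name__ == "__main__":
    for name, data in (("client hello", CLIENT_HELLO), ("options", OPTIONS_PING)):
        print(name, classify_first_bytes(data))
```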