That certificate should already be present under the OS's trusted certificates directory (Debian and Ubuntu certs are stored under /etc/ssl/certs), maybe under a different name, and is required for the remote endpoint's certificate validation. One can load a particular certificate or a list of certificates. Multiple certificates can be concatenated into one single file, as stated in the documentation:
https://kamailio.org/docs/modules/devel/modules/tls.html#tls.p.ca_list

Hope this helps a little bit in understanding the ca_list param.
Regards,
Ovidiu Sas

On Thu, Jan 7, 2021 at 8:10 AM <rob.van.den.b...@gmail.com> wrote:
>
> I used this tls.cfg
>
> Use bc2025.pem as extra, Microsoft needs this…
>
> And works fine on different Kamailio-msteams sbcs
>
> [server:default]
> method = TLSv1.2+
> verify_certificate = yes
> require_certificate = yes
> private_key = /etc/letsencrypt/live/sbc.combivoipdom.nl-0001/privkey.pem
> certificate = /etc/letsencrypt/live/sbc.combivoipdom.nl-0001/fullchain.pem
> ca_list = /etc/letsencrypt/live/sbc.combivoipdom.nl-0001/bc2025.pem
> server_name = sbc.combivoipdom.nl
>
> [client:default]
> method = TLSv1.2+
> verify_certificate = yes
> require_certificate = yes
> private_key = /etc/letsencrypt/live/sbc.combivoipdom.nl-0001/privkey.pem
> certificate = /etc/letsencrypt/live/sbc.combivoipdom.nl-0001/fullchain.pem
> ca_list = /etc/letsencrypt/live/sbc.combivoipdom.nl-0001/bc2025.pem
>
> Cheers Rob
>
> From: sr-users <sr-users-boun...@lists.kamailio.org> On Behalf Of Daniel-Constantin Mierla
> Sent: Thursday, 7 January 2021 08:53
> To: Kamailio (SER) - Users Mailing List <sr-users@lists.kamailio.org>; Willy Valles Rios <willyvalle...@gmail.com>
> CC: Carlos Mestanza T. <mestac...@gmail.com>
> Subject: Re: [SR-Users] Problems establishing SIP signaling between MsTeams and Kamailio
>
> Does this happen when Kamailio connects to MS Teams? The logs indicate the received TLS certificate is not trusted:
>
> Jan 6 15:13:55 Kamailio-Server /usr/sbin/kamailio[32425]: ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS write:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
>
> You can set debug=3 in kamailio.cfg and see if the DEBUG messages provide more hints. For me it worked fine with Letsencrypt certs in Kamailio and accepting whatever MS sent back. I used Debian 10 and libssl 1.1.
>
> Cheers,
> Daniel
>
> On 06.01.21 21:47, Willy Valles Rios wrote:
>
> Hello community,
>
> I am having trouble establishing SIP signaling between MsTeams and Kamailio. I currently have this configuration in my tls.cfg file
>
> [server:default]
> method = TLSv1.2+
> verify_certificate = yes
> require_certificate = yes
> private_key = /etc/kamailio/certificates/private-key.pem
> certificate = /etc/kamailio/certificates/certificate.pem
>
> [client:default]
> method = TLSv1.2+
> verify_certificate = yes
> require_certificate = yes
> private_key = /etc/kamailio/certificates/private-key.pem
> certificate = /etc/kamailio/certificates/certificate.pem
>
> My domain was certified with ssl through an authoritative certifier (GoDaddy), however I see these errors in the /var/log/messages of the Kamailio server.
>
> Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls [tls_mod.c:389]: mod_init(): With ECDH-Support!
> Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls [tls_mod.c:392]: mod_init(): With Diffie Hellman
> Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls [tls_init.c:722]: tls_h_mod_init_f(): compiled with openssl version "OpenSSL 1.0.2k-fips 26 Jan 2017" (0x100020bf), kerberos support: on, compression: on
> Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls [tls_init.c:730]: tls_h_mod_init_f(): installed openssl library version "OpenSSL 1.0.2k-fips 26 Jan 2017" (0x100020bf), kerberos support: on, zlib compression: on#012 compiler: gcc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
> Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: WARNING: tls [tls_init.c:787]: tls_h_mod_init_f(): openssl bug #1491 (crash/mem leaks on low memory) workaround enabled (on low memory tls operations will fail preemptively) with free memory thresholds 13107200 and 6553600 bytes
> Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: [core/cfg/cfg_ctx.c:598]: cfg_set_now(): tls.low_mem_threshold1 has been changed to 13107200
> Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: [core/cfg/cfg_ctx.c:598]: cfg_set_now(): tls.low_mem_threshold2 has been changed to 6553600
> Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: [main.c:2834]: main(): processes (at least): 25 - shm size: 67108864 - pkg size: 4194304
> Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: [core/udp_server.c:154]: probe_max_receive_buffer(): SO_RCVBUF is initially 212992
> Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: [core/udp_server.c:206]: probe_max_receive_buffer(): SO_RCVBUF is finally 425984
> Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls [tls_domain.c:305]: ksr_tls_fill_missing(): TLSs: tls_method=22
> Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls [tls_domain.c:317]: ksr_tls_fill_missing(): TLSs: certificate='/etc/kamailio/certificados/certificate.pem'
> Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls [tls_domain.c:324]: ksr_tls_fill_missing(): TLSs: ca_list='(null)'
> Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls [tls_domain.c:331]: ksr_tls_fill_missing(): TLSs: crl='(null)'
> Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls [tls_domain.c:335]: ksr_tls_fill_missing(): TLSs: require_certificate=1
> Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls [tls_domain.c:342]: ksr_tls_fill_missing(): TLSs: cipher_list='(null)'
> Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls [tls_domain.c:349]: ksr_tls_fill_missing(): TLSs: private_key='/etc/kamailio/certificados/private-key.pem'
> Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls [tls_domain.c:353]: ksr_tls_fill_missing(): TLSs: verify_certificate=1
> Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls [tls_domain.c:356]: ksr_tls_fill_missing(): TLSs: verify_depth=9
> Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls [tls_domain.c:359]: ksr_tls_fill_missing(): TLSs: verify_client=0
> Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: NOTICE: tls [tls_domain.c:1107]: ksr_tls_fix_domain(): registered server_name callback handler for socket [:0], server_name='' ...
> Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls [tls_domain.c:697]: set_verification(): TLSs: Client MUST present valid certificate
> Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls [tls_domain.c:305]: ksr_tls_fill_missing(): TLSc: tls_method=22
> Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls [tls_domain.c:317]: ksr_tls_fill_missing(): TLSc: certificate='/etc/kamailio/certificados/certificate.pem'
> Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls [tls_domain.c:324]: ksr_tls_fill_missing(): TLSc: ca_list='(null)'
> Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls [tls_domain.c:331]: ksr_tls_fill_missing(): TLSc: crl='(null)'
> Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls [tls_domain.c:335]: ksr_tls_fill_missing(): TLSc: require_certificate=1
> Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls [tls_domain.c:342]: ksr_tls_fill_missing(): TLSc: cipher_list='(null)'
> Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls [tls_domain.c:349]: ksr_tls_fill_missing(): TLSc: private_key='/etc/kamailio/certificados/private-key.pem'
> Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls [tls_domain.c:353]: ksr_tls_fill_missing(): TLSc: verify_certificate=1
> Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls [tls_domain.c:356]: ksr_tls_fill_missing(): TLSc: verify_depth=9
> Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls [tls_domain.c:359]: ksr_tls_fill_missing(): TLSc: verify_client=0
> Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls [tls_domain.c:697]: set_verification(): TLSc: Server MUST present valid certificate
> Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32422]: INFO: jsonrpcs [jsonrpcs_sock.c:443]: jsonrpc_dgram_process(): a new child 0/32422
> Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32424]: INFO: ctl [io_listener.c:214]: io_listen_loop(): io_listen_loop: using epoll_lt io watch method (config)
> Jan 6 15:13:55 Kamailio-Server /usr/sbin/kamailio[32425]: ERROR: tls [tls_server.c:1283]: tls_h_read_f(): protocol level error
> Jan 6 15:13:55 Kamailio-Server /usr/sbin/kamailio[32425]: ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS write:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
> Jan 6 15:13:55 Kamailio-Server /usr/sbin/kamailio[32425]: ERROR: tls [tls_server.c:1287]: tls_h_read_f(): source IP: 52.114.75.24
> Jan 6 15:13:55 Kamailio-Server /usr/sbin/kamailio[32425]: ERROR: tls [tls_server.c:1290]: tls_h_read_f(): destination IP: 161.35.44.66
> Jan 6 15:13:55 Kamailio-Server /usr/sbin/kamailio[32425]: ERROR: [core/tcp_read.c:1493]: tcp_read_req(): ERROR: tcp_read_req: error reading - c: 0x7f45242be028 r: 0x7f45242be150 (-1)
> Jan 6 15:13:55 Kamailio-Server /usr/sbin/kamailio[32426]: ERROR: tls [tls_server.c:1283]: tls_h_read_f(): protocol level error
> Jan 6 15:13:55 Kamailio-Server /usr/sbin/kamailio[32426]: ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS write:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
> Jan 6 15:13:55 Kamailio-Server /usr/sbin/kamailio[32426]: ERROR: tls [tls_server.c:1287]: tls_h_read_f(): source IP: 52.114.132.46
> Jan 6 15:13:55 Kamailio-Server /usr/sbin/kamailio[32426]: ERROR: tls [tls_server.c:1290]: tls_h_read_f(): destination IP: 161.35.44.66
> Jan 6 15:13:55 Kamailio-Server /usr/sbin/kamailio[32426]: ERROR: [core/tcp_read.c:1493]: tcp_read_req(): ERROR: tcp_read_req: error reading - c: 0x7f45242d9278 r: 0x7f45242d93a0 (-1)
> Jan 6 15:13:55 Kamailio-Server /usr/sbin/kamailio[32427]: ERROR: tls [tls_server.c:1283]: tls_h_read_f(): protocol level error
> Jan 6 15:13:55 Kamailio-Server /usr/sbin/kamailio[32427]: ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS write:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
> Jan 6 15:13:55 Kamailio-Server /usr/sbin/kamailio[32427]: ERROR: tls [tls_server.c:1287]: tls_h_read_f(): source IP: 52.114.14.70
> Jan 6 15:13:55 Kamailio-Server /usr/sbin/kamailio[32427]: ERROR: tls [tls_server.c:1290]: tls_h_read_f(): destination IP: 161.35.44.66
> Jan 6 15:13:55 Kamailio-Server /usr/sbin/kamailio[32427]: ERROR: [core/tcp_read.c:1493]: tcp_read_req(): ERROR: tcp_read_req: error reading - c: 0x7f45242be028 r: 0x7f45242be150 (-1)
>
> Could you help me identify the problem, please?
>
> Cheers
>
> Best regards
>
> --
> Willy Valles Rios
> Unified Communications Specialist
>
> phone: +51955747343
> em@il: willyvalle...@gmail.com
>
> _______________________________________________
> Kamailio (SER) - Users Mailing List
> sr-users@lists.kamailio.org
> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>
> --
> Daniel-Constantin Mierla -- www.asipto.com
> www.twitter.com/miconda -- www.linkedin.com/in/miconda
> Funding: https://www.paypal.me/dcmierla

--
VoIP Embedded, Inc.
http://www.voipembedded.com
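
Added example (not part of the thread and not Kamailio code): a small Python check over the tls module's startup lines that flags any TLS domain logging verify_certificate=1 together with ca_list='(null)', the combination visible in the log quoted above ahead of the "certificate verify failed" errors. The sample lines are taken from that log with the mail wrapping removed; the function and variable names are this example's own.

```python
import re
from collections import defaultdict

# Per-domain settings the tls module logs at startup, e.g.
#   ksr_tls_fill_missing(): TLSc: ca_list='(null)'
SETTING = re.compile(r"ksr_tls_fill_missing\(\): (TLS[sc]): (\w+)=(.*)$")
VERIFY_FAILED = "certificate verify failed"
PREFIX = "Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls "

# Sample input: lines from the log in the thread, one entry per line.
SAMPLE_LOG = [
    PREFIX + "[tls_domain.c:324]: ksr_tls_fill_missing(): TLSs: ca_list='(null)'",
    PREFIX + "[tls_domain.c:353]: ksr_tls_fill_missing(): TLSs: verify_certificate=1",
    PREFIX + "[tls_domain.c:324]: ksr_tls_fill_missing(): TLSc: ca_list='(null)'",
    PREFIX + "[tls_domain.c:353]: ksr_tls_fill_missing(): TLSc: verify_certificate=1",
    "Jan 6 15:13:55 Kamailio-Server /usr/sbin/kamailio[32425]: ERROR: tls "
    "[tls_util.h:42]: tls_err_ret(): TLS write:error:14090086:SSL "
    "routines:ssl3_get_server_certificate:certificate verify failed",
]

def parse_domains(lines):
    """Return {"TLSs": {...}, "TLSc": {...}} holding the logged settings."""
    domains = defaultdict(dict)
    for line in lines:
        m = SETTING.search(line.rstrip())
        if m:
            domain, key, value = m.groups()
            domains[domain][key] = value.strip("'")
    return dict(domains)

def audit(lines):
    """Flag domains that verify peers with no CA list; count verify failures."""
    findings = []
    for domain, cfg in sorted(parse_domains(lines).items()):
        verifies = cfg.get("verify_certificate") == "1"
        ca_unset = cfg.get("ca_list", "(null)") == "(null)"
        if verifies and ca_unset:
            findings.append(f"{domain}: verify_certificate=1 but ca_list is unset")
    failures = sum(VERIFY_FAILED in line for line in lines)
    return findings, failures

if __name__ == "__main__":
    findings, failures = audit(SAMPLE_LOG)
    for finding in findings:
        print("WARN", finding)
    print(f"{failures} 'certificate verify failed' line(s)")
```

TLSs is the server domain and TLSc the client domain, matching the [server:default] and [client:default] sections of tls.cfg.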