Re: [OpenSIPS-Users] Problems reloading TLS certs.

Mon, 24 Nov 2025 02:00:03 -0800 

Hi Ryan,

Thanks for the feedback here, I will take a look at the PR.

Regards,

Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
  https://www.opensips-solutions.com
  https://www.siphub.com

On 20.11.2025 21:36, Ryan Bullock wrote:

Hey Bogdan-Andrei,
Yeah, we have that patchset running on our 3.6 builds and it looks good. Tested concurrent reloads against concurrent inbound connections without issue.
Like I mentioned in the pull request, I don't have database provisioned tls domains to double check for regressions in that scenario. If someone using database base provisioning could try it out it would be great. Happy to fix any issues reported.
On Thu, Nov 20, 2025 at 2:29 AM Bogdan-Andrei Iancu <[email protected]> wrote: 

    Hi Ryan,

    Should I understand the version here
    https://github.com/OpenSIPS/opensips/pull/3760 is quite some
    final, working one ?

    Regards,

    Bogdan-Andrei Iancu

    OpenSIPS Founder and Developer
       https://www.opensips-solutions.com
       https://www.siphub.com

    On 15.11.2025 01:07, Ryan Bullock wrote:

    Initial testing looks ok. You can see the patchset here
    https://github.com/rrb3942/opensips/tree/tls_mgm_reload


    On Thu, Nov 13, 2025 at 3:56 PM Matthew Schumacher
    <[email protected]> wrote:

        That’s helpful.  If you message me the patch when you have
        it, I can help test.


        On Nov 13, 2025, at 9:39 AM, Ryan Bullock
        <[email protected]> wrote:

        
        Hey Matt,

        OpenSIPs currently only supports tls_reload for domains
        managed in a database. Coincidentally I started a patch set
        earlier this week to allow reloading the keys, certificates,
        etc for domains defined in the config script. No ETA on a
        pull request yet, it is still in testing mode.

        On Wed, Nov 12, 2025 at 10:00 PM Matthew Schumacher
        <[email protected]> wrote:

            Hello All,

            I have a 3.2 server where I can't reload certs.  Is this
            because I'm not
            storing the certs in a database?  How can I work around
            this? The server
            is never idle enough for me to restart and my cert
            expires in a few
            days.  Am I forced to kick people off to restart? Also,
            is there a way
            to tell opensips to not accept any new calls? I'm not
            sure how much that
            will help, but it would be good to know.

            Thanks!


            root@sbc:/etc/opensips# opensips-cli -f
            /etc/opensips/opensips-cli.cfg
            -x mi tls_reload
            ERROR: command 'tls_reload' returned: 500: DB url not set

            root@sbc:/etc/opensips# opensips-cli -f
            /etc/opensips/opensips-cli.cfg
            -x mi tls_list
            {
                 "Domains": [
                     {
                         "name": "client",
                         "type": "TLS_DOMAIN_CLI",
                         "IP ADDRESS FILTERS": [
                             "*"
                         ],
                         "SIP DOMAIN FILTERS": [
                             "*"
                         ],
                         "METHOD": "TLSv1_2",
                         "VERIFY_CERT": true,
                         "REQ_CLI_CERT": false,
                         "CRL_CHECKALL": false,
                         "CERT_FILE":
            "/etc/ssl/certs/siptrunk_domain_net.crt",
                         "CRL_DIR": "",
                         "CA_FILE":
            "/etc/ssl/certs/ca-certificates.crt",
                         "CA_DIR": "/etc/pki/CA/",
                         "PKEY_FILE":
            "/etc/ssl/certs/siptrunk_domain_net.key",
                         "CIPHER_LIST": "",
                         "DH_PARAMS_FILE": "",
                         "EC_CURVE": ""
                     },
                     {
                         "name": "server",
                         "type": "TLS_DOMAIN_SRV",
                         "IP ADDRESS FILTERS": [
                             "x.x.x.x:5061",
                             "y.y.y.y:5061"
                         ],
                         "SIP DOMAIN FILTERS": [
                             "*"
                         ],
                         "METHOD": "TLSv1_2",
                         "VERIFY_CERT": false,
                         "REQ_CLI_CERT": true,
                         "CRL_CHECKALL": false,
                         "CERT_FILE":
            "/etc/ssl/certs/siptrunk_domain_net.crt",
                         "CRL_DIR": "",
                         "CA_FILE":
            "/etc/ssl/certs/ca-certificates.crt",
                         "CA_DIR": "/etc/pki/CA/",
                         "PKEY_FILE":
            "/etc/ssl/certs/siptrunk_domain_net.key",
                         "CIPHER_LIST": "ALL:!aNULL:!eNULL:!MD5:!RC4",
                         "DH_PARAMS_FILE": "",
                         "EC_CURVE": ""
                     }
                 ]
            }

            _______________________________________________
            Users mailing list
            [email protected]
            http://lists.opensips.org/cgi-bin/mailman/listinfo/users

        _______________________________________________
        Users mailing list
        [email protected]
        http://lists.opensips.org/cgi-bin/mailman/listinfo/users

        _______________________________________________
        Users mailing list
        [email protected]
        http://lists.opensips.org/cgi-bin/mailman/listinfo/users


    _______________________________________________
    Users mailing list
    [email protected]
    http://lists.opensips.org/cgi-bin/mailman/listinfo/users



_______________________________________________
Users mailing list
[email protected]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users

Reply via email to