Let's Encrypt SSL port 4443

Added by Mo Zoubi 19 days ago

Hello,

I need some help configuring /etc/kamailio/tls.cfg to read my Let's Encrypt SSL certificate.

Right now it works (but insecurely, and only in Firefox, since I can allow an exception for the self-signed cert).
Here's the tls.cfg file:

[root@x32 ~]# sudo vi /etc/kamailio/tls.cfg
#
# $Id$
#
# Example Kamailio TLS Configuration File
#

# This is the default server domain, settings
# in this domain will be used for all incoming
# connections that do not match any other server
# domain in this configuration file.
#
# We do not enable anything else than TLSv1
# over the public internet. Clients do not have
# to present client certificates by default.
#
[server:default]
method = TLSv1
verify_certificate = no
require_certificate = no
private_key = /etc/pki/tls/private/localhost.key
certificate = /etc/pki/tls/certs/localhost.crt

#ca_list = /etc/letsencrypt/live/mysite.com/chain.pem
#ca_list = /etc/letsencrypt/live/mysite.com/fullchain.pem
#crl = ./modules/tls/crl.pem

# This is the default client domain, settings
# in this domain will be used for all outgoing
# TLS connections that do not match any other
# client domain in this configuration file.
# We require that servers present valid certificate.
#
[client:default]
verify_certificate = no
require_certificate = no

# This is an example server domain for TLS connections
# received from the loopback interface. We allow
# the use of SSLv2 and SSLv3 protocols here, we do
# not require that clients present client certificates
# but if they present it it must be valid. We also use
# a special certificate and CA list for loopback
# interface.
#
#[server:127.0.0.1:5061]
#method = SSLv23
#verify_certificate = yes
#require_certificate = no
#private_key = /etc/letsencrypt/live/mysite.com/privkey.pem
#certificate = /etc/letsencrypt/live/mysite.com/cert.pem
#verify_depth = 3
#ca_list = local_ca.pem
#crl = local_crl.pem

# Special settings for the iptel.org public SIP
# server. We do not verify the certificate of the
# server because it can be expired. The server
# implements authentication using SSL client
# certificates so configure the client certificate
# that was given to use by iptel.org staff here.

So it's using a self-signed certificate, which most browsers do not trust. I tried editing it to the following:

[root@x32 ~]# sudo vi /etc/kamailio/tls.cfg
#
# $Id$
#
# Example Kamailio TLS Configuration File
#

# This is the default server domain, settings
# in this domain will be used for all incoming
# connections that do not match any other server
# domain in this configuration file.
#
# We do not enable anything else than TLSv1
# over the public internet. Clients do not have
# to present client certificates by default.
#
[server:default]
method = TLSv1
verify_certificate = no
require_certificate = no
private_key = /etc/letsencrypt/live/mysite.com/privkey.pem
certificate = /etc/letsencrypt/live/mysite.com/fullchain.pem

#ca_list = /etc/letsencrypt/live/mysite.com/chain.pem
#ca_list = /etc/letsencrypt/live/mysite.com/fullchain.pem
#crl = ./modules/tls/crl.pem

# This is the default client domain, settings
# in this domain will be used for all outgoing
# TLS connections that do not match any other
# client domain in this configuration file.
# We require that servers present valid certificate.
#
[client:default]
verify_certificate = no
require_certificate = no

# This is an example server domain for TLS connections
# received from the loopback interface. We allow
# the use of SSLv2 and SSLv3 protocols here, we do
# not require that clients present client certificates
# but if they present it it must be valid. We also use
# a special certificate and CA list for loopback
# interface.
#
#[server:127.0.0.1:5061]
#method = SSLv23
#verify_certificate = yes
#require_certificate = no
#private_key = /etc/letsencrypt/live/mysite.com/privkey.pem
#certificate = /etc/letsencrypt/live/mysite.com/cert.pem
#verify_depth = 3
#ca_list = local_ca.pem
#crl = local_crl.pem

# Special settings for the iptel.org public SIP
# server. We do not verify the certificate of the
# server because it can be expired. The server
# implements authentication using SSL client
# certificates so configure the client certificate
# that was given to use by iptel.org staff here.


However, once I restart Kamailio, it fails. So I revert to the previous file (with the self-signed cert) and GAD4 works fine.
How can I configure tls.cfg to work with my L/E cert??

Replies (2)

RE: Let's Encrypt SSL port 4443 - Added by Mo Zoubi 17 days ago

Thank you for your reply.
However, I'm unable to replace localhost.crt with the Let's Encrypt certificate because the file extension is different: it's .pem and not .crt or .key.

I tried to convert and replace them using
openssl rsa -outform der -in privkey.pem -out localhost.key
and
openssl x509 -outform der -in fullchain.pem -out localhost.crt

but that does not work. I guess Let's Encrypt is not suitable for GAD4.
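The original question (pointing [server:default] at the Let's Encrypt files and finding Kamailio no longer starts) and the follow-up (converting privkey.pem and fullchain.pem to DER with "-outform der") both come down to the same pre-flight checks: the files must be PEM regardless of extension, the private key must match the certificate, and the files must be readable by the account Kamailio actually runs as, not just by root (certbot by default keeps /etc/letsencrypt/live and /etc/letsencrypt/archive readable only by root, which is a common reason a restart with the new paths fails). The script below is an added example; it is not from the thread, from GAD4 or from the Kamailio project. It assumes a certbot-style live directory, a runtime user given in TLS_USER (a stand-in for the real "kamailio" account), and the Kamailio tls module's PEM loading and "TLSv1.2+" method name (available in recent releases). It generates a throwaway self-signed key and certificate in a temporary directory so it runs offline; on a real host you would point LIVE at the real directory and TLS_USER at the real user.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight checks before pointing
# Kamailio's tls.cfg at Let's Encrypt material. Paths and the user name are
# assumptions; the key and cert are generated here so the script runs offline.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
LIVE="$WORK/live/mysite.com"          # stands in for /etc/letsencrypt/live/mysite.com
TLS_USER="${TLS_USER:-$(id -un)}"     # the account Kamailio runs as, normally "kamailio"

# Lay out a throwaway key/cert the way certbot does (privkey.pem, cert.pem,
# fullchain.pem), plus a DER copy like the one "openssl x509 -outform der" makes.
make_fixture() {
    mkdir -p "$LIVE"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=mysite.com" \
        -keyout "$LIVE/privkey.pem" -out "$LIVE/cert.pem" 2>/dev/null
    cp "$LIVE/cert.pem" "$LIVE/fullchain.pem"   # self-signed: no intermediate to append
    openssl x509 -in "$LIVE/cert.pem" -outform der -out "$WORK/localhost.crt"
}

# The tls module reads PEM; the file extension is irrelevant. A DER file is
# binary and has no "-----BEGIN" header, the usual sign of a bad conversion.
is_pem() {  # $1 = file
    grep -q -- '-----BEGIN' "$1"
}

# Compare SHA-256 of the key's public half with the public key inside the cert.
# A mismatch (e.g. privkey.pem from one renewal, cert from another) aborts startup.
key_matches_cert() {  # $1 = private key, $2 = certificate
    k=$(openssl pkey -in "$1" -pubout -outform der | openssl dgst -sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# certbot keeps live/ and archive/ readable by root only; Kamailio drops to
# its own user, so root being able to open the file proves nothing.
readable_by() {  # $1 = user, $2 = file
    if [ "$1" = "$(id -un)" ]; then
        test -r "$2"
    else
        sudo -n -u "$1" test -r "$2"  # -n: fail instead of prompting
    fi
}

# All checks the server domain needs; succeeds only if every one passes.
check_tls_material() {  # $1 = key, $2 = cert chain, $3 = runtime user
    is_pem "$1" && is_pem "$2" && key_matches_cert "$1" "$2" \
        && readable_by "$3" "$1" && readable_by "$3" "$2"
}

# The [server:default] block to put in tls.cfg once the checks pass.
# fullchain.pem carries the intermediate so clients can build the chain;
# TLSv1.2+ replaces the example file's TLSv1 (needs a Kamailio release that
# accepts that method name).
render_server_domain() {  # $1 = live directory
    cat <<EOF
[server:default]
method = TLSv1.2+
verify_certificate = no
require_certificate = no
private_key = $1/privkey.pem
certificate = $1/fullchain.pem
EOF
}

make_fixture
if check_tls_material "$LIVE/privkey.pem" "$LIVE/fullchain.pem" "$TLS_USER"; then
    render_server_domain "$LIVE"
else
    echo "TLS material not usable by $TLS_USER; fix that before editing tls.cfg" >&2
fi
```

If the readability check is the one that fails on a real host, the usual fixes are a group-readable copy of the two files in a directory Kamailio owns, refreshed by a certbot deploy hook, rather than loosening permissions on /etc/letsencrypt itself.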
