Project

General

Profile

Let'sEncrypt SSL port 4443

Added by Mo Zoubi about 5 years ago

Hello,

I need some help to configure the /etc/kamailio/tls.cfg to read my Let'sEncrypt SSL certificate.

Right now, it works (but insecurely so only in Firefox since I can allow an exception for the self signed cert)
Here's the tls.cfg file:

[root@x32 ~]# sudo vi /etc/kamailio/tls.cfg
#
# $Id$
#
# Example Kamailio TLS Configuration File
#

# This is the default server domain, settings
# in this domain will be used for all incoming
# connections that do not match any other server
# domain in this configuration file.
#
# We do not enable anything else than TLSv1
# over the public internet. Clients do not have
# to present client certificates by default.
#
[server:default]
method = TLSv1
verify_certificate = no
require_certificate = no
private_key = /etc/pki/tls/private/localhost.key
certificate = /etc/pki/tls/certs/localhost.crt

#ca_list = /etc/letsencrypt/live/mysite.com/chain.pem
#ca_list = /etc/letsencrypt/live/mysite.com/fullchain.pem
#crl = ./modules/tls/crl.pem

# This is the default client domain, settings
# in this domain will be used for all outgoing
# TLS connections that do not match any other
# client domain in this configuration file.
# We require that servers present valid certificate.
#
[client:default]
verify_certificate = no
require_certificate = no

# This is an example server domain for TLS connections
# received from the loopback interface. We allow
# the use of SSLv2 and SSLv3 protocols here, we do
# not require that clients present client certificates
# but if they present it it must be valid. We also use
# a special certificate and CA list for loopback
# interface.
#
#[server:127.0.0.1:5061]
#method = SSLv23
#verify_certificate = yes
#require_certificate = no
#private_key = /etc/letsencrypt/live/mysite.com/privkey.pem
#certificate = /etc/letsencrypt/live/mysite.com/cert.pem
#verify_depth = 3
#ca_list = local_ca.pem
#crl = local_crl.pem

# Special settings for the iptel.org public SIP
# server. We do not verify the certificate of the
# server because it can be expired. The server
# implements authentication using SSL client
# certificates so configure the client certificate
# that was given to use by iptel.org staff here.

So, it's using a self signed certificate and not trusting the CA Authority on most browsers. I tried to edit it to the following:

[root@x32 ~]# sudo vi /etc/kamailio/tls.cfg
#
# $Id$
#
# Example Kamailio TLS Configuration File
#

# This is the default server domain, settings
# in this domain will be used for all incoming
# connections that do not match any other server
# domain in this configuration file.
#
# We do not enable anything else than TLSv1
# over the public internet. Clients do not have
# to present client certificates by default.
#
[server:default]
method = TLSv1
verify_certificate = no
require_certificate = no
private_key = /etc/letsencrypt/live/mysite.com/privkey.pem
certificate = /etc/letsencrypt/live/mysite.com/fullchain.pem

#ca_list = /etc/letsencrypt/live/mysite.com/chain.pem
#ca_list = /etc/letsencrypt/live/mysite.com/fullchain.pem
#crl = ./modules/tls/crl.pem

# This is the default client domain, settings
# in this domain will be used for all outgoing
# TLS connections that do not match any other
# client domain in this configuration file.
# We require that servers present valid certificate.
#
[client:default]
verify_certificate = no
require_certificate = no

# This is an example server domain for TLS connections
# received from the loopback interface. We allow
# the use of SSLv2 and SSLv3 protocols here, we do
# not require that clients present client certificates
# but if they present it it must be valid. We also use
# a special certificate and CA list for loopback
# interface.
#
#[server:127.0.0.1:5061]
#method = SSLv23
#verify_certificate = yes
#require_certificate = no
#private_key = /etc/letsencrypt/live/mysite.com/privkey.pem
#certificate = /etc/letsencrypt/live/mysite.com/cert.pem
#verify_depth = 3
#ca_list = local_ca.pem
#crl = local_crl.pem

# Special settings for the iptel.org public SIP
# server. We do not verify the certificate of the
# server because it can be expired. The server
# implements authentication using SSL client
# certificates so configure the client certificate
# that was given to use by iptel.org staff here.


However, once I restart Kamailio - it will fail. So, I revert back to the previous file (with the self signed cert) and GAD4 works fine.
HOW CAN I CONFIGURE TLS.CFG TO WORK WITH MY L/E CERT??

Replies (2)

RE: Let'sEncrypt SSL port 4443 - Added by Mo Zoubi about 5 years ago

Thank you for your reply.
However, I'm unable to replace localhost.crt with Let's Encrypt Certificate because the file extension is different. It's .PEM and not .CRT or .KEY

I tried to convert and replace using
openssl rsa -outform der -in privkey.pem -out localhost.key
and
openssl x509 -outform der -in fullchain.pem -out localhost.crt

but that does not work. I guess Let's Encrypt is not suitable for GAD4

    (1-2/2)
    Go to top