[OpenSIPS-Users] Using LetsEncrypt certs with v2.4

John Quick john.quick at smartvox.co.uk
Wed Aug 1 11:55:13 EDT 2018


Hi Bogdan,

Thanks for your response to my earlier query.
I’m now trying to convert from modparam based definitions to provisioning
certs from the DB.
I cannot find a published example of a populated DB record in the tls_mgm
table.
Furthermore, the online documentation has gaps regarding DB Provisioning and
it also contains this error:
Section 1.7.14 describes a parameter db_mode, but if you try adding this it
generates an error "parameter <db_mode> not found in module"

Can you please help with an example record or at least answer these
questions:
a) What to put in the 'domain' field if I only want to set up one default
domain. Should it be "default"?
b) What are the following fields. I am not sure what they should contain:
'address', 'type', 'crl_check_all', 'crl_dir'
c) How does provisioning from DB interact with provisioning from static
modparam values?
I got errors when I commented out modparam statements for "certificate" and
"private_key" because the module was still looking for the "default" files,
even though I am now provisioning from the DB. This means there is now
ambiguity - certificates are defined both in files in modparam and also in
blob fields in the DB.

I assume the blob fields 'certificate', 'private_key' and 'ca_list' must
contain the contents of the certificate, not the path to the file.
This means I'll need to write a script to copy these data from the renewed
LetsEncrypt certificates before issuing the MI reload command.

By the way, the online module documentation for tls_mgm has a duplicate
section - 1.7.18 is same as 1.7.19

John Quick
Smartvox Limited
      

> Bogdan-Andrei Iancu bogdan at opensips.org 
> Thu Jul 26 07:56:18 EDT 2018
> Hi John, When the cert is configured via modparam, the cert is loaded on
> startup by OpenSIPS, so any renewal of the cert will have 0 impact on
> OpenSIPS - so you will have to restart after each renewal.
> I suggest you to provision the certs via DB (and not script), so you can
> do a reload after renewal, with any need to restart opensips.
> Regards, Bogdan-Andrei Iancu
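
A sketch of the copy step described in the message above, added here as an example; it is not code from the post or from the OpenSIPS project. It assumes, as the post does, that the 'certificate' and 'private_key' blob fields hold PEM contents rather than file paths. SQLite stands in for the real database, the table is reduced to columns named in the post, and the domain value and PEM bodies are constructed placeholders.

```python
import re
import sqlite3

# Matches one well-formed PEM block and captures its label.
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n[A-Za-z0-9+/=\r\n]+-----END \1-----")

# Constructed placeholder bodies: valid PEM framing, not real key material.
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nU0FNUExFS0VZ\n-----END PRIVATE KEY-----\n"


def pem_labels(text):
    """Return the labels of every well-formed PEM block found in text."""
    return PEM_RE.findall(text)


def sync_tls_row(conn, domain, cert_pem, key_pem):
    """Write renewed PEM contents into tls_mgm; True means a reload is needed."""
    cert_labels, key_labels = pem_labels(cert_pem), pem_labels(key_pem)
    if "CERTIFICATE" not in cert_labels:
        raise ValueError("certificate input holds no PEM certificate")
    if any(l.endswith("PRIVATE KEY") for l in cert_labels):
        raise ValueError("certificate input contains a private key")
    if not any(l.endswith("PRIVATE KEY") for l in key_labels):
        raise ValueError("key input holds no PEM private key")
    row = conn.execute(
        "SELECT certificate, private_key FROM tls_mgm WHERE domain = ?",
        (domain,)).fetchone()
    if row is None:
        raise LookupError("no tls_mgm row for domain %r" % domain)
    new = (cert_pem.encode(), key_pem.encode())
    if (row[0], row[1]) == new:
        return False  # unchanged since last run: skip the MI reload
    with conn:  # commit both blobs together, roll back on error
        conn.execute(
            "UPDATE tls_mgm SET certificate = ?, private_key = ? WHERE domain = ?",
            (*new, domain))
    return True


def make_demo_db(domain):
    """In-memory stand-in holding only the columns named in the post."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tls_mgm (domain TEXT, certificate BLOB, "
                 "private_key BLOB, ca_list BLOB)")
    conn.execute("INSERT INTO tls_mgm (domain) VALUES (?)", (domain,))
    conn.commit()
    return conn
```

A renewal hook would read the renewed certificate and key files, call `sync_tls_row`, and issue the MI reload command only when it returns True. The checks reject a file path passed in place of file contents and a key placed in the certificate column.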



