[OpenSIPS-Users] Using LetsEncrypt certs with v2.4

Vlad Patrascu vladp at opensips.org
Tue Aug 7 07:55:41 EDT 2018


Hi John,

You are probably looking over the documentation for the wrong OpenSIPS 
version. The issues that you've mentioned appear in the 2.2 docs.

The 2.4 docs should mostly cover your questions, but nevertheless:

a) The domain field is only an identifier for the virtual TLS domain, 
but for default domains, indeed there is a special value, 'default'.

b) * address - same meaning as the IP:port part of the 'server_domain'
     parameter

   * type - TLS client (1) or server (2) domain, and 0 for defining both
     a client and server default domain with the same attributes

   * crl_check_all - check all files in the 'crl_dir'

   * crl_dir - path to directory containing Certificate Revocation Lists

c) Both DB and script domains can be defined at the same time, but they 
should be seen as different sets of domains, so you should set a 
modparam only for a script defined domain.

The blob database fields indeed should contain the contents of the 
certificates.

Regards,

Vlad Patrascu
OpenSIPS Developer
http://www.opensips-solutions.com

On 08/01/2018 06:55 PM, John Quick wrote:
> Hi Bogdan,
>
> Thanks for your response to my earlier query.
> I’m now trying to convert from modparam based definitions to provisioning
> certs from the DB.
> I cannot find a published example of a populated DB record in the tls_mgm
> table.
> Furthermore, the online documentation has gaps regarding DB Provisioning and
> it also contains this error:
> Section 1.7.14 describes a parameter db_mode, but if you try adding this it
> generates an error "parameter <db_mode> not found in module"
>
> Can you please help with an example record or at least answer these
> questions:
> a) What to put in the 'domain' field if I only want to set up one default
> domain. Should it be "default"?
> b) What are the following fields. I am not sure what they should contain:
> 'address', 'type', 'crl_check_all', 'crl_dir'
> c) How does provisioning from DB interact with provisioning from static
> modparam values?
> I got errors when I commented out modparam statements for "certificate" and
> "private_key" because the module was still looking for the "default" files,
> even though I am now provisioning from the DB. This means there is now
> ambiguity - certificates are defined both in files in modparam and also in
> blob fields in the DB.
>
> I assume the blob fields 'certificate', 'private_key' and 'ca_list' must
> contain the contents of the certificate, not the path to the file.
> This means I'll need to write a script to copy these data from the renewed
> LetsEncrypt certificates before issuing the MI reload command.
>
> By the way, the online module documentation for tls_mgm has a duplicate
> section - 1.7.18 is the same as 1.7.19
>
> John Quick
> Smartvox Limited
>        
>
>> Bogdan-Andrei Iancu bogdan at opensips.org
>> Thu Jul 26 07:56:18 EDT 2018
>>
>> Hi John,
>>
>> When the cert is configured via modparam, the cert is loaded on
>> startup by OpenSIPS, so any renewal of the cert will have 0 impact on
>> OpenSIPS - so you will have to restart after each renewal.
>>
>> I suggest you to provision the certs via DB (and not script), so you can
>> do a reload after renewal, with any need to restart opensips.
>>
>> Regards, Bogdan-Andrei Iancu
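The renewal step discussed in this thread (copying the contents of the renewed certificate files into the tls_mgm blob fields before a reload) can be guarded as in the following added example, which is not part of the original thread or of OpenSIPS. It assumes an in-memory SQLite table as a stand-in holding only the blob columns named above; the function names are hypothetical and the sample PEM data is constructed.

```python
import re
import sqlite3
import ssl

# PEM block types accepted for each tls_mgm blob column named in the thread.
EXPECTED = {
    "certificate": {"CERTIFICATE"},
    "private_key": {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"},
    "ca_list": {"CERTIFICATE"},
}
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z ]+)-----\r?\n[A-Za-z0-9+/=\r\n]+-----END \1-----")

def check_blob(column, data):
    """Return data unchanged if it is PEM contents of the right kind for column."""
    if column not in EXPECTED:
        raise ValueError(f"{column}: not a certificate blob column")
    labels = {m.group(1).decode() for m in PEM_BLOCK.finditer(data)}
    if not labels:
        raise ValueError(f"{column}: no PEM block (a file path instead of contents?)")
    if not labels <= EXPECTED[column]:
        raise ValueError(f"{column}: unexpected PEM block type {sorted(labels)}")
    return data

def key_matches_cert(cert_path, key_path):
    """True if OpenSSL loads the pair; load_cert_chain rejects a key that does not match."""
    try:
        ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).load_cert_chain(cert_path, key_path)
        return True
    except (ssl.SSLError, OSError):
        return False

def update_domain(db, domain, blobs):
    """Store validated PEM contents in one tls_mgm row; return the number of rows changed."""
    checked = {col: check_blob(col, data) for col, data in blobs.items()}
    assignments = ", ".join(f"{col} = ?" for col in checked)  # names vetted by check_blob
    with db:  # one transaction: commit on success, roll back on any error
        cur = db.execute(f"UPDATE tls_mgm SET {assignments} WHERE domain = ?",
                         (*checked.values(), domain))
    return cur.rowcount

# Constructed sample input: PEM framing only, not a real certificate or key.
SAMPLE_CERT = b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = b"-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n"

def demo():
    """Run the update against an in-memory SQLite stand-in holding only the blob columns."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tls_mgm (domain TEXT, certificate BLOB, private_key BLOB, ca_list BLOB)")
    db.execute("INSERT INTO tls_mgm (domain) VALUES ('default')")
    changed = update_domain(db, "default", {"certificate": SAMPLE_CERT, "private_key": SAMPLE_KEY})
    return changed, db.execute("SELECT certificate FROM tls_mgm").fetchone()[0]
```

Run `key_matches_cert` on the renewed files first, and issue the MI reload only when `update_domain` reports exactly one changed row; a production database driver may use a different placeholder style than SQLite's `?`.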