[OpenSIPS-Users] OpenSIPS 3- TLS MGM unable to get local issuer certificate [error=20]

Sharad Kumar voip.security at protonmail.com
Sat Feb 22 02:33:23 EST 2020


Hey guys,

I am struggling to make OpenSIPS 3 work with TLS. I tried various different ways to make this work but I keep getting the same errors. SSL certs are generated via Let's Encrypt. Here is my config for the tls_mgm module -

#### TLS Management Module
loadmodule "tls_mgm.so"
# Server definition
modparam("tls_mgm", "server_domain", "voip.securevoip.io")
modparam("tls_mgm", "match_ip_address", "[voip.securevoip.io]155.138.204.212:5061")
modparam("tls_mgm", "match_sip_domain", "[voip.securevoip.io]*")
modparam("tls_mgm", "ca_dir", "[voip.securevoip.io]/usr/local/etc/opensips/tls/")
modparam("tls_mgm","verify_cert", "[voip.securevoip.io]1")
modparam("tls_mgm","require_cert", "[voip.securevoip.io]1")
modparam("tls_mgm","tls_method", "[voip.securevoip.io]TLSv1_2")
modparam("tls_mgm","certificate", "[voip.securevoip.io]/usr/local/etc/opensips/tls/cert.pem")
modparam("tls_mgm","private_key", "[voip.securevoip.io]/usr/local/etc/opensips/tls/privkey.pem")
modparam("tls_mgm","ca_list", "[voip.securevoip.io]/usr/local/etc/opensips/tls/fullchain.pem")
modparam("tls_mgm", "tls_handshake_timeout", 300)
# Client domain definition
modparam("tls_mgm", "client_domain", "securevoip.io")
modparam("tls_mgm", "match_ip_address", "[securevoip.io]*")
modparam("tls_mgm", "match_sip_domain", "[securevoip.io]*")
modparam("tls_mgm", "ca_dir", "[securevoip.io]/usr/local/etc/opensips/tls/")
modparam("tls_mgm","verify_cert", "[securevoip.io]1")
modparam("tls_mgm","require_cert", "[securevoip.io]1")
modparam("tls_mgm","tls_method", "[securevoip.io]TLSv1_2")
modparam("tls_mgm","certificate", "[securevoip.io]/usr/local/etc/opensips/tls/cert.pem")
modparam("tls_mgm","private_key", "[securevoip.io]/usr/local/etc/opensips/tls/privkey.pem")

I am getting these errors -
Feb 22 02:25:26 opensips3-SBC /usr/local/sbin/opensips[1538]: NOTICE:tls_mgm:verify_callback: depth = 1, verify failure
Feb 22 02:25:26 opensips3-SBC /usr/local/sbin/opensips[1538]: NOTICE:tls_mgm:verify_callback: subject = /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=Microsoft IT/CN=Microsoft IT TLS CA 4
Feb 22 02:25:26 opensips3-SBC /usr/local/sbin/opensips[1538]: NOTICE:tls_mgm:verify_callback: issuer  = /C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
Feb 22 02:25:26 opensips3-SBC /usr/local/sbin/opensips[1538]: NOTICE:tls_mgm:verify_callback: verify error: unable to get local issuer certificate [error=20]
Feb 22 02:25:26 opensips3-SBC /usr/local/sbin/opensips[1538]: ERROR:proto_tls:tls_connect: New TLS connection to 52.114.132.46:5061 failed
Feb 22 02:25:26 opensips3-SBC /usr/local/sbin/opensips[1538]: ERROR:proto_tls:tls_connect: TLS error: 1 (ret=-1) err=Success(0)
Feb 22 02:25:26 opensips3-SBC /usr/local/sbin/opensips[1538]: ERROR:proto_tls:tls_print_errstack: TLS errstack: error:1416F086:SSL routines:tls_process_server_certificate:certificate verif

I would really appreciate it if someone could help me out here.

Thank you
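
An added example, not part of the original post and not OpenSIPS code: a small Python triage script that groups the tls_mgm verify_callback lines shown above into one record per failure and reports which issuer CA OpenSSL could not find among its locally trusted certificates (verify codes 2 and 20). The function names are hypothetical, and the sample input is the post's own log lines with the timestamp and host dropped.

```python
import re

# Lines copied from the post above (timestamp and host dropped from each prefix).
SAMPLE_LOG = """\
/usr/local/sbin/opensips[1538]: NOTICE:tls_mgm:verify_callback: depth = 1, verify failure
/usr/local/sbin/opensips[1538]: NOTICE:tls_mgm:verify_callback: subject = /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=Microsoft IT/CN=Microsoft IT TLS CA 4
/usr/local/sbin/opensips[1538]: NOTICE:tls_mgm:verify_callback: issuer  = /C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
/usr/local/sbin/opensips[1538]: NOTICE:tls_mgm:verify_callback: verify error: unable to get local issuer certificate [error=20]
/usr/local/sbin/opensips[1538]: ERROR:proto_tls:tls_connect: New TLS connection to 52.114.132.46:5061 failed
"""

# OpenSSL verify codes that mean the issuer CA is absent from the local trust store.
MISSING_ISSUER_CODES = {2, 20}
LINE = re.compile(r"opensips\[(\d+)\]: \w+:(\w+):(\w+): (.*)$")

def parse_verify_failures(text):
    """Group verify_callback lines per worker PID into one record per failure."""
    pending, last, records = {}, {}, []
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, _module, func, msg = m.groups()
        if func == "verify_callback":
            if d := re.match(r"depth = (\d+), verify failure", msg):
                pending[pid] = {"depth": int(d.group(1)), "peer": None}
            elif pid in pending and (kv := re.match(r"(subject|issuer)\s*= (.*)", msg)):
                pending[pid][kv.group(1)] = kv.group(2)
            elif pid in pending and (e := re.match(r"verify error: (.*) \[error=(\d+)\]", msg)):
                rec = pending.pop(pid)
                rec.update(reason=e.group(1), code=int(e.group(2)))
                records.append(rec)
                last[pid] = rec
        elif func == "tls_connect" and pid in last:
            # The failed peer address is logged right after the verify error.
            if p := re.match(r"New TLS connection to (\S+) failed", msg):
                last.pop(pid)["peer"] = p.group(1)
    return records

def missing_issuers(records):
    """Map each issuer CN that could not be found locally to the peers affected."""
    out = {}
    for r in records:
        if r["code"] in MISSING_ISSUER_CODES and "issuer" in r:
            cn = re.search(r"/CN=([^/]+)", r["issuer"])
            out.setdefault(cn.group(1) if cn else r["issuer"], []).append(r["peer"])
    return out

if __name__ == "__main__":
    for ca, peers in missing_issuers(parse_verify_failures(SAMPLE_LOG)).items():
        print(f"trust store lacks issuer '{ca}' (peers: {peers})")
```

Each CA name it reports is one to look for in the ca_list file or ca_dir of the TLS domain that handled the failed connection.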