[OpenSIPS-Users] OpenSIPS 3- TLS MGM unable to get local issuer certificate [error=20]
Răzvan Crainea
razvan at opensips.org
Tue Mar 3 09:08:21 EST 2020
Hi, Sharad!
Only the server's certificate should be generated by letsencrypt. All
the client's certificates should be generated by you and signed with the
letsencrypt certificate.
If you want your clients to have their own letsencrypt certificate,
you'll have to put the LetsEncrypt certificates in the Certificate
Authority fields "ca_list" and/or "ca_dir" parameters.
Best regards,
Răzvan
On 2/22/20 4:33 AM, Sharad Kumar via Users wrote:
> Hey guys,
>
> I am struggling to make OpenSIPS 3 work with TLS. I tried various
> different ways to make this work but getting the same errors. SSL certs
> are generated via let's encrypt. Here is my config for tls_mgm module -
>
>
>
> #### TLS Management Module
> loadmodule "tls_mgm.so"
> # Server definition
> modparam("tls_mgm", "server_domain", "voip.securevoip.io")
> modparam("tls_mgm", "match_ip_address",
> "[voip.securevoip.io]155.138.204.212:5061")
> modparam("tls_mgm", "match_sip_domain", "[voip.securevoip.io]*")
> modparam("tls_mgm", "ca_dir",
> "[voip.securevoip.io]/usr/local/etc/opensips/tls/")
> modparam("tls_mgm","verify_cert", "[voip.securevoip.io]1")
> modparam("tls_mgm","require_cert", "[voip.securevoip.io]1")
> modparam("tls_mgm","tls_method", "[voip.securevoip.io]TLSv1_2")
> modparam("tls_mgm","certificate",
> "[voip.securevoip.io]/usr/local/etc/opensips/tls/cert.pem")
> modparam("tls_mgm","private_key",
> "[voip.securevoip.io]/usr/local/etc/opensips/tls/privkey.pem")
> modparam("tls_mgm","ca_list",
> "[voip.securevoip.io]/usr/local/etc/opensips/tls/fullchain.pem")
> modparam("tls_mgm", "tls_handshake_timeout", 300)
> # Client domain definition
> modparam("tls_mgm", "client_domain", "securevoip.io")
> modparam("tls_mgm", "match_ip_address", "[securevoip.io]*")
> modparam("tls_mgm", "match_sip_domain", "[securevoip.io]*")
> modparam("tls_mgm", "ca_dir", "[securevoip.io]/usr/local/etc/opensips/tls/")
> modparam("tls_mgm","verify_cert", "[securevoip.io]1")
> modparam("tls_mgm","require_cert", "[securevoip.io]1")
> modparam("tls_mgm","tls_method", "[securevoip.io]TLSv1_2")
> modparam("tls_mgm","certificate",
> "[securevoip.io]/usr/local/etc/opensips/tls/cert.pem")
> modparam("tls_mgm","private_key",
> "[securevoip.io]/usr/local/etc/opensips/tls/privkey.pem")
>
> I am getting these errors -
> Feb 22 02:25:26 opensips3-SBC /usr/local/sbin/opensips[1538]:
> NOTICE:tls_mgm:verify_callback: depth = 1, verify failure
> Feb 22 02:25:26 opensips3-SBC /usr/local/sbin/opensips[1538]:
> NOTICE:tls_mgm:verify_callback: subject =
> /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=Microsoft
> IT/CN=Microsoft IT TLS CA 4
> Feb 22 02:25:26 opensips3-SBC /usr/local/sbin/opensips[1538]:
> NOTICE:tls_mgm:verify_callback: issuer =
> /C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
> Feb 22 02:25:26 opensips3-SBC /usr/local/sbin/opensips[1538]:
> NOTICE:tls_mgm:verify_callback: verify error: unable to get local issuer
> certificate [error=20]
> Feb 22 02:25:26 opensips3-SBC /usr/local/sbin/opensips[1538]:
> ERROR:proto_tls:tls_connect: New TLS connection to 52.114.132.46:5061 failed
> Feb 22 02:25:26 opensips3-SBC /usr/local/sbin/opensips[1538]:
> ERROR:proto_tls:tls_connect: TLS error: 1 (ret=-1) err=Success(0)
> Feb 22 02:25:26 opensips3-SBC /usr/local/sbin/opensips[1538]:
> ERROR:proto_tls:tls_print_errstack: TLS errstack: error:1416F086:SSL
> routines:tls_process_server_certificate:certificate verif
>
> I would really appreciate if someone can help me out here.
>
> Thank you
--
Răzvan Crainea
OpenSIPS Core Developer
http://www.opensips-solutions.com
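
Added example, not part of the original thread and not OpenSIPS code: a small Python triage script that reads verify_callback / tls_connect lines in the format quoted above and lists the issuer DNs that OpenSSL could not find locally (verify error 20), i.e. the CA certificates that have to be present in ca_list or ca_dir. The log lines, host names, addresses and DNs are constructed, and parse_failures / missing_trust_anchors are hypothetical helper names.

```python
import re

# Constructed sample in the tls_mgm / proto_tls log format quoted in the post
# (hosts, DNs and addresses are made up; wrapped lines are already joined).
SAMPLE_LOG = """\
Feb 22 02:25:26 sbc /usr/local/sbin/opensips[1538]: NOTICE:tls_mgm:verify_callback: depth = 1, verify failure
Feb 22 02:25:26 sbc /usr/local/sbin/opensips[1538]: NOTICE:tls_mgm:verify_callback: subject = /C=US/O=Example Corp/CN=Example Issuing CA 1
Feb 22 02:25:26 sbc /usr/local/sbin/opensips[1538]: NOTICE:tls_mgm:verify_callback: issuer = /C=US/O=Example Trust/CN=Example Root CA
Feb 22 02:25:26 sbc /usr/local/sbin/opensips[1538]: NOTICE:tls_mgm:verify_callback: verify error: unable to get local issuer certificate [error=20]
Feb 22 02:25:26 sbc /usr/local/sbin/opensips[1538]: ERROR:proto_tls:tls_connect: New TLS connection to 192.0.2.10:5061 failed
Feb 22 02:31:02 sbc /usr/local/sbin/opensips[1540]: NOTICE:tls_mgm:verify_callback: depth = 0, verify failure
Feb 22 02:31:02 sbc /usr/local/sbin/opensips[1540]: NOTICE:tls_mgm:verify_callback: subject = /CN=sip.example.net
Feb 22 02:31:02 sbc /usr/local/sbin/opensips[1540]: NOTICE:tls_mgm:verify_callback: issuer = /C=US/O=Example Corp/CN=Example Issuing CA 1
Feb 22 02:31:02 sbc /usr/local/sbin/opensips[1540]: NOTICE:tls_mgm:verify_callback: verify error: certificate has expired [error=10]
Feb 22 02:31:02 sbc /usr/local/sbin/opensips[1540]: ERROR:proto_tls:tls_connect: New TLS connection to 198.51.100.7:5061 failed
"""

# One regex per log line: the process id, then exactly one of the five fields.
MSG = re.compile(
    r"opensips\[(?P<pid>\d+)\]: \w+:(?:tls_mgm:verify_callback|proto_tls:tls_connect): "
    r"(?:depth = (?P<depth>\d+), verify failure|subject = (?P<subject>.+)|issuer = (?P<issuer>.+)"
    r"|verify error: .*\[error=(?P<error>\d+)\]|New TLS connection to (?P<peer>\S+) failed)$")

def parse_failures(text):
    """Group per-process log lines into one dict per failed verification."""
    open_recs, done = {}, []
    for m in map(MSG.search, text.splitlines()):
        if not m:
            continue
        pid = m["pid"]
        fields = {k: v for k, v in m.groupdict().items() if v is not None and k != "pid"}
        if "depth" in fields:                 # a "verify failure" line starts a record
            if pid in open_recs:              # earlier failure in the same handshake
                done.append(open_recs.pop(pid))
            open_recs[pid] = {}
        rec = open_recs.get(pid)
        if rec is None:
            continue                          # connect failure without a verify error
        rec.update(fields)
        if "peer" in fields:                  # tls_connect line closes the record
            done.append(open_recs.pop(pid))
    return done + list(open_recs.values())    # keep records that never saw a peer line

def missing_trust_anchors(failures):
    """Issuer DNs that OpenSSL could not find locally (verify error 20)."""
    return sorted({f["issuer"] for f in failures if f.get("error") == "20" and "issuer" in f})
```

The second constructed record (error 10, an expired certificate) is parsed but not reported, since adding a CA to the trust store does not address it.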