[OpenSIPS-Users] Problems reloading TLS certs.
Ryan Bullock
rrb3942 at gmail.com
Fri Nov 14 23:07:43 UTC 2025
Initial testing looks ok. You can see the patchset here:
https://github.com/rrb3942/opensips/tree/tls_mgm_reload

On Thu, Nov 13, 2025 at 3:56 PM Matthew Schumacher <schu at schu.net> wrote:
> That’s helpful. If you message me the patch when you have it, I can help
> test.
>
> On Nov 13, 2025, at 9:39 AM, Ryan Bullock <rrb3942 at gmail.com> wrote:
>
>
> Hey Matt,
>
> OpenSIPS currently only supports tls_reload for domains managed in a
> database. Coincidentally, I started a patch set earlier this week to allow
> reloading the keys, certificates, etc. for domains defined in the config
> script. No ETA on a pull request yet; it is still in testing mode.
>
> On Wed, Nov 12, 2025 at 10:00 PM Matthew Schumacher <schu at schu.net> wrote:
>
>> Hello All,
>>
>> I have a 3.2 server where I can't reload certs. Is this because I'm not
>> storing the certs in a database? How can I work around this? The server
>> is never idle enough for me to restart and my cert expires in a few
>> days. Am I forced to kick people off to restart? Also, is there a way
>> to tell opensips to not accept any new calls? I'm not sure how much that
>> will help, but it would be good to know.
>>
>> Thanks!
>>
>>
>> root@sbc:/etc/opensips# opensips-cli -f /etc/opensips/opensips-cli.cfg -x mi tls_reload
>> ERROR: command 'tls_reload' returned: 500: DB url not set
>>
>> root@sbc:/etc/opensips# opensips-cli -f /etc/opensips/opensips-cli.cfg -x mi tls_list
>> {
>>     "Domains": [
>>         {
>>             "name": "client",
>>             "type": "TLS_DOMAIN_CLI",
>>             "IP ADDRESS FILTERS": [
>>                 "*"
>>             ],
>>             "SIP DOMAIN FILTERS": [
>>                 "*"
>>             ],
>>             "METHOD": "TLSv1_2",
>>             "VERIFY_CERT": true,
>>             "REQ_CLI_CERT": false,
>>             "CRL_CHECKALL": false,
>>             "CERT_FILE": "/etc/ssl/certs/siptrunk_domain_net.crt",
>>             "CRL_DIR": "",
>>             "CA_FILE": "/etc/ssl/certs/ca-certificates.crt",
>>             "CA_DIR": "/etc/pki/CA/",
>>             "PKEY_FILE": "/etc/ssl/certs/siptrunk_domain_net.key",
>>             "CIPHER_LIST": "",
>>             "DH_PARAMS_FILE": "",
>>             "EC_CURVE": ""
>>         },
>>         {
>>             "name": "server",
>>             "type": "TLS_DOMAIN_SRV",
>>             "IP ADDRESS FILTERS": [
>>                 "x.x.x.x:5061",
>>                 "y.y.y.y:5061"
>>             ],
>>             "SIP DOMAIN FILTERS": [
>>                 "*"
>>             ],
>>             "METHOD": "TLSv1_2",
>>             "VERIFY_CERT": false,
>>             "REQ_CLI_CERT": true,
>>             "CRL_CHECKALL": false,
>>             "CERT_FILE": "/etc/ssl/certs/siptrunk_domain_net.crt",
>>             "CRL_DIR": "",
>>             "CA_FILE": "/etc/ssl/certs/ca-certificates.crt",
>>             "CA_DIR": "/etc/pki/CA/",
>>             "PKEY_FILE": "/etc/ssl/certs/siptrunk_domain_net.key",
>>             "CIPHER_LIST": "ALL:!aNULL:!eNULL:!MD5:!RC4",
>>             "DH_PARAMS_FILE": "",
>>             "EC_CURVE": ""
>>         }
>>     ]
>> }
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.opensips.org
>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>
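Added example, not part of the thread and not OpenSIPS code: a small Python check that reads `tls_list` output in the shape quoted above, groups TLS domains by the certificate file they load, and reports how many days each file on disk has left. It assumes the `openssl` CLI is installed; the sample JSON is constructed, and the 14-day threshold and all function names are illustrative. It reads the file on disk only, which may differ from the certificate a running process loaded at startup.

```python
import json
import ssl
import subprocess
import time

# Constructed sample, trimmed from the shape of the tls_list output quoted above.
SAMPLE_TLS_LIST = """{"Domains": [
  {"name": "client", "type": "TLS_DOMAIN_CLI",
   "CERT_FILE": "/etc/ssl/certs/siptrunk_domain_net.crt"},
  {"name": "server", "type": "TLS_DOMAIN_SRV",
   "CERT_FILE": "/etc/ssl/certs/siptrunk_domain_net.crt"}
]}"""


def certs_by_file(tls_list_json):
    """Map each certificate path to the TLS domains that load it."""
    by_file = {}
    for dom in json.loads(tls_list_json).get("Domains", []):
        if dom.get("CERT_FILE"):
            by_file.setdefault(dom["CERT_FILE"], []).append(dom["name"])
    return by_file


def not_after_on_disk(path):
    """Return the notAfter string of a PEM certificate via the openssl CLI."""
    out = subprocess.run(
        ["openssl", "x509", "-noout", "-enddate", "-in", path],
        capture_output=True, text=True, check=True).stdout
    return out.strip().split("=", 1)[1]  # strips the leading "notAfter="


def days_left(not_after, now=None):
    """Whole days from now until an OpenSSL-style notAfter timestamp."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)


def report(tls_list_json, warn_days=14, now=None, read=not_after_on_disk):
    """Return (path, domains, days_left, needs_action) for every certificate."""
    rows = []
    for path, domains in certs_by_file(tls_list_json).items():
        left = days_left(read(path), now)
        rows.append((path, domains, left, left < warn_days))
    return rows


if __name__ == "__main__":
    import sys
    for path, domains, left, warn in report(sys.stdin.read()):
        print(f"{'WARN' if warn else 'ok':4} {left:4d}d {path} -> {', '.join(domains)}")
```

Run as a script, it expects the JSON printed by `opensips-cli -x mi tls_list` on standard input.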