<div dir="ltr"><div dir="ltr">Hi Vlad/all<br><div><br></div><div>Sure (sanitized)</div><div><br></div><div><div>Nov 13 15:35:04 [175814] DBG:core:load_module: loading module /usr/local/lib64/opensips/modules/tls_mgm.so</div><div>Nov 13 15:35:04 [175814] INFO:tls_mgm:mod_load: openssl version: OpenSSL 1.1.1f 31 Mar 2020</div><div>Nov 13 15:35:04 [175814] DBG:core:register_module: register_pv: tls_mgm</div><div>Nov 13 15:35:04 [175814] DBG:core:set_mod_param_regex: tls_mgm matches module tls_mgm</div><div>Nov 13 15:35:04 [175814] DBG:core:set_mod_param_regex: found <certificate> in module tls_mgm [/usr/local/lib64/opensips/modules/]</div><div>Nov 13 15:35:04 [175814] ERROR:tls_mgm:tlsp_set_certificate: TLS domain [<a href="http://my.domain.com">my.domain.com</a>] not defined in '[<a href="http://my.domain.com">my.domain.com</a>]/usr/local/etc/opensips/tls/my_domain_com.pem'</div><div>Nov 13 15:35:04 [175814] Traceback (last included file at the bottom):</div><div>Nov 13 15:35:04 [175814] 0. 
/usr/local//etc/opensips/opensips.cfg</div><div>Nov 13 15:35:04 [175814] CRITICAL:core:yyerror: parse error in /usr/local//etc/opensips/opensips.cfg:191:19-20: Parameter <certificate> not found in module <tls_mgm> - can't set</div><div>Nov 13 15:35:04 [175814] #modparam("tls_mgm", "require_cert", "[dom4]1")</div><div>Nov 13 15:35:04 [175814]</div><div>Nov 13 15:35:04 [175814] modparam("tls_mgm","certificate", "[<a href="http://my.domain.com">my.domain.com</a>]/usr/local/etc/opensips/tls/my_domain_com.pem")</div><div>Nov 13 15:35:04 [175814] ^~</div><div>Nov 13 15:35:04 [175814] modparam("tls_mgm","private_key", "[<a href="http://my.domain.com">my.domain.com</a>]/usr/local/etc/opensips/tls/my_domain_com.key")</div><div>Nov 13 15:35:04 [175814] modparam("tls_mgm","ca_dir", "/etc/ssl/certs")</div><div>Nov 13 15:35:04 [175814] DBG:core:set_mod_param_regex: tls_mgm matches module tls_mgm</div><div>Nov 13 15:35:04 [175814] DBG:core:set_mod_param_regex: found <private_key> in module tls_mgm [/usr/local/lib64/opensips/modules/]</div><div>Nov 13 15:35:04 [175814] ERROR:tls_mgm:tlsp_set_pk: TLS domain [<a href="http://my.domain.com">my.domain.com</a>] not defined in '[<a href="http://my.domain.com">my.domain.com</a>]/usr/local/etc/opensips/tls/my_domain_com.key'</div><div>Nov 13 15:35:04 [175814] CRITICAL:core:yyerror: parse error in /usr/local//etc/opensips/opensips.cfg:192:19-20: Parameter <private_key> not found in module <tls_mgm> - can't set</div><div>Nov 13 15:35:04 [175814] DBG:core:set_mod_param_regex: tls_mgm matches module tls_mgm</div><div>Nov 13 15:35:04 [175814] DBG:core:set_mod_param_regex: found <ca_dir> in module tls_mgm [/usr/local/lib64/opensips/modules/]</div><div>Nov 13 15:35:04 [175814] ERROR:tls_mgm:split_param_val: No TLS domain name</div><div>Nov 13 15:35:04 [175814] CRITICAL:core:yyerror: parse error in /usr/local//etc/opensips/opensips.cfg:193:19-20: Parameter <ca_dir> not found in module <tls_mgm> - can't set</div><div>Nov 13 15:35:04 [175814] 
DBG:core:set_mod_param_regex: tls_mgm matches module tls_mgm</div><div>Nov 13 15:35:04 [175814] DBG:core:set_mod_param_regex: found <verify_cert> in module tls_mgm [/usr/local/lib64/opensips/modules/]</div><div>Nov 13 15:35:04 [175814] ERROR:tls_mgm:tlsp_set_verify: TLS domain [<a href="http://my.domain.com">my.domain.com</a>] not defined in '[<a href="http://my.domain.com">my.domain.com</a>]1'</div><div>Nov 13 15:35:04 [175814] CRITICAL:core:yyerror: parse error in /usr/local//etc/opensips/opensips.cfg:194:19-20: Parameter <verify_cert> not found in module <tls_mgm> - can't set</div><div>Nov 13 15:35:04 [175814] DBG:core:set_mod_param_regex: tls_mgm matches module tls_mgm</div><div>Nov 13 15:35:04 [175814] DBG:core:set_mod_param_regex: found <require_cert> in module tls_mgm [/usr/local/lib64/opensips/modules/]</div><div>Nov 13 15:35:04 [175814] ERROR:tls_mgm:tlsp_set_require: TLS domain [<a href="http://my.domain.com">my.domain.com</a>] not defined in '[<a href="http://my.domain.com">my.domain.com</a>]1'</div><div>Nov 13 15:35:04 [175814] CRITICAL:core:yyerror: parse error in /usr/local//etc/opensips/opensips.cfg:195:19-20: Parameter <require_cert> not found in module <tls_mgm> - can't set</div><div>Nov 13 15:35:04 [175814] DBG:core:set_mod_param_regex: tls_mgm matches module tls_mgm</div><div>Nov 13 15:35:04 [175814] DBG:core:set_mod_param_regex: found <tls_method> in module tls_mgm [/usr/local/lib64/opensips/modules/]</div><div>Nov 13 15:35:04 [175814] ERROR:tls_mgm:tlsp_set_method: TLS domain [<a href="http://my.domain.com">my.domain.com</a>] not defined in '[<a href="http://my.domain.com">my.domain.com</a>]TLSv1_2'</div><div>Nov 13 15:35:04 [175814] CRITICAL:core:yyerror: parse error in /usr/local//etc/opensips/opensips.cfg:196:19-20: Parameter <tls_method> not found in module <tls_mgm> - can't set</div><div>Nov 13 15:35:04 [175814] DBG:core:set_mod_param_regex: tls_mgm matches module tls_mgm</div><div>Nov 13 15:35:04 [175814] DBG:core:set_mod_param_regex: 
found <match_sip_domain> in module tls_mgm [/usr/local/lib64/opensips/modules/]</div><div>Nov 13 15:35:04 [175814] ERROR:tls_mgm:split_param_val: No TLS domain name</div><div>Nov 13 15:35:04 [175814] CRITICAL:core:yyerror: parse error in /usr/local//etc/opensips/opensips.cfg:198:20-21: Parameter <match_sip_domain> not found in module <tls_mgm> - can't set</div></div><div><br></div><div><br></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, 16 Nov 2020 at 20:44, Vlad Patrascu <<a href="mailto:vladp@opensips.org">vladp@opensips.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">
<div>
<p>Hi Mark,</p>
<p>Can you post the actual errors that you get in the OpenSIPS logs,
if that is the case?</p>
<p>Regards,</p>
<pre cols="72">--
Vlad Patrascu
OpenSIPS Developer
<a href="http://www.opensips-solutions.com" target="_blank">http://www.opensips-solutions.com</a></pre>
<div>On 16.11.2020 11:04, Mark Farmer wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Good morning all
<div><br>
</div>
<div>Can anyone clarify whether the TLS domain in SAN is
supported or not please?</div>
<div><br>
</div>
<div>Many thanks</div>
<div>Mark.</div>
<div><br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Fri, 13 Nov 2020 at 15:59,
Kevin Vines <<a href="mailto:kevin.vines@gmail.com" target="_blank">kevin.vines@gmail.com</a>> wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">
<div style="background-color:rgb(255,255,255);line-height:initial">
<div id="gmail-m_-5933645792815903685gmail-m_8643232066864092418response_container_BBPPID" style="outline:none" dir="auto">
<div name="BB10" id="gmail-m_-5933645792815903685gmail-m_8643232066864092418BB10_response_div_BBPPID" dir="auto" style="width:100%"> You got me there... the
doc states</div>
<div name="BB10" id="gmail-m_-5933645792815903685gmail-m_8643232066864092418BB10_response_div_BBPPID" dir="auto" style="width:100%"><br>
</div>
<div name="BB10" id="gmail-m_-5933645792815903685gmail-m_8643232066864092418BB10_response_div_BBPPID" dir="auto" style="width:100%">
<pre style="background-color:rgb(255,255,255);font-size:10pt;font-family:"Courier New",monospace">OpenSIPS offers SIP service for multiple
domains, e.g. <a href="http://atlanta.com" target="_blank">atlanta.com</a> and <a href="http://biloxi.com" target="_blank">biloxi.com</a>. Although both domains
will be hosted on a single SIP proxy, the SIP proxy needs 2
certificates: One for <a href="http://atlanta.com" target="_blank">atlanta.com</a> and one for <a href="http://biloxi.com" target="_blank">biloxi.com</a>. For
incoming TLS connections</pre>
<pre style="background-color:rgb(255,255,255);font-size:10pt;font-family:"Courier New",monospace"></pre>
<pre style="background-color:rgb(255,255,255);font-size:10pt;font-family:"Courier New",monospace"><span style="font-family:initial;font-size:initial">If you need one cert per domain, maybe it implies that you need to have the domain as the CN instead of a SAN?</span></pre>
<pre style="background-color:rgb(255,255,255);font-size:10pt;font-family:"Courier New",monospace"><span style="font-family:initial;font-size:initial">
</span></pre>
<pre style="background-color:rgb(255,255,255);font-size:10pt;font-family:"Courier New",monospace"><span style="font-family:initial;font-size:initial">Kevin </span></pre>
</div>
</div>
<div id="gmail-m_-5933645792815903685gmail-m_8643232066864092418_original_msg_header_BBPPID" dir="auto">
<table style="border-spacing:0px;display:table;outline:none" width="100%">
<tbody>
<tr>
<td colspan="2" style="font-size:initial;text-align:initial">
<div>
<div id="gmail-m_-5933645792815903685gmail-m_8643232066864092418from"><b>From:</b>
<a href="mailto:farmorg@gmail.com" target="_blank">farmorg@gmail.com</a></div>
<div id="gmail-m_-5933645792815903685gmail-m_8643232066864092418sent"><b>Sent:</b>
November 13, 2020 10:43 a.m.</div>
<div id="gmail-m_-5933645792815903685gmail-m_8643232066864092418to"><b>To:</b>
<a href="mailto:users@lists.opensips.org" target="_blank">users@lists.opensips.org</a></div>
<div id="gmail-m_-5933645792815903685gmail-m_8643232066864092418reply_to"><b>Reply
to:</b> <a href="mailto:users@lists.opensips.org" target="_blank">users@lists.opensips.org</a></div>
<div id="gmail-m_-5933645792815903685gmail-m_8643232066864092418subject"><b>Subject:</b>
Re: [OpenSIPS-Users] Teams TLS Error</div>
</div>
</td>
</tr>
</tbody>
</table>
<br>
</div>
<div name="BB10" dir="auto" style="line-height:initial;outline:none">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">OK so now I have this:<br>
<div><br>
</div>
<div>
<div>modparam("tls_mgm","certificate", "[<a href="http://my.domain.name" target="_blank">my.domain.name</a>]/usr/local/etc/opensips/tls/<a href="http://myCert.pem" target="_blank">myCert.pem</a>")</div>
<div>modparam("tls_mgm","private_key", "[<span style="color:rgb(0,0,0);font-family:-webkit-standard;font-size:medium"><a href="http://my.domain.name" target="_blank">my.domain.name</a></span>]/usr/local/etc/opensips/tls/<a href="http://myKey.key" target="_blank">myKey.key</a>")</div>
<div>modparam("tls_mgm","ca_dir",
"/etc/ssl/certs")</div>
<div>modparam("tls_mgm","verify_cert", "[<span style="color:rgb(0,0,0);font-family:-webkit-standard;font-size:medium"><a href="http://my.domain.name" target="_blank">my.domain.name</a></span>]1")</div>
<div>modparam("tls_mgm","require_cert", "[<span style="color:rgb(0,0,0);font-family:-webkit-standard;font-size:medium"><a href="http://my.domain.name" target="_blank">my.domain.name</a></span>]1")</div>
<div>modparam("tls_mgm","tls_method", "[<span style="color:rgb(0,0,0);font-family:-webkit-standard;font-size:medium"><a href="http://my.domain.name" target="_blank">my.domain.name</a></span>]TLSv1_2")</div>
<div>modparam("tls_mgm",
"match_sip_domain", "<span style="color:rgb(0,0,0);font-family:-webkit-standard;font-size:medium"><a href="http://my.domain.name" target="_blank">my.domain.name</a></span>")</div>
</div>
<div><br>
</div>
<div>But now it claims that <a href="http://my.domain.name" target="_blank">my.domain.name</a>
is not defined in <a href="http://myCert.pem" target="_blank">myCert.pem</a></div>
<div>I know it is - it is in a SAN
within the certificate.</div>
<div><br>
</div>
<div>Any suggestions?</div>
<div>Many thanks</div>
<div>Mark.</div>
<div><br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Fri, 13 Nov 2020 at
15:12, Kevin Vines <<a href="mailto:kevin.vines@gmail.com" target="_blank">kevin.vines@gmail.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">
<div style="background-color:rgb(255,255,255)">
<div id="gmail-m_-5933645792815903685gmail-m_8643232066864092418gmail-m_9038209434663990990response_container_BBPPID" style="outline:none" dir="auto">
<div id="gmail-m_-5933645792815903685gmail-m_8643232066864092418gmail-m_9038209434663990990BB10_response_div_BBPPID" dir="auto" style="width:100%"> Hi Mark,</div>
<div id="gmail-m_-5933645792815903685gmail-m_8643232066864092418gmail-m_9038209434663990990BB10_response_div_BBPPID" dir="auto" style="width:100%"><br>
</div>
<div id="gmail-m_-5933645792815903685gmail-m_8643232066864092418gmail-m_9038209434663990990BB10_response_div_BBPPID" dir="auto" style="width:100%">Based on some
googling it looks like you need to specify the
domain eg:</div>
<div id="gmail-m_-5933645792815903685gmail-m_8643232066864092418gmail-m_9038209434663990990BB10_response_div_BBPPID" dir="auto" style="width:100%"><br>
</div>
<div id="gmail-m_-5933645792815903685gmail-m_8643232066864092418gmail-m_9038209434663990990BB10_response_div_BBPPID" dir="auto" style="width:100%">modparam("tls_mgm","verify_cert",
"[<a href="http://domain.com" target="_blank">domain.com</a>]1")</div>
<div id="gmail-m_-5933645792815903685gmail-m_8643232066864092418gmail-m_9038209434663990990response_div_spacer_BBPPID" dir="auto" style="width:100%"> <br>
</div>
<div id="gmail-m_-5933645792815903685gmail-m_8643232066864092418gmail-m_9038209434663990990response_div_spacer_BBPPID" dir="auto" style="width:100%"><a href="https://fossies.org/linux/opensips/modules/tls_mgm/README" target="_blank">https://fossies.org/linux/opensips/modules/tls_mgm/README</a></div>
<div id="gmail-m_-5933645792815903685gmail-m_8643232066864092418gmail-m_9038209434663990990blackberry_signature_BBPPID" dir="auto">
<div id="gmail-m_-5933645792815903685gmail-m_8643232066864092418gmail-m_9038209434663990990_signaturePlaceholder_BBPPID" dir="auto">
<p dir="ltr">Kevin <br>
</p>
</div>
</div>
</div>
<div id="gmail-m_-5933645792815903685gmail-m_8643232066864092418gmail-m_9038209434663990990_original_msg_header_BBPPID" dir="auto">
<table id="gmail-m_-5933645792815903685gmail-m_8643232066864092418gmail-m_9038209434663990990_pHCWrapper_BBPPID" style="border-spacing:0px;display:table;outline:none" width="100%">
<tbody>
<tr>
<td colspan="2">
<div>
<div id="gmail-m_-5933645792815903685gmail-m_8643232066864092418gmail-m_9038209434663990990from"><b>From:</b>
<a href="mailto:farmorg@gmail.com" target="_blank">farmorg@gmail.com</a></div>
<div id="gmail-m_-5933645792815903685gmail-m_8643232066864092418gmail-m_9038209434663990990sent"><b>Sent:</b>
November 13, 2020 9:49 a.m.</div>
<div id="gmail-m_-5933645792815903685gmail-m_8643232066864092418gmail-m_9038209434663990990to"><b>To:</b>
<a href="mailto:users@lists.opensips.org" target="_blank">users@lists.opensips.org</a></div>
<div id="gmail-m_-5933645792815903685gmail-m_8643232066864092418gmail-m_9038209434663990990reply_to"><b>Reply
to:</b> <a href="mailto:users@lists.opensips.org" target="_blank">users@lists.opensips.org</a></div>
<div id="gmail-m_-5933645792815903685gmail-m_8643232066864092418gmail-m_9038209434663990990subject"><b>Subject:</b>
[OpenSIPS-Users] Teams TLS Error</div>
</div>
</td>
</tr>
</tbody>
</table>
<br>
</div>
<div dir="auto" style="outline:none">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">Hi everyone<br>
<div><br>
</div>
<div>OpenSIPS 3.1.0</div>
<div><br>
</div>
<div>I am following the OpenSIPS as Teams
SBC guide and have added the TLS config:</div>
<div><br>
</div>
<div>
<div>modparam("tls_mgm","verify_cert",
"1")</div>
<div>modparam("tls_mgm","require_cert",
"1")</div>
<div>modparam("tls_mgm","tls_method",
"TLSv1_2")</div>
<div>modparam("tls_mgm","certificate",
"/usr/local/etc/opensips/tls/<a href="http://myCert.pem" target="_blank">myCert.pem</a>")</div>
<div>modparam("tls_mgm","private_key",
"/usr/local/etc/opensips/tls/<a href="http://myKey.key" target="_blank">myKey.key</a>")</div>
<div>modparam("tls_mgm", "ca_dir",
"/etc/ssl/certs")</div>
</div>
<div><br>
</div>
<div>But I am seeing a TLS domain error:</div>
<div><br>
</div>
<div>
<div>Nov 13 14:36:50 [175314]
ERROR:tls_mgm:split_param_val: No TLS
domain name</div>
<div>Nov 13 14:36:50 [175314] Traceback
(last included file at the bottom):</div>
<div>Nov 13 14:36:50 [175314] 0.
/usr/local//etc/opensips/<a href="http://opensips.cfg" target="_blank">opensips.cfg</a></div>
<div>Nov 13 14:36:50 [175314]
CRITICAL:core:yyerror: parse error in
/usr/local//etc/opensips/<a href="http://opensips.cfg:191" target="_blank">opensips.cfg:191</a>:19-20:
Parameter <verify_cert> not found
in module <tls_mgm> - can't set</div>
<div>Nov 13 14:36:50 [175314]
#modparam("tls_mgm", "require_cert",
"[dom4]1")</div>
<div>Nov 13 14:36:50 [175314]</div>
<div>Nov 13 14:36:50 [175314]
modparam("tls_mgm","verify_cert", "1")</div>
<div>Nov 13 14:36:50 [175314] ^~</div>
<div>Nov 13 14:36:50 [175314]
modparam("tls_mgm","require_cert", "1")</div>
<div>Nov 13 14:36:50 [175314]
modparam("tls_mgm","tls_method",
"TLSv1_2")</div>
<div>Nov 13 14:36:50 [175314]
DBG:core:set_mod_param_regex: tls_mgm
matches module tls_mgm</div>
<div>Nov 13 14:36:50 [175314]
DBG:core:set_mod_param_regex: found
<require_cert> in module tls_mgm
[/usr/local/lib64/opensips/modules/]</div>
<div>Nov 13 14:36:50 [175314]
ERROR:tls_mgm:split_param_val: No TLS
domain name</div>
</div>
<div><br>
</div>
<div>Can anyone tell me what I might be
missing please?</div>
<div><br>
</div>
<div>Many thanks</div>
<div>Mark.</div>
<div><br>
</div>
</div>
</div>
</div>
</div>
</div>
_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@lists.opensips.org" target="_blank">Users@lists.opensips.org</a><br>
<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a><br>
</blockquote>
</div>
<br clear="all">
<div><br>
</div>
-- <br>
<div dir="ltr">Mark Farmer<br>
<a href="mailto:farmorg@gmail.com" target="_blank">farmorg@gmail.com</a></div>
</div>
</div>
</blockquote>
</div>
<br clear="all">
<div><br>
</div>
-- <br>
<div dir="ltr">Mark Farmer<br>
<a href="mailto:farmorg@gmail.com" target="_blank">farmorg@gmail.com</a></div>
<br>
</blockquote>
</div>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature">Mark Farmer<br><a href="mailto:farmorg@gmail.com" target="_blank">farmorg@gmail.com</a></div>
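<div>Added example (not part of the original thread and not OpenSIPS project code): a small Python check that predicts, from the configuration text alone, the two tls_mgm startup errors seen in the logs above. It assumes, based on the tls_mgm README rather than anything stated in this thread, that a TLS domain name is declared with server_domain or client_domain before "[name]value" settings refer to it; lint_tls_mgm and both sample configurations are constructed for illustration.</div>

```python
import re

# Matches modparam("tls_mgm", "<name>", "<value>"); lines commented out with '#' are skipped.
MODPARAM = re.compile(
    r'^\s*modparam\(\s*"tls_mgm"\s*,\s*"([^"]+)"\s*,\s*"([^"]*)"\s*\)')
# A per-domain value has the form "[domain-name]actual-value".
PREFIXED = re.compile(r'^\[([^\]]+)\](.*)$')

# Assumption (from the tls_mgm README, not from this thread): these two
# parameters declare a TLS domain name that later "[name]value" settings use.
DECLARING = {"server_domain", "client_domain"}
# Per-domain parameters that appear in the thread's configuration.
PER_DOMAIN = {"certificate", "private_key", "ca_dir", "verify_cert",
              "require_cert", "tls_method", "match_sip_domain"}


def lint_tls_mgm(cfg_text):
    """Return (line_no, param, problem) for every tls_mgm setting that would
    trigger one of the two startup errors shown in the thread's log."""
    declared, findings = set(), []
    for line_no, line in enumerate(cfg_text.splitlines(), 1):
        m = MODPARAM.match(line)
        if not m:
            continue
        param, value = m.groups()
        if param in DECLARING:
            declared.add(value.strip())
            continue
        if param not in PER_DOMAIN:
            continue
        prefixed = PREFIXED.match(value)
        if not prefixed:
            # Logged as: ERROR:tls_mgm:split_param_val: No TLS domain name
            findings.append((line_no, param, "No TLS domain name"))
        elif prefixed.group(1) not in declared:
            # Logged as: TLS domain [name] not defined in '<value>'
            findings.append(
                (line_no, param, f"TLS domain [{prefixed.group(1)}] not defined"))
    return findings


# Constructed sample: the second configuration posted in the thread.
THREAD_CFG = '''\
modparam("tls_mgm","certificate", "[my.domain.name]/usr/local/etc/opensips/tls/myCert.pem")
modparam("tls_mgm","private_key", "[my.domain.name]/usr/local/etc/opensips/tls/myKey.key")
modparam("tls_mgm","ca_dir", "/etc/ssl/certs")
modparam("tls_mgm","verify_cert", "[my.domain.name]1")
modparam("tls_mgm","require_cert", "[my.domain.name]1")
modparam("tls_mgm","tls_method", "[my.domain.name]TLSv1_2")
modparam("tls_mgm", "match_sip_domain", "my.domain.name")
'''

# Constructed variant: the domain is declared first and every value is prefixed.
DECLARED_CFG = 'modparam("tls_mgm", "server_domain", "my.domain.name")\n' + \
    THREAD_CFG.replace('"/etc/ssl/certs"', '"[my.domain.name]/etc/ssl/certs"') \
              .replace('"my.domain.name")', '"[my.domain.name]my.domain.name")')

if __name__ == "__main__":
    for finding in lint_tls_mgm(THREAD_CFG):
        print(finding)
```

<div>Both messages refer to the domain name used inside opensips.cfg; neither check in this example reads the certificate file or its SAN entries.</div>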