Kamailio, TLS, and LetsEncrypt

If you don’t know me… my name is Fred, and I’m a Kamailian. Kamailians are users of Kamailio— an open source SIP server capable of building large scale Voice platforms.

It’s a great product, and in a different post I discuss why I love Kamailio. Today, I want to talk about TLS, Kamailio, and Lets Encrypt.

TLS stands for Transport Layer Security, the successor of SSL (aka what you consider safe web browsing). The primary goal of TLS is privacy. And that’s what we’re going after here… increasing the privacy of your communication.

Kamailio supports TLS, but in the past, people have found it difficult to deploy and there were two main options:

  1. Use a purchased certificate
    • Pro: easy to deploy on client side
    • Cons: expensive, painful acquisition model
  2. Use a self-signed certificate
    • Pro: free
    • Cons: difficult to deploy on client side

With a self-signed certificate, clients (end users) would generally receive a message indicating that the TLS connection was not trusted, making them question the security of the service and causing unneeded drama.

Let’s Encrypt Makes it Better

Now, with Let’s Encrypt, we have a very quick, easy way to add TLS to your communications. Let’s Encrypt is a new certificate authority that provides free certificates very quickly. Since the certificates are recognized and trusted by your end users’ clients, the solution becomes free, fast, and easy to deploy.

Thanks to the default Kamailio config file, you can add TLS in less than 5 minutes.

First, install Let’s Encrypt and create a certificate.

cd /usr/local/src
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto --help

./letsencrypt-auto certonly --standalone -d MYDOMAIN

Simple, right? At the end of this, you’re going to have a certificate recognized by your clients.

Next, let’s add TLS to our kamailio.cfg.

If you haven’t built the TLS module, make and install it.

If you’re working from the default kamailio.cfg file, uncomment the TLS section as follows:

# *** To enable TLS support execute:
# - adjust CFGDIR/tls.cfg as needed

#!define WITH_TLS

Next, create a file called tls.cfg as follows:

[server:default]
method = TLSv1
verify_certificate = no
require_certificate = no
private_key = /etc/letsencrypt/live/MYDOMAIN/privkey.pem
certificate = /etc/letsencrypt/live/MYDOMAIN/fullchain.pem

(Of course replace MYDOMAIN with your domain name and make sure the location matches where your certificates were stored)

Save your tls.cfg file in the same location as your kamailio.cfg file.

Now, let’s make one last change in the kamailio.cfg file. Where your listen= command is located, add the following:

listen=tls:IPADDRESS:5061

Bonus… behind NAT with a static public IP?

listen=tls:PRIVATEIP:5061 advertise PUBLICIP:5061

Test your kamailio.cfg for typos or major errors with kamailio -c and then restart Kamailio.

It’s that simple.
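As an added example (not code from this post, from Kamailio or from certbot), the script below renders the tls.cfg shown above for a domain and then checks what the comments on this post diagnose with namei: whether a non-root Kamailio can actually search /etc/letsencrypt/live and /etc/letsencrypt/archive and read the real key and certificate files behind the symlinks. The user and group name kamailio, the sample domain, and the scratch directory layout are assumptions; it relies on GNU coreutils (stat -c, readlink -f) and ignores POSIX ACLs.

```shell
#!/bin/sh
# Added example, not part of the original post or of Kamailio/certbot.
# Renders the tls.cfg from the post for a domain and checks whether a
# non-root Kamailio (user/group assumed "kamailio") can reach the
# Let's Encrypt key and certificate. Assumes GNU coreutils on Linux;
# POSIX ACLs are ignored.

# Print a tls.cfg using certbot's live/ layout. BASE defaults to the
# real /etc/letsencrypt; a scratch directory can be passed for testing.
render_tls_cfg() {   # DOMAIN [BASE]
    base=${2:-/etc/letsencrypt}
    cat <<EOF
[server:default]
method = TLSv1
verify_certificate = no
require_certificate = no
private_key = $base/live/$1/privkey.pem
certificate = $base/live/$1/fullchain.pem
EOF
}

# Does USER (primary group GROUP) hold permission BIT (4 = read, 1 = execute
# or search) on PATH, judged from the owner/group/other mode bits only?
has_perm() {   # PATH USER GROUP BIT
    hp_bit=$4
    set -- "$2" "$3" $(stat -c '%a %U %G' "$1")   # user group mode owner grp
    hp_mode=$(( 0$3 ))                             # octal string -> integer
    if [ "$4" = "$1" ]; then hp_div=64             # owner bits
    elif [ "$5" = "$2" ]; then hp_div=8            # group bits
    else hp_div=1                                  # other bits
    fi
    [ $(( hp_mode / hp_div & hp_bit )) -ne 0 ]
}

# Walk from DIR up to TOP (or the filesystem root) and report the first
# directory USER could not search: the missing "x" bit from the comments.
dirs_searchable() {   # DIR USER GROUP TOP
    ds_dir=$1
    while :; do
        if ! has_perm "$ds_dir" "$2" "$3" 1; then
            echo "$2 cannot search $ds_dir (mode $(stat -c %a "$ds_dir"))"
            return 1
        fi
        ds_parent=$(dirname "$ds_dir")
        if [ "$ds_dir" = "$4" ] || [ "$ds_parent" = "$ds_dir" ]; then
            return 0
        fi
        ds_dir=$ds_parent
    done
}

# Succeed only if USER:GROUP could open FILE the way Kamailio does: the
# directory chain holding the live/ symlink and the chain holding the real
# archive/ file must both be searchable, and the real file readable.
check_cert_access() {   # FILE USER GROUP [TOP]
    ca_top=${4:-/}
    ca_target=$(readlink -f "$1") || { echo "cannot resolve $1"; return 1; }
    if [ ! -f "$ca_target" ]; then echo "missing: $1"; return 1; fi
    dirs_searchable "$(dirname "$1")" "$2" "$3" "$ca_top" || return 1
    dirs_searchable "$(dirname "$ca_target")" "$2" "$3" "$ca_top" || return 1
    if ! has_perm "$ca_target" "$2" "$3" 4; then
        echo "$2 cannot read $ca_target (mode $(stat -c %a "$ca_target"))"
        return 1
    fi
    echo "$2 can read $1"
}

# The repair from the comments, suitable for a certbot renewal hook: give
# GROUP read/search access to the whole tree and leave "other" untouched,
# so the private key does not become world-readable.
grant_group_access() {   # BASE GROUP
    chgrp -R "$2" "$1" && chmod -R g=rX "$1"
}

# Usage: sh kamailio-tls-check.sh sip.example.org [USER] [GROUP]
# (prints the tls.cfg, then reports access for both files)
if [ -n "$1" ]; then
    render_tls_cfg "$1"
    for f in privkey.pem fullchain.pem; do
        check_cert_access "/etc/letsencrypt/live/$1/$f" "${2:-kamailio}" "${3:-kamailio}"
    done
fi
```

The method line is copied from the tls.cfg above; current Kamailio releases accept a newer minimum protocol version there (see the tls module documentation for the accepted method values). grant_group_access is the post-hook fix from the comments and deliberately changes only the group bits, so a check run for a user outside that group still fails on privkey.pem, which is what you want.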


4 Comments

Tomi Hakkarainen 2018-01-10 Reply

Hi,
I noticed that by default Kamailio has problems using fullchain.pem in that directory when certbot was used.

Jan 09 22:42:53 kamailio[12469]: 0(12469) ERROR: tls [tls_domain.c:529]: load_cert(): TLSs: Unable to load certificate file '/etc/letsencrypt/live//fullchain.pem'
Jan 09 22:42:53 kamailio[12469]: 0(12469) ERROR: tls [tls_util.h:42]: tls_err_ret(): load_cert:error:0200100D:system library:fopen:Permission denied

If you have this same problem, check directory rights with:
namei -l /etc/letsencrypt/live//fullchain.pem
f: /etc/letsencrypt/live//fullchain.pem
drwxr-xr-x root root /
drwxr-xr-x root root etc
drwxr-xr-x root root letsencrypt
drwx------ root root live
- No such file or directory
-> to fix this I used
sudo chmod go+x /etc/letsencrypt/archive
sudo chmod go+x /etc/letsencrypt/live
-> after this
namei -l /etc/letsencrypt/live//fullchain.pem
f: /etc/letsencrypt/live//fullchain.pem
drwxr-xr-x root root /
drwxr-xr-x root root etc
drwxr-xr-x root root letsencrypt
drwx--x--x root root live
drwxr-xr-x kamailio daemon
lrwxrwxrwx kamailio daemon fullchain.pem -> ../../archive//fullchain1.pem
drwx--x--x root root ..
drwxr-xr-x root root ..
drwx--x--x root root archive
drwxr-xr-x kamailio daemon
-rw-r--r-- kamailio daemon fullchain1.pem

The point here is the execute (x) bit on all folders on the path to the cert file fullchain1.pem, for Kamailio to use the certificate, as we are not running Kamailio as root.

Niek 2018-04-05 Reply

Thank you Tomi, I was having the same problem getting Kamailio to be able to use the certs – chmod go+x did the trick.

Tomi 2018-10-16 Reply

When the automatic renewal runs, it changes the file to which the live folder is pointing to a new file in the archive folder.

Run this as a post-hook to get proper rights assigned to the new files after certbot renew:

chgrp -R daemon /etc/letsencrypt && chmod -R g=rX /etc/letsencrypt

Matt S. 2020-06-15 Reply

Thanks for the write up. Unfortunately it isn’t working for me. I have used Letsencrypt many times to secure an Apache installation without issue, though. The problem is the process is failing trying to validate the web server on port 80, and I am not running a web server on this Kamailio installation.
#####Output From Command####
letsencrypt]# ./letsencrypt-auto certonly --standalone -d server.mydomain.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for server.mydomain.com
Waiting for verification…
Challenge failed for domain server.mydomain.com
http-01 challenge for server.mydomain.com
Cleaning up challenges
Some challenges have failed.
#######

After this there are no keys, nothing was generated.

Must there be a web server running, even though the keys will not be utilized for that purpose? I’m guessing that is a question for Letsencrypt.

Anyways thanks again for the write up, I will try a different avenue for the certificate.
