Kamailio, TLS, and LetsEncrypt

If you don’t know me… my name is Fred, and I’m a Kamailian. Kamailians are users of Kamailio— an open source SIP server capable of building large scale Voice platforms.

It’s a great product, and in a different post I discuss why I love Kamailio. Today, I want to talk about TLS, Kamailio, and Lets Encrypt.

TLS stands for Transport Layer Security, the successor of SSL (aka what you consider safe web browsing). The primary goal of TLS is privacy. And that’s what we’re going after here… increasing the privacy of your communication.

Kamailio supports TLS, but in the past, people have found it difficult to deploy and there were two main options:

  1. Use a purchased certificate
    • Pro: easy to deploy on client side
    • Cons: expensive, painful acquisition model
  2. Use a self-signed certificate
    • Pro: free
    • Cons: difficult to deploy on client side

With a self-signed certificate, clients (end users) would generally receive a message indicating that the TLS connection was not trusted, making them question the security and just basically causing unneeded drama.

Let’s Encrypt Makes it Better

Now, with Let’s Encrypt, we have a very quick, easy way to add TLS to your communications. Let’s Encrypt is a new certificate authority that provides free certificates very quickly. Since the certificates are recognized/trusted by your end users, the solution becomes free, fast, and easy to deploy.

Thanks to the default Kamailio config file, you can add TLS in less than 5 minutes.

First, install Let’s Encrypt and create a certificate.

cd /usr/local/src
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto --help

./letsencrypt-auto certonly --standalone -d MYDOMAIN

Simple, right? At the end of this, you’re going to have a certificate recognized by your clients.

Next, let’s add TLS to our kamailio.cfg.

If you haven’t built the TLS module, make and install it.

If you’re working from the default kamailio.cfg file, uncomment the TLS section as follows:

# *** To enable TLS support execute:
# - adjust CFGDIR/tls.cfg as needed

#!define WITH_TLS

Next, create a file called tls.cfg as follows:

[server:default]
method = TLSv1
verify_certificate = no
require_certificate = no
private_key = /etc/letsencrypt/live/MYDOMAIN/privkey.pem
certificate = /etc/letsencrypt/live/MYDOMAIN/fullchain.pem

(Of course, replace MYDOMAIN with your domain name and make sure the location matches where your certificates were stored.)

Save your tls.cfg file in the same location as your kamailio.cfg file.

Now, let’s make one last change in the kamailio.cfg file. Where your listen= command is located, add the following:

listen=tls:IPADDRESS:5061

Bonus… behind NAT with a static public IP?

listen=tls:PRIVATEIP:5061 advertise PUBLICIP:5061

Test your kamailio file for typos or major errors with kamailio -c and then restart Kamailio.

It’s that simple.

Additional Reading:

Fred Posner provides VoIP consulting services through The Palner Group and LOD.com. In 2010, Fred and his wife, Yeni Monroy, opened Bearkery, in Gainesville, Florida. Contact Fred at qxork.com. Even better, make Yeni happy and buy a cookie!

2 Replies to “Kamailio, TLS, and LetsEncrypt”

  1. Hi,
    I noticed that by default Kamailio has problems to use fullchain.pem on that directory when used certbot.

    Jan 09 22:42:53 kamailio[12469]: 0(12469) ERROR: tls [tls_domain.c:529]: load_cert(): TLSs: Unable to load certificate file '/etc/letsencrypt/live//fullchain.pem'
    Jan 09 22:42:53 kamailio[12469]: 0(12469) ERROR: tls [tls_util.h:42]: tls_err_ret(): load_cert:error:0200100D:system library:fopen:Permission denied

    If you have this same, check directory rights with:
    namei -l /etc/letsencrypt/live//fullchain.pem
    f: /etc/letsencrypt/live//fullchain.pem
    drwxr-xr-x root root /
    drwxr-xr-x root root etc
    drwxr-xr-x root root letsencrypt
    drwx------ root root live
    - No such file or directory
    -> to fix this I used
    sudo chmod go+x /etc/letsencrypt/archive
    sudo chmod go+x /etc/letsencrypt/live
    -> after this
    namei -l /etc/letsencrypt/live//fullchain.pem
    f: /etc/letsencrypt/live//fullchain.pem
    drwxr-xr-x root root /
    drwxr-xr-x root root etc
    drwxr-xr-x root root letsencrypt
    drwx--x--x root root live
    drwxr-xr-x kamailio daemon
    lrwxrwxrwx kamailio daemon fullchain.pem -> ../../archive//fullchain1.pem
    drwx--x--x root root ..
    drwxr-xr-x root root ..
    drwx--x--x root root archive
    drwxr-xr-x kamailio daemon
    -rw-r--r-- kamailio daemon fullchain1.pem

    point here is the execute (x) on all folders on the dir to the cert file fullchain1.pem for Kamailio to use the certificate as we are not running Kamailio as root.

    1. Thank you Tomi, I was having the same problem getting Kamailio to be able to use the certs – chmod go+x did the trick.
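A check for the permission problem raised in the replies, written as an added example that is not part of the post or of Kamailio. It walks the directories above the certificate path, follows the live/ symlink into archive/ the way namei -l does, reports every directory that lacks the "other" execute bit the unprivileged kamailio user depends on, and applies the same chmod go+x fix; the MYDOMAIN paths and the kamailio service user are assumptions, and make_demo_tree builds a constructed copy of the layout shown in the replies so the check can be tried without touching /etc/letsencrypt.

```shell
# Added example, not from the post or from Kamailio: list the directories above a
# certificate that a non-root Kamailio cannot traverse, then apply the chmod go+x
# fix from the replies. The demo tree is constructed; MYDOMAIN is a placeholder.

# 10-character mode string of a path, e.g. drwx------ (no GNU stat needed).
mode_of() { ls -ld "$1" | cut -c1-10; }

# Absolute target of a symlink such as live/MYDOMAIN/fullchain.pem -> ../../archive/...
link_target() {
    dest=$(readlink "$1")
    case $dest in /*) ;; *) dest=$(cd "$(dirname "$1")" && cd "$(dirname "$dest")" && pwd -L)/$(basename "$dest") ;; esac
    printf '%s\n' "$dest"
}

# Print "MODE DIR" for each parent of $1 up to $2 whose "other" execute bit (10th
# mode character, x or t) is missing: Kamailio runs unprivileged and live/ and
# archive/ are root-owned, so that bit decides whether it can reach the file.
check_parents() {
    dir=$(dirname "$1"); found=0
    while :; do
        m=$(mode_of "$dir")
        case $m in ?????????[xt]) ;; *) printf '%s %s\n' "$m" "$dir"; found=1 ;; esac
        if [ "$dir" = "$2" ] || [ "$dir" = / ]; then break; fi
        dir=$(dirname "$dir")
    done
    return $found
}

# Check the path as given and, like namei -l, the symlink target behind it.
# Returns 1 if any directory was listed.
untraversable_dirs() {
    file=$1; top=${2:-/}; rc=0
    case $file in /*) ;; *) file=$PWD/$file ;; esac
    check_parents "$file" "$top" || rc=1
    if [ -L "$file" ]; then check_parents "$(link_target "$file")" "$top" || rc=1; fi
    return $rc
}

# The fix from the replies: traverse-only access (x, not r) for group and other.
fix_traversal() {
    untraversable_dirs "$1" "${2:-/}" | while read -r _ dir; do chmod go+x "$dir" || exit 1; done
}

# Constructed copy of the layout in the replies: live/ and archive/ are 0700 and
# live/MYDOMAIN/fullchain.pem links into archive/. Prints the tree root.
make_demo_tree() {
    root=$(mktemp -d) && chmod 755 "$root"
    mkdir -m 700 "$root/archive" "$root/live"
    mkdir -m 755 "$root/archive/MYDOMAIN" "$root/live/MYDOMAIN"
    : > "$root/archive/MYDOMAIN/fullchain1.pem"
    ln -s ../../archive/MYDOMAIN/fullchain1.pem "$root/live/MYDOMAIN/fullchain.pem"
    printf '%s\n' "$root"
}
```

On a real server, `untraversable_dirs /etc/letsencrypt/live/MYDOMAIN/fullchain.pem /etc/letsencrypt` lists what to fix and `fix_traversal` with the same arguments applies it; run it again after each certbot renewal, since certbot recreates the archive directory.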
