Using LetsEncrypt certs with v2.4


Using LetsEncrypt certs with v2.4

John Quick
Does anyone have experience using LetsEncrypt certificates for TLS or WSS in
OpenSIPS v2.4.x over a long enough period of time for the certificate to be
renewed?

Does the OpenSIPS service need to be restarted after each certbot renewal?
This happens about every 2 months.
I have configured opensips so the path in modparam("tls_mgm", "certificate")
is "/etc/letsencrypt/live/<domain-name>/cert.pem"
This is actually a sym-link to the actual cert. It seems to work okay, but
I'm wondering what will happen in two months' time when the cert is renewed.

Thanks.

John Quick
Smartvox Limited
Web: www.smartvox.co.uk



_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users

Re: Using LetsEncrypt certs with v2.4

Bogdan-Andrei Iancu-2
Hi John,

When the cert is configured via modparam, the cert is loaded on startup
by OpenSIPS, so any renewal of the cert will have 0 impact on OpenSIPS -
so you will have to restart after each renewal.

I suggest you provision the certs via DB (and not script), so you can
do a reload after renewal, without any need to restart opensips.

Regards,

Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
   http://www.opensips-solutions.com
OpenSIPS Bootcamp 2018
   http://opensips.org/training/OpenSIPS_Bootcamp_2018/

On 07/25/2018 06:09 PM, John Quick wrote:

Re: Using LetsEncrypt certs with v2.4

Ryan Delgrosso
Hi Bogdan,

Can you point me at a link to how to provision a cert via db?

What happens to active TLS sessions if the cert is changed?

Thanks

-Ryan


On 7/26/2018 4:56 AM, Bogdan-Andrei Iancu wrote:

Re: Using LetsEncrypt certs with v2.4

Bogdan-Andrei Iancu-2
Hi Ryan,

The TLS certificates are provisioned in OpenSIPS via the tls_mgm module:
     http://www.opensips.org/html/docs/modules/2.4.x/tls_mgm.html

The certs can be defined inline in cfg or via DB - see
http://www.opensips.org/html/docs/modules/2.4.x/tls_mgm.html#idp2796016

And this is the DB schema:
http://www.opensips.org/Documentation/Install-DBSchema-2-4#AEN9619

Best regards,

Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
   http://www.opensips-solutions.com
OpenSIPS Bootcamp 2018
   http://opensips.org/training/OpenSIPS_Bootcamp_2018/

On 08/01/2018 09:35 AM, Ryan Delgrosso wrote:

Re: Using LetsEncrypt certs with v2.4

John Quick
Hi Bogdan,

Thanks for your response to my earlier query.
I’m now trying to convert from modparam based definitions to provisioning
certs from the DB.
I cannot find a published example of a populated DB record in the tls_mgm
table.
Furthermore, the online documentation has gaps regarding DB Provisioning and
it also contains this error:
Section 1.7.14 describes a parameter db_mode, but if you try adding this it
generates an error "parameter <db_mode> not found in module"

Can you please help with an example record or at least answer these
questions:
a) What to put in the 'domain' field if I only want to set up one default
domain. Should it be "default"?
b) What are the following fields. I am not sure what they should contain:
'address', 'type', 'crl_check_all', 'crl_dir'
c) How does provisioning from DB interact with provisioning from static
modparam values?
I got errors when I commented out modparam statements for "certificate" and
"private_key" because the module was still looking for the "default" files,
even though I am now provisioning from the DB. This means there is now
ambiguity - certificates are defined both in files in modparam and also in
blob fields in the DB.

I assume the blob fields 'certificate', 'private_key' and 'ca_list' must
contain the contents of the certificate, not the path to the file.
This means I'll need to write a script to copy these data from the renewed
LetsEncrypt certificates before issuing the MI reload command.

By the way, the online module documentation for tls_mgm has a duplicate
section - 1.7.18 is the same as 1.7.19

John Quick
Smartvox Limited

Re: Using LetsEncrypt certs with v2.4

Vlad Patrascu

Hi John,

You are probably looking over the documentation for the wrong OpenSIPS version. The issues that you've mentioned appear in the 2.2 docs.

The 2.4 docs should mostly cover your questions, but nevertheless:

a) The domain field is only an identifier for the virtual TLS domain, but for default domains, indeed there is a special value, 'default'.

b) * address - same meaning as the IP:port part of the 'server_domain' parameter
   * type - TLS client (1) or server (2) domain, and 0 for defining both a client and server default domain with the same attributes
   * crl_check_all - check all files in the 'crl_dir'
   * crl_dir - path to directory containing Certificate Revocation Lists

c) Both DB and script domains can be defined at the same time, but they should be seen as different sets of domains, so you should set a modparam only for a script defined domain.

The blob database fields indeed should contain the contents of the certificates.

Regards,

Vlad Patrascu
OpenSIPS Developer
http://www.opensips-solutions.com
On 08/01/2018 06:55 PM, John Quick wrote:

Re: Using LetsEncrypt certs with v2.4

John Quick
Hi Vlad,

Thanks for replying.
Yes, I must have been looking at the wrong version in the documentation -
the old version was stored in my browser history and I failed to notice.

Even in the correct v2.4, the documentation for DB provisioning is more
complete when read alongside the extra information in your reply.

It is a pity that there is no way to completely disable provisioning from
modparam parameters when you want only to use the DB. Removing the modparam
statements does not disable them, but merely makes them use default preset
values.

John Quick
Smartvox Limited
Web: www.smartvox.co.uk


Re: Using LetsEncrypt certs with v2.4

Vlad Patrascu
Hi John,

Your conclusion about the modparam provisioning is not completely
accurate. If you don't have any modparam statements in your script, the
default preset values are only used as a backup for the default domains.
And this is necessary in case you don't define the default domains in
the database. So in this case, in order to always have some settings for
the default domains, we do a fallback to the preset values.

As such, if you do have a default client and server domain defined in
the DB and no modparam statements, no script provisioning should be
taken into account.

Regards,

Vlad Patrascu
OpenSIPS Developer
http://www.opensips-solutions.com

On 08/08/2018 05:36 PM, John Quick wrote:

Re: Using LetsEncrypt certs with v2.4

John Quick
Hi Vlad,

I now realise that the problem I'm having is that "default" is a reserved word in MySQL.
When I tried to set the 'domain' field to the text "default", it actually sets it to blank because that is the default value for this column.
😊

John Quick
Smartvox Limited
Web: www.smartvox.co.uk

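As an added example (not code from the thread or from the OpenSIPS project), here is a certbot deploy hook in the spirit of the script John describes: it copies the renewed PEM files into the tls_mgm blob columns Vlad explains, writes the domain name as the quoted string 'default' so MySQL does not read it as the DEFAULT keyword (the pitfall in John's last message), and then asks OpenSIPS to reload. The database name "opensips", the mysql client, the MI command name tls_reload and certbot's RENEWED_LINEAGE variable are assumptions not stated on the page.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSIPS: certbot deploy
# hook (certbot renew --deploy-hook /path/to/this) that pushes the renewed
# Let's Encrypt files into the tls_mgm table and reloads the TLS domains.
# Assumed, not from the page: database name "opensips", the mysql client,
# the MI command tls_reload, and RENEWED_LINEAGE (certbot sets it to the
# lineage directory, e.g. /etc/letsencrypt/live/<domain-name>).
set -eu

# Turn a PEM file into a single-quoted SQL string literal. PEM is base64 plus
# header lines, so a quote or backslash means the file is not what we expect;
# refuse it rather than emit SQL with unescaped bytes.
pem_literal() {
    content=$(cat "$1")
    case $content in
        *\'*|*\\*) echo "refusing $1: quote or backslash in PEM" >&2; return 1 ;;
    esac
    printf "'%s'" "$content"
}

# Build the UPDATE for the default TLS domain rows. The domain name must be
# the quoted string 'default': an unquoted default is the SQL DEFAULT keyword
# and silently blanks the column. The blob columns hold certificate contents,
# not paths. ca_list is the trust list for peer verification and is left
# alone, since a renewal does not change it.
build_sql() {
    lineage=$1
    cert=$(pem_literal "$lineage/cert.pem") || return 1
    key=$(pem_literal "$lineage/privkey.pem") || return 1
    printf "UPDATE tls_mgm SET certificate = %s, private_key = %s WHERE domain = 'default';\n" \
        "$cert" "$key"
}

# Only act when certbot invoked us as a deploy hook; sourcing or testing the
# file does not touch the database.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    build_sql "$RENEWED_LINEAGE" | mysql opensips
    opensipsctl fifo tls_reload
fi
```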