{"id":688,"date":"2018-07-22T14:55:25","date_gmt":"2018-07-22T07:55:25","guid":{"rendered":"http:\/\/www.otakudang.org\/?p=688"},"modified":"2021-01-04T23:58:11","modified_gmt":"2021-01-04T16:58:11","slug":"tips-problem-mengaktifkan-kamailio-tls-dengan-letsencrypt","status":"publish","type":"post","link":"https:\/\/www.otakudang.org\/?p=688","title":{"rendered":"[Tips] Problems Enabling Kamailio TLS with LetsEncrypt"},"content":{"rendered":"<p>I just tried enabling TLS on my Kamailio SIP server with <a href=\"https:\/\/letsencrypt.org\/\">LetsEncrypt<\/a>. In essence, installing the certificate with\u00a0<em>certbot-auto\u00a0<\/em>is quite easy. All that remains is to add the configuration to\u00a0<strong><em>tls.cfg<\/em><\/strong> in the Kamailio configuration directory:<\/p>\n<pre>[server:default]\nmethod = TLSv1\nverify_certificate = no\nrequire_certificate = no\ncertificate = \/etc\/letsencrypt\/live\/domain.tld\/fullchain.pem\nprivate_key = \/etc\/letsencrypt\/live\/domain.tld\/privkey.pem\n<\/pre>\n<p>Then, in the SIP server's\u00a0<strong><em>kamailio.cfg<\/em><\/strong> file (IP address <strong>192.168.0.123<\/strong>), edit\/add the following lines:<\/p>\n<pre>enable_tls = yes\nlisten=192.168.0.123:5061\n\n####### TLS Parameters #########\nloadmodule \"tls.so\"\nmodparam(\"tls\", \"config\", \"\/etc\/kamailio\/tls.cfg\")\nmodparam(\"tls\", \"low_mem_threshold1\", 0)\n<\/pre>\n<p>When I tried to reload Kamailio, I got the following errors:<\/p>\n<pre>kamailio[18322]: ERROR: tls [tls_domain.c:529]: load_cert(): TLSs: Unable to load certificate file '\/etc\/letsencrypt\/live\/domain.tld\/fullchain.pem'\nkamailio[18322]: ERROR: tls [tls_util.h:42]: tls_err_ret(): load_cert:error:0200100D:system library:fopen:Permission denied\nkamailio[18322]: ERROR: tls [tls_util.h:42]: tls_err_ret(): load_cert:error:20074002:BIO routines:FILE_CTRL:system lib\nkamailio[18322]: ERROR: tls [tls_util.h:42]: tls_err_ret(): load_cert:error:140DC002:SSL 
routines:SSL_CTX_use_certificate_chain_file:system lib\nkamailio[18322]: ERROR:  [core\/sr_module.c:923]: init_mod_child(): Error while initializing module tls (\/usr\/lib64\/kamailio\/modules\/tls.so)\n<\/pre>\n<p><br \/>Because the error points to the ownership of the certificate file, the file permissions need to be changed with the following steps:<\/p>\n<pre>root# chmod go+x \/etc\/letsencrypt\/archive\nroot# chmod go+x \/etc\/letsencrypt\/live\n<\/pre>\n<p><em>note<\/em>: use sudo if you are not logged in as root.<\/p>\n<p>After that, I reloaded Kamailio again and the problem no longer appeared. To check whether the port is listening for TLS, run:<\/p>\n<pre>root# ss -ln | egrep \"5061\"\n<\/pre>\n<h3>Links:<\/h3>\n<ul>\n<li><a href=\"https:\/\/www.fredposner.com\/1836\/kamailio-tls-and-letsencrypt\/\">https:\/\/www.fredposner.com\/1836\/kamailio-tls-and-letsencrypt\/<\/a><\/li>\n<\/ul>\n\n\n<p><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Addendum: The 3-Monthly Renewal Problem<\/h3>\n\n\n\n<p>LetsEncrypt always renews the certificate every 3 months. On renewal, the old certificate moves to the\u00a0<em>archive\u00a0<\/em>directory and the new certificate is placed in the\u00a0<em>live<\/em> directory. Its ownership and file permissions change as a result. To work around this, add the following line to\u00a0<em>crontab<\/em>:\u00a0<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>30 2 * * 1 \/usr\/sbin\/certbot-auto renew >> \/var\/log\/le-renew.log &amp;&amp; chgrp -R daemon \/etc\/letsencrypt &amp;&amp; chmod -R g=rX \/etc\/letsencrypt<\/code><\/pre>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>I just tried enabling TLS on my Kamailio SIP server with LetsEncrypt. In essence, installing the certificate with\u00a0certbot-auto\u00a0is quite easy. 
All that remains is to add the configuration to\u00a0tls.cfg in the Kamailio configuration directory: [server:default] method = TLSv1 verify_certificate = no require_certificate = no certificate = \/etc\/letsencrypt\/live\/domain.tld\/fullchain.pem private_key = \/etc\/letsencrypt\/live\/domain.tld\/privkey.pem Then, in the SIP server's\u00a0kamailio.cfg file (IP address 192.168.0.123), edit\/add the following lines &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/www.otakudang.org\/?p=688\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;[Tips] Problems Enabling Kamailio TLS with LetsEncrypt&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[12],"tags":[],"class_list":["post-688","post","type-post","status-publish","format-standard","hentry","category-kamailio","entry"],"_links":{"self":[{"href":"https:\/\/www.otakudang.org\/index.php?rest_route=\/wp\/v2\/posts\/688","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.otakudang.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.otakudang.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.otakudang.org\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.otakudang.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=688"}],"version-history":[{"count":7,"href":"https:\/\/www.otakudang.org\/index.php?rest_route=\/wp\/v2\/posts\/688\/revisions"}],"predecessor-version":[{"id":1046,"href":"https:\/\/www.otakudang.org\/index.php?rest_route=\/wp\/v2\/posts\/688\/revisions\/1046"}],"wp:attachment":[{"href":"https:\/\/www.otakudang.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=688"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.otakudang.org\/index.php?rest_route=%2Fwp%2Fv2
%2Fcategories&post=688"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.otakudang.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=688"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}