[OpenSIPS-Users] Problems reloading TLS certs.
Ryan Bullock
rrb3942 at gmail.com
Thu Nov 20 19:36:03 UTC 2025
Hey Bogdan-Andrei,
Yeah, we have that patchset running on our 3.6 builds and it looks good.
Tested concurrent reloads against concurrent inbound connections without
issue.
Like I mentioned in the pull request, I don't have database provisioned tls
domains to double check for regressions in that scenario. If someone using
database-based provisioning could try it out, it would be great. Happy to fix
any issues reported.
On Thu, Nov 20, 2025 at 2:29 AM Bogdan-Andrei Iancu <bogdan at opensips.org>
wrote:
> Hi Ryan,
>
> Should I understand the version here
> https://github.com/OpenSIPS/opensips/pull/3760 is quite some final,
> working one?
>
> Regards,
>
> Bogdan-Andrei Iancu
>
> OpenSIPS Founder and Developer
> https://www.opensips-solutions.com
> https://www.siphub.com
>
> On 15.11.2025 01:07, Ryan Bullock wrote:
>
> Initial testing looks ok. You can see the patchset here
> https://github.com/rrb3942/opensips/tree/tls_mgm_reload
>
>
> On Thu, Nov 13, 2025 at 3:56 PM Matthew Schumacher <schu at schu.net> wrote:
>
>> That’s helpful. If you message me the patch when you have it, I can help
>> test.
>>
>> On Nov 13, 2025, at 9:39 AM, Ryan Bullock <rrb3942 at gmail.com> wrote:
>>
>>
>> Hey Matt,
>>
>> OpenSIPS currently only supports tls_reload for domains managed in a
>> database. Coincidentally, I started a patch set earlier this week to allow
>> reloading the keys, certificates, etc. for domains defined in the config
>> script. No ETA on a pull request yet; it is still in testing mode.
>>
>> On Wed, Nov 12, 2025 at 10:00 PM Matthew Schumacher <schu at schu.net>
>> wrote:
>>
>>> Hello All,
>>>
>>> I have a 3.2 server where I can't reload certs. Is this because I'm not
>>> storing the certs in a database? How can I work around this? The server
>>> is never idle enough for me to restart and my cert expires in a few
>>> days. Am I forced to kick people off to restart? Also, is there a way
>>> to tell opensips to not accept any new calls? I'm not sure how much that
>>> will help, but it would be good to know.
>>>
>>> Thanks!
>>>
>>>
>>> root at sbc:/etc/opensips# opensips-cli -f /etc/opensips/opensips-cli.cfg
>>> -x mi tls_reload
>>> ERROR: command 'tls_reload' returned: 500: DB url not set
>>>
>>> root at sbc:/etc/opensips# opensips-cli -f /etc/opensips/opensips-cli.cfg
>>> -x mi tls_list
>>> {
>>> "Domains": [
>>> {
>>> "name": "client",
>>> "type": "TLS_DOMAIN_CLI",
>>> "IP ADDRESS FILTERS": [
>>> "*"
>>> ],
>>> "SIP DOMAIN FILTERS": [
>>> "*"
>>> ],
>>> "METHOD": "TLSv1_2",
>>> "VERIFY_CERT": true,
>>> "REQ_CLI_CERT": false,
>>> "CRL_CHECKALL": false,
>>> "CERT_FILE": "/etc/ssl/certs/siptrunk_domain_net.crt",
>>> "CRL_DIR": "",
>>> "CA_FILE": "/etc/ssl/certs/ca-certificates.crt",
>>> "CA_DIR": "/etc/pki/CA/",
>>> "PKEY_FILE": "/etc/ssl/certs/siptrunk_domain_net.key",
>>> "CIPHER_LIST": "",
>>> "DH_PARAMS_FILE": "",
>>> "EC_CURVE": ""
>>> },
>>> {
>>> "name": "server",
>>> "type": "TLS_DOMAIN_SRV",
>>> "IP ADDRESS FILTERS": [
>>> "x.x.x.x:5061",
>>> "y.y.y.y:5061"
>>> ],
>>> "SIP DOMAIN FILTERS": [
>>> "*"
>>> ],
>>> "METHOD": "TLSv1_2",
>>> "VERIFY_CERT": false,
>>> "REQ_CLI_CERT": true,
>>> "CRL_CHECKALL": false,
>>> "CERT_FILE": "/etc/ssl/certs/siptrunk_domain_net.crt",
>>> "CRL_DIR": "",
>>> "CA_FILE": "/etc/ssl/certs/ca-certificates.crt",
>>> "CA_DIR": "/etc/pki/CA/",
>>> "PKEY_FILE": "/etc/ssl/certs/siptrunk_domain_net.key",
>>> "CIPHER_LIST": "ALL:!aNULL:!eNULL:!MD5:!RC4",
>>> "DH_PARAMS_FILE": "",
>>> "EC_CURVE": ""
>>> }
>>> ]
>>> }
>>>
>>> _______________________________________________
>>> Users mailing list
>>> Users at lists.opensips.org
>>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>>