[OpenSIPS-Users] Problems reloading TLS certs.
Bogdan-Andrei Iancu
bogdan at opensips.org
Mon Nov 24 09:54:47 UTC 2025
Hi Ryan,
Thanks for the feedback here, I will take a look at the PR.
Regards,
Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
https://www.opensips-solutions.com
https://www.siphub.com
On 20.11.2025 21:36, Ryan Bullock wrote:
> Hey Bogdan-Andrei,
>
> Yeah, we have that patchset running on our 3.6 builds and it looks
> good. Tested concurrent reloads against concurrent inbound connections
> without issue.
>
> Like I mentioned in the pull request, I don't have database-provisioned
> TLS domains to double check for regressions in that
> scenario. If someone using database-based provisioning could try it out
> it would be great. Happy to fix any issues reported.
>
> On Thu, Nov 20, 2025 at 2:29 AM Bogdan-Andrei Iancu
> <bogdan at opensips.org> wrote:
>
> Hi Ryan,
>
> Should I understand the version here
> https://github.com/OpenSIPS/opensips/pull/3760 is quite some
> final, working one?
>
> Regards,
>
> Bogdan-Andrei Iancu
>
> OpenSIPS Founder and Developer
> https://www.opensips-solutions.com
> https://www.siphub.com
>
> On 15.11.2025 01:07, Ryan Bullock wrote:
>> Initial testing looks ok. You can see the patchset here
>> https://github.com/rrb3942/opensips/tree/tls_mgm_reload
>>
>>
>> On Thu, Nov 13, 2025 at 3:56 PM Matthew Schumacher
>> <schu at schu.net> wrote:
>>
>> That’s helpful. If you message me the patch when you have
>> it, I can help test.
>>
>>> On Nov 13, 2025, at 9:39 AM, Ryan Bullock
>>> <rrb3942 at gmail.com> wrote:
>>>
>>>
>>> Hey Matt,
>>>
>>> OpenSIPS currently only supports tls_reload for domains
>>> managed in a database. Coincidentally, I started a patch set
>>> earlier this week to allow reloading the keys, certificates,
>>> etc. for domains defined in the config script. No ETA on a
>>> pull request yet; it is still in testing mode.
>>>
>>> On Wed, Nov 12, 2025 at 10:00 PM Matthew Schumacher
>>> <schu at schu.net> wrote:
>>>
>>> Hello All,
>>>
>>> I have a 3.2 server where I can't reload certs. Is this because
>>> I'm not storing the certs in a database? How can I work around
>>> this? The server is never idle enough for me to restart and my
>>> cert expires in a few days. Am I forced to kick people off to
>>> restart? Also, is there a way to tell opensips to not accept any
>>> new calls? I'm not sure how much that will help, but it would be
>>> good to know.
>>>
>>> Thanks!
>>>
>>>
>>> root@sbc:/etc/opensips# opensips-cli -f /etc/opensips/opensips-cli.cfg -x mi tls_reload
>>> ERROR: command 'tls_reload' returned: 500: DB url not set
>>>
>>> root@sbc:/etc/opensips# opensips-cli -f /etc/opensips/opensips-cli.cfg -x mi tls_list
>>> {
>>>     "Domains": [
>>>         {
>>>             "name": "client",
>>>             "type": "TLS_DOMAIN_CLI",
>>>             "IP ADDRESS FILTERS": [
>>>                 "*"
>>>             ],
>>>             "SIP DOMAIN FILTERS": [
>>>                 "*"
>>>             ],
>>>             "METHOD": "TLSv1_2",
>>>             "VERIFY_CERT": true,
>>>             "REQ_CLI_CERT": false,
>>>             "CRL_CHECKALL": false,
>>>             "CERT_FILE": "/etc/ssl/certs/siptrunk_domain_net.crt",
>>>             "CRL_DIR": "",
>>>             "CA_FILE": "/etc/ssl/certs/ca-certificates.crt",
>>>             "CA_DIR": "/etc/pki/CA/",
>>>             "PKEY_FILE": "/etc/ssl/certs/siptrunk_domain_net.key",
>>>             "CIPHER_LIST": "",
>>>             "DH_PARAMS_FILE": "",
>>>             "EC_CURVE": ""
>>>         },
>>>         {
>>>             "name": "server",
>>>             "type": "TLS_DOMAIN_SRV",
>>>             "IP ADDRESS FILTERS": [
>>>                 "x.x.x.x:5061",
>>>                 "y.y.y.y:5061"
>>>             ],
>>>             "SIP DOMAIN FILTERS": [
>>>                 "*"
>>>             ],
>>>             "METHOD": "TLSv1_2",
>>>             "VERIFY_CERT": false,
>>>             "REQ_CLI_CERT": true,
>>>             "CRL_CHECKALL": false,
>>>             "CERT_FILE": "/etc/ssl/certs/siptrunk_domain_net.crt",
>>>             "CRL_DIR": "",
>>>             "CA_FILE": "/etc/ssl/certs/ca-certificates.crt",
>>>             "CA_DIR": "/etc/pki/CA/",
>>>             "PKEY_FILE": "/etc/ssl/certs/siptrunk_domain_net.key",
>>>             "CIPHER_LIST": "ALL:!aNULL:!eNULL:!MD5:!RC4",
>>>             "DH_PARAMS_FILE": "",
>>>             "EC_CURVE": ""
>>>         }
>>>     ]
>>> }
>>>
>>> _______________________________________________
>>> Users mailing list
>>> Users at lists.opensips.org
>>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>>
>