Cert for SIP RFC 5922

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

thanos.babblevoice.com

I ran this command:

certbot certonly --manual --preferred-challenges=dns -d thanos.babblevoice.com -d sip:thanos.babblevoice.com -d sip:bling.babblevoice.com --duplicate

It produced this output:

Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
An unexpected error occurred:
The server will not issue certificates for the identifier :: Error creating new order :: Cannot issue for “sip”: Domain name needs at least one dot
Please see the logfiles in /var/log/letsencrypt for more details.

My web server is (include version):

CentOS 7

The operating system my web server runs on is (include version):

Freeswitch

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

certbot 1.3.0

I am trying to configure FS for use with TLS but I am struggling. SSL/TLS I have a working knowledge - ut not in-depth. I have generated a cert which appears to work - browsers like A WebSocket server running with it.

RFC 5922 has the matching protocol for SIP clients to perform to verify any certificate presented. 7.1. Finding SIP Identities in a Certificate.

URI If the scheme of the URI is not “sip”, then the implementation MUST NOT accept the value as a SIP domain identity.

When I try to add sip: URI to the certbot command it returns that error.

Hi,

I think the way URI scheme SIP is similiar to URI HTTPS or HTTP, and according to a tutorial i searched online (I don’t have experience with configuring SIP), there should have no problem using a Let’s Encrypt certificate with SIP.
So the command should simply be: certbot certonly --manual --preferred-challenges=dns -d thanos.babblevoice.com -d bling.babblevoice.com --duplicate

Tutorial i found: https://campus.barracuda.com/product/campus/doc/29819546/how-to-create-certificates-for-the-sip-proxy/

P.S. I might be wrong, but if SIP certificate requires a new URI in SAN, there should be a bunch of commercial CAs selling SIP certificate.

The CA/B Forum Baseline Requirements only allow dNSName and iPAddress as SubjectAltName types, not an URI.

1 Like

Also: rfc822Name for email😂

Thanks all. Your comments definitly helped.

The RFC is misleading on this point. After much frigging about with phone and server settings the normal -d method works fine.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.