Initial install


Andrew Wells

May 4, 2025, 6:20:14 PM
to ivozprovider-users
Hi everyone, I am very excited to join but have some basic questions.

1. I didn't understand why we needed to have 1/2 of an IP, but it appears that it means 1 of 2 IPs, I guess one for the proxy and one for the main install, is that correct?
2. I installed using one IP, and have not changed the Kam SIP ports, but I noticed when it starts, I see a brief error in red, failed to start asterisk service... Obviously, this is very concerning. Does it have to do with the two IPs, or how would I troubleshoot?
3. HTTPS... I see it in the manual, but no references to Let's Encrypt or ACME, and I was wondering how TLS or WebRTC is going to work without certificates, and maybe some are built in, I do not know.

If someone could reply, I would be grateful.

Airsay

May 5, 2025, 1:39:15 AM
to ivozprovider-users

Hello Andrew,

Welcome on board.

I’m not part of the official support team, but I’ll do my best to help you alongside Kaian (Irontec's internal support contact here). Please note that my responses are based on personal experience working with IvozProvider in lab environments, and not official guidance from Factoria/Irontec.


1. Two Public IPs – Why?

I understand the confusion around the "1/2 IP" comment. What it really means is that IvozProvider requires two public IP addresses:

  • Trunk IP – used to connect to your PSTN/trunk providers

  • Client IP – used by your end users to register and make calls

This separation improves security. For example, you can lock down the trunk IP to allow traffic only from specific SIP providers, while still allowing broader access to the client IP for your users.

While the documentation states it’s technically possible to run with a single public IP (by remapping ports, e.g., KamTrunks on 7060/7061 instead of 5060/5061), my own experience has been that it's more fragile and harder to maintain. I strongly recommend using two public IPs — it’s far easier to manage.


2. Asterisk Service Fails on Boot?

Yes — if you installed with a single IP and didn’t update KamTrunks to use alternate ports (e.g., 7060/7061), you will get port conflicts, which can cause services like Asterisk to fail at startup.

To confirm what's going wrong:

journalctl -xe
systemctl status asterisk

Also check whether Kamailio and Asterisk are fighting for port 5060. Again, the cleaner solution is to allocate two IPs — one for KamUsers, the other for KamTrunks — to avoid any port conflict.


3. TLS Certificates / Let’s Encrypt

You're correct — the documentation doesn't walk through certificate automation. Here's what I use to get Let's Encrypt working with wildcard domains:

Install Certbot:

sudo apt update && sudo apt upgrade -y
sudo apt install certbot -y

Generate a wildcard cert using DNS-01 challenge:

sudo certbot certonly --manual --preferred-challenges dns -d "*.yourdomain.com"

If supporting multiple domains:

sudo certbot certonly --manual --preferred-challenges dns -d "*.yourdomain.com" -d "*.yourdomain2.com" (etc)

If adding more domains in future:

sudo certbot certonly --manual --preferred-challenges dns --expand  -d "*.yourdomain.com" -d "*.resellerdomain.com" -d "*.reseller2domain.com" (etc)

Your certificates will be stored in:

/etc/letsencrypt/live/yourdomain.com/
├── fullchain.pem Certificate
└── privkey.pem Private Key

To apply TLS to Ivoz:

1. Apache Configuration
Edit /etc/apache2/sites-available/020-ivozprovider-portal.conf
Under <VirtualHost *:443>, set:

SSLCertificateFile /etc/letsencrypt/live/yourdomain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/yourdomain.com/privkey.pem

2. Kamailio Proxy Trunks/Users

Rename:

mv /etc/kamailio/proxytrunk/tls.cfg.in /etc/kamailio/proxytrunk/tls.cfg
mv /etc/kamailio/proxyusers/tls.cfg.in /etc/kamailio/proxyusers/tls.cfg

Then update each tls.cfg:

private_key=/etc/letsencrypt/live/yourdomain.com/privkey.pem
certificate=/etc/letsencrypt/live/yourdomain.com/fullchain.pem

Restart affected services after this:

systemctl restart apache2 
systemctl restart kamailio-proxytrunk 
systemctl restart kamailio-proxyusers

Hope this helps get you moving forward. Let me know if anything’s unclear — happy to share more of what I’ve learned.

Best regards,
airsay
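
One way to verify the files referenced in each tls.cfg before the restarts described above, as an added example that is not part of the original post or of IvozProvider: it confirms that the certificate and key belong together, that the key is not world-accessible, and that the certificate is not within 30 days of expiry. Function names and the 30-day threshold are assumptions, and openssl must be installed.

```sh
#!/bin/sh
# Added example (not from the thread): checks to run on each Kamailio tls.cfg
# before restarting services. Function names are hypothetical; the
# private_key= / certificate= keys and file paths are the ones in the post.

# Print the path assigned to KEY (private_key or certificate) in FILE.
tls_cfg_path() {
    awk -F= -v k="$2" '
        /^[ \t]*#/ { next }                          # ignore commented lines
        { name = $1; gsub(/[ \t]/, "", name) }
        name == k  { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit }
    ' "$1"
}

# Succeed only if the key file grants nothing to "other". -L follows the
# live/ -> archive/ symlink that certbot creates.
key_not_world_accessible() {
    [ "$(ls -lLd "$1" 2>/dev/null | cut -c8-10)" = "---" ]
}

# Succeed only if the first (leaf) certificate in CERT holds KEY's public key.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Succeed if CERT is still valid DAYS days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(($2 * 86400))" >/dev/null 2>&1
}

# Run all checks for one tls.cfg; print each finding, non-zero if any.
check_tls_cfg() {
    rc=0
    key=$(tls_cfg_path "$1" private_key)
    crt=$(tls_cfg_path "$1" certificate)
    if [ ! -r "$key" ] || [ ! -r "$crt" ]; then
        echo "$1: key or certificate missing or unreadable"; return 1
    fi
    key_not_world_accessible "$key" || { echo "$1: $key is world-accessible"; rc=1; }
    cert_matches_key "$crt" "$key" || { echo "$1: certificate/key mismatch"; rc=1; }
    cert_valid_for_days "$crt" 30 || { echo "$1: expires within 30 days"; rc=1; }
    return "$rc"
}

# sh check-tls.sh /etc/kamailio/proxytrunk/tls.cfg /etc/kamailio/proxyusers/tls.cfg
if [ "$#" -gt 0 ]; then
    status=0
    for f in "$@"; do check_tls_cfg "$f" || status=1; done
    exit "$status"
fi
```

Certificates issued with --manual and no --manual-auth-hook are not renewed unattended by certbot renew, so the expiry check is worth scheduling.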


Andrew Wells

May 5, 2025, 5:28:59 PM
to ivozprovider-users
Fantastic help, I will make those changes and report back.

Thanks again.

Andrew Wells

May 5, 2025, 8:54:55 PM
to ivozprovider-users

2. Asterisk fails on boot... even after changing the config and using one IP for the SIP proxy and one for the SIP providers proxy

root@ivozprovider-standalone:~# journalctl -xe systemctl status asterisk
Failed to add match 'systemctl': Invalid argument

journalctl --verify: it passed...

But I don't know what to do next...

3. TLS certificates/Let's Encrypt

I am stuck here mostly because of the /etc/apt/sources.list, which contains

deb cdrom:[Debian GNU/Linux 12 _Bookworm_ - Unofficial amd64 DVD Binary-1 20250114-16:41]/ bookworm main
 
I actually put a # in front of this and added the regular repositories but it keeps coming back to Irontec. I guess because of the installation, so I am sure there is a quick resolution that I am not aware of.

Thanks



Airsay

May 6, 2025, 3:22:18 AM
to ivozprovider-users
Andrew,

Walk me through the steps you have followed to install ivozprovider. You are using a fresh instance of Debian 12 (Bookworm) with two NICs, correct? And this is a vanilla Debian 12, preferably obtained from the Debian website, right?

The highlighted line makes me believe you could be using a custom version:

deb cdrom:[Debian GNU/Linux 12 _Bookworm_ - Unofficial amd64 DVD Binary-1 20250114-16:41]


I notice that for some reason, Debian 12 has a locales "issue". So after a fresh install of Debian 12, I run 

dpkg-reconfigure locales (and select en_US.UTF8 as my preferred/default locale)

Also, is your network service running? (systemctl status networking.service)

Regards
airsay

Andrew Wells

May 6, 2025, 9:20:07 AM
to ivozprovider-users
Hi Airsay,

I downloaded the install from the GitHub site, https://github.com/irontec/ivozprovider?tab=readme-ov-file#, not Debian, ivozprovider-4.3~4.3.0-tempest-amd64.iso, and followed the instructions. The only thing I changed after the fact was to add the secondary IP address, as that was not clear to me.
I believe the install dictates the sources.list as mentioned, as when I changed it to vanilla Debian it kept going back to ivoz provider....

I tried the following and don't know what else to do to resolve it.

_____________________________________________________________________________________

I changed /etc/apt/sources.list to:

##deb cdrom:[Debian GNU/Linux 12 _Bookworm_ - Unofficial amd64 DVD Binary-1 20250114-16:41]/ bookworm main

deb http://deb.debian.org/debian bookworm main contrib non-free-firmware
deb http://deb.debian.org/debian bookworm-updates main contrib non-free-firmware
deb http://security.debian.org/debian-security bookworm-security main contrib non-free-firmware
deb http://deb.debian.org/debian bookworm-backports main contrib non-free-firmware

This is the result:
sudo apt update && sudo apt upgrade -y sudo apt install certbot -y
Ign:1 http://security.debian.org/debian-security bookworm-security InRelease                              
Ign:2 http://packages.irontec.com/debian tempest InRelease                                                
Ign:3 http://deb.debian.org/debian bookworm InRelease                
Ign:4 http://deb.debian.org/debian bookworm-updates InRelease                                            
Ign:1 http://security.debian.org/debian-security bookworm-security InRelease                              
Ign:2 http://packages.irontec.com/debian tempest InRelease                
Ign:5 http://deb.debian.org/debian bookworm-backports InRelease                                          
Ign:1 http://security.debian.org/debian-security bookworm-security InRelease                              
Ign:2 http://packages.irontec.com/debian tempest InRelease                
Ign:3 http://deb.debian.org/debian bookworm InRelease                                                    
Err:1 http://security.debian.org/debian-security bookworm-security InRelease                              
  Temporary failure resolving 'security.debian.org'
Err:2 http://packages.irontec.com/debian tempest InRelease                
  Temporary failure resolving 'packages.irontec.com'
___________________________________________________________________________________________________________________________________

I changed the /etc/apt/sources.list to:
deb cdrom:[Debian GNU/Linux 12 _Bookworm_ - Unofficial amd64 DVD Binary-1 20250114-16:41]/ bookworm main

deb http://deb.debian.org/debian bookworm main contrib non-free-firmware
deb http://deb.debian.org/debian bookworm-updates main contrib non-free-firmware
deb http://security.debian.org/debian-security bookworm-security main contrib non-free-firmware
deb http://deb.debian.org/debian bookworm-backports main contrib non-free-firmware

This is the result:

Ign:1 cdrom://[Debian GNU/Linux 12 _Bookworm_ - Unofficial amd64 DVD Binary-1 20250114-16:41] bookworm InRelease
Err:2 cdrom://[Debian GNU/Linux 12 _Bookworm_ - Unofficial amd64 DVD Binary-1 20250114-16:41] bookworm Release
  Please use apt-cdrom to make this CD-ROM recognized by APT. apt-get update cannot be used to add new CD-ROMs
Ign:3 http://security.debian.org/debian-security bookworm-security InRelease                              
Ign:4 http://packages.irontec.com/debian tempest InRelease                                                
Ign:5 http://deb.debian.org/debian bookworm InRelease                
Ign:6 http://deb.debian.org/debian bookworm-updates InRelease                                            
Ign:3 http://security.debian.org/debian-security bookworm-security InRelease                              
Ign:4 http://packages.irontec.com/debian tempest InRelease                
Ign:7 http://deb.debian.org/debian bookworm-backports InRelease                                          
Ign:3 http://security.debian.org/debian-security bookworm-security InRelease                              
Ign:4 http://packages.irontec.com/debian tempest InRelease                
Ign:5 http://deb.debian.org/debian bookworm InRelease                                                    
Err:4 http://packages.irontec.com/debian tempest InRelease                                                
  Temporary failure resolving 'packages.irontec.com'
Err:3 http://security.debian.org/debian-security bookworm-security InRelease
  Temporary failure resolving 'security.debian.org'
Ign:6 http://deb.debian.org/debian bookworm-updates InRelease
Ign:7 http://deb.debian.org/debian bookworm-backports InRelease
Ign:5 http://deb.debian.org/debian bookworm InRelease
Ign:6 http://deb.debian.org/debian bookworm-updates InRelease
Ign:7 http://deb.debian.org/debian bookworm-backports InRelease
Err:5 http://deb.debian.org/debian bookworm InRelease
  Temporary failure resolving 'deb.debian.org'
Err:6 http://deb.debian.org/debian bookworm-updates InRelease
  Temporary failure resolving 'deb.debian.org'
Err:7 http://deb.debian.org/debian bookworm-backports InRelease
  Temporary failure resolving 'deb.debian.org'
Reading package lists... Done    
E: The repository 'cdrom://[Debian GNU/Linux 12 _Bookworm_ - Unofficial amd64 DVD Binary-1 20250114-16:41] bookworm Release' does not have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
_____________________________________________________________________________________________________________________

Regarding the network service:

systemctl status networking.service
● networking.service - Raise network interfaces
     Loaded: loaded (/lib/systemd/system/networking.service; enabled; preset: enabled)
     Active: active (exited) since Mon 2025-05-05 20:03:43 EDT; 12h ago
       Docs: man:interfaces(5)
    Process: 476 ExecStart=/sbin/ifup -a --read-environment (code=exited, status=0/SUCCESS)
    Process: 583 ExecStart=/bin/sh -c if [ -f /run/network/restart-hotplug ]; then /sbin/ifup -a --read-environment --allow=hotplug; fi (code=exited, status=0/SUCCESS)
   Main PID: 583 (code=exited, status=0/SUCCESS)
      Tasks: 0 (limit: 19142)
     Memory: 8.5M
        CPU: 218ms
     CGroup: /system.slice/networking.service

May 05 20:03:43 ivozprovider-standalone systemd[1]: Starting networking.service - Raise network interfaces...
May 05 20:03:43 ivozprovider-standalone systemd[1]: Finished networking.service - Raise network interfaces.

Should I reinstall using Debian 12, as I am really confused on how to proceed, as I cannot install any packages and Asterisk isn't running?

Airsay

May 6, 2025, 11:12:45 AM
to ivozprovider-users
Andrew, I have not had success using the official iso. Especially for v4.3. I had flagged that in a previous thread, but the Single instance iso isn't top priority so I understand why it may not get looked into.

My install has mostly been directly on Debian 12 downloaded from the Debian website. Set up a fresh instance of Debian 12 (is this on Proxmox? you can use the Debian 12 qcow2 images to speed that install up). Assign two NICs, with static IPs then rock and roll with https://irontec.github.io/ivozprovider/en/basic_concepts/installation/debian_install.html

Some prework before "rocking and rolling":

Debian 12 seems to have some issues with locales. Fix it with

dpkg-reconfigure locales (select en_US.UTF8 and make it your default, just follow the prompts)

Set timezone

dpkg-reconfigure tzdata (select your timezone)

Critically (and this used to be my secret sauce, but I will put it out there) ensure you have Linux headers installed (otherwise RTPEngine will bite you down the line)
apt install -y linux-headers-$(uname -r)

Then you can rock and roll

wget http://packages.irontec.com/public.key -q -O /etc/apt/trusted.gpg.d/irontec-debian-repository.asc
cd /etc/apt/sources.list.d
echo deb http://packages.irontec.com/debian tempest main extra > ivozprovider.list
apt-get update
apt-get install ivozprovider

During the install (much later after all the necessary dependencies have been installed) you will get a prompt to enter a password for the root account for Mysql.


Ensure you remember it as you will need to enter it again in the Configure IvozProvider screen:
Ensure to enter the two (different addresses) for Users Proxy and Providers Proxy

After install, ensure that all services are running with

systemctl status

If you see degraded, list all failed services

systemctl list-units --failed

Hope that helps

BR
airsay
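
The install steps above fetch the repository key over plain HTTP into /etc/apt/trusted.gpg.d, where apt trusts it for every configured repository. A variant, added here and not part of the thread or the IvozProvider documentation, installs the key only after its fingerprint matches a value obtained from a trusted source and limits it to the Irontec repository with signed-by. The function names, the /etc/apt/keyrings destination and the fingerprint placeholder are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): trust the Irontec repository key only
# after its fingerprint matches a value obtained out-of-band, and scope it to
# this one repository with signed-by. Function names are hypothetical.

# Print the primary-key fingerprint from `gpg --with-colons` output on stdin.
primary_fpr() { awk -F: '$1 == "fpr" { print $10; exit }'; }

# Compare two fingerprints, ignoring spaces and letter case.
same_fpr() {
    a=$(printf %s "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    b=$(printf %s "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# install_repo_key KEYFILE EXPECTED_FPR DEST LISTFILE
# Writes DEST and LISTFILE only when KEYFILE's fingerprint equals EXPECTED_FPR.
install_repo_key() {
    got=$(gpg --show-keys --with-colons "$1" 2>/dev/null | primary_fpr)
    if ! same_fpr "$got" "$2"; then
        echo "fingerprint mismatch (got '${got:-none}'), key not installed" >&2
        return 1
    fi
    install -m 0644 "$1" "$3" || return 1
    echo "deb [signed-by=$3] http://packages.irontec.com/debian tempest main extra" > "$4"
}

# Usage as root, after downloading the key to a scratch file:
#   wget -q -O /tmp/irontec.asc http://packages.irontec.com/public.key
#   install_repo_key /tmp/irontec.asc "<FINGERPRINT-FROM-A-TRUSTED-SOURCE>" \
#       /etc/apt/keyrings/irontec-debian-repository.asc \
#       /etc/apt/sources.list.d/ivozprovider.list
```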

Andrew Wells

May 6, 2025, 1:27:51 PM
to ivozprovider-users
Thanks man, I will re-install, I think it is the best path... Regarding the Proxmox download, this is for a VM not Proxmox itself, as I just did a quick search and I cannot find a special download for Debian VM on Proxmox... am I missing something here?

If not, I have installed regular Debian several times, I will proceed with it, thanks again for all your input.

Airsay

May 6, 2025, 1:42:17 PM
to Andrew Wells, ivozprovider-users
Andrew,

With Proxmox, I hate going through the click-click-click to get a new Debian instance installed. So I download the qcow2 file from Debian cloud, install it as a HDD for a VM instance, start the VM and I'm at the command line in seconds. Happy to share my process if you are interested.

Andrew Wells

May 8, 2025, 1:17:25 PM
to ivozprovider-users
Hi Airsay, I didn't see your offer for help. I have spent hours on this with the help of askleo on Brave and even DeepSeek AI and it never works. I have posted how to do this in Proxmox, but I have a feeling that they are going to tell me it is a Debian issue, even though Debian on bare metal would have two separate LAN cables... I digress... I am completely stuck, as I have installed Proxmox VMs (and some containers) at least 100x but never with two NICs.

Airsay

May 8, 2025, 2:44:36 PM
to Andrew Wells, ivozprovider-users
Andrew,

I am in the middle of a single-node, proof-of-concept pilot deployment for a very warm prospect. So I'm kind of fresh with this. What is your project about?


Andrew Wells

May 9, 2025, 6:49:21 AM
to ivozprovider-users
I am just testing it... but unless I can use two IPs on one NIC, I am done. I have wasted too much time and am no further ahead. Can you let me know if that works, as I have tried for hours trying to get 2 IPs, two NICs working and it never works. If not, so be it.

Thanks
