Hi, we have a public domain with a wildcard certificate (*.ourdomain.com) that we purchased from GoDaddy.
I made a public DNS entry that resolves to our phone server’s private IP (phones.ourdomain.com resolves to 192.168.1.x), so that it only resolves if the user is on our network or VPN, which is how I want it.
Our web guy gave me the “.crt” certificate file, so how can I remove all the current FreePBX Distro self-signed certs, and install just this one? If I go into “System Admin -> HTTPS Setup -> Install Cert” and paste it in as a certificate, FreePBX still acts as if it is a self-signed certificate. The end result is that I want Chrome to give us the nice HTTPS “green lock icon”, so that our UCP scripts can execute properly.
OK, thanks, I do have the key file as well. I didn’t mention it because the web guy (incorrectly, apparently) told me I wouldn’t need it.
Does anyone know the actual steps then to insert our cert and key file? There’s nothing in the wiki for putting in our own; as I was saying, if I use the GUI then FreePBX still acts like it is self-signed.
What I mean is, in (System Admin -> HTTPS Setup -> Install Cert), there are only fields to paste in the certificate and to paste in the “Trusted Chain” if applicable; nothing about the key.
If there were non-GUI instructions like “SSH into the server, delete the old cert out of this directory, name your CA-signed cert and key to these file names and drop them here”, I could certainly handle that, but I can’t seem to Google a definitive answer.
Well, pasting them into the “Install Cert” GUI didn’t work, but I did sit down with the web guy and we figured out how to do it over SSH.
The answers are all in /etc/httpd/conf.d/ssl.conf
You have to use a text editor like vim to create a .crt file in /etc/pki/tls/certs/ and paste in the text from your crt file, then do the same for the .key file in /etc/pki/tls/private/, and finally edit ssl.conf to comment out the old CRT and KEY lines and put in the paths to the new ones you made, like so:
```apache
#   Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate.  If
# the certificate is encrypted, then you will be prompted for a
# pass phrase.  Note that a kill -HUP will prompt again.  A new
# certificate can be generated using the genkey(1) command.
```
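An added example (not from the thread and not FreePBX's own tooling): a small shell script that does the SSH-side procedure described above, first checking that the .crt and .key actually belong together and that the wildcard covers the host you will browse to, then dropping the files into the paths named in the thread and rewriting ssl.conf. The file name pbx, the host argument and the CERT_DIR/KEY_DIR/SSL_CONF overrides are this script's own choices.

```shell
#!/bin/sh
# Install a CA-signed cert + key for FreePBX Distro's Apache (added example).
# Paths default to the ones from the thread; override via environment.
set -e

CERT_DIR=${CERT_DIR:-/etc/pki/tls/certs}
KEY_DIR=${KEY_DIR:-/etc/pki/tls/private}
SSL_CONF=${SSL_CONF:-/etc/httpd/conf.d/ssl.conf}

# 0 if the public key inside the certificate equals the public half of the
# private key (catches being handed the wrong .key for the .crt).
cert_matches_key() {
  openssl x509 -noout -in "$1" 2>/dev/null || return 1
  openssl pkey -noout -in "$2" 2>/dev/null || return 1
  c=$(openssl x509 -noout -pubkey -in "$1" | openssl sha256)
  k=$(openssl pkey -pubout -in "$2" | openssl sha256)
  [ "$c" = "$k" ]
}

# 0 if the certificate's names (SAN or CN, wildcard aware) cover the host.
cert_covers_host() {
  openssl x509 -noout -in "$1" -checkhost "$2" | grep -q 'does match'
}

# install_cert CERT KEY HOST: verify, copy with safe modes, patch ssl.conf.
install_cert() {
  cert=$1; key=$2; host=$3
  cert_matches_key "$cert" "$key" || { echo "cert and key do not match" >&2; return 1; }
  cert_covers_host "$cert" "$host" || { echo "cert does not cover $host" >&2; return 1; }
  # Certificate is public; the private key must be readable by root only.
  install -m 0644 "$cert" "$CERT_DIR/pbx.crt"
  install -m 0600 "$key" "$KEY_DIR/pbx.key"
  cp "$SSL_CONF" "$SSL_CONF.bak"
  # Comment out the Distro's self-signed directives inside the vhost and put
  # the new paths on the line right after each (so they stay in that vhost).
  sed -i \
    -e "s|^\([[:space:]]*\)\(SSLCertificateFile[[:space:]].*\)|\1#\2\n\1SSLCertificateFile $CERT_DIR/pbx.crt|" \
    -e "s|^\([[:space:]]*\)\(SSLCertificateKeyFile[[:space:]].*\)|\1#\2\n\1SSLCertificateKeyFile $KEY_DIR/pbx.key|" \
    "$SSL_CONF"
  echo "installed; now reload Apache (kill -HUP / service httpd reload)"
}
```

Run it as root with the .crt, the .key and the hostname from your DNS entry, e.g. install_cert ourdomain.crt ourdomain.key phones.ourdomain.com; the script deliberately stops before touching Apache so you can review the edited ssl.conf first.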
Are you using FreePBX 13? If so, I am tasked with fixing this and making it easier, starting today, for HTTPS/TLS/SRTP and others. Maybe there will be something by the end of this week.
I am using FreePBX 13 Distro, yes. I’m all set for now, but I do appreciate your work with the GUI… I’m a Windows admin by trade so I have to fumble around and ask other employees for help when the GUI can’t handle something and I have to use the CLI.
Easy SRTP setup would be cool; our primary trunk Twilio supports it.
Actually, I could still use some more help… even though I got the HTTPS certificate working and Chrome is cool with it, it still tosses up the “Scripts from Unauthenticated Sources” shield icon in UCP, because UCP is apparently serving content from "http://ourdomain.com:8001/socket.io/?" and that needs to be HTTPS when it is just HTTP.
I’m also asking iSymphony for the exact steps to enable SSL on their portal; that one looks like a real bear as they have their own security.xml and the iSymphony FreePBX Module as well.
So, anything to make those procedures a little easier (or at least a real walkthrough) would be awesome. If I figure it out first I’ll be happy to post steps here as always.
@tm1000 has spent the last few days of his life caring deeply about X509, PKI and TLS. I’m pretty sure he’s wishing he never dived down this rabbit hole, but when he emerges, everything’s going to be kittens and butterflies.