I found some other great posts on here that definitely led me in a direction that landed on a solution, and found that some of the posts (older ones, now closed and don’t accept replies) had some factual errors in some of the commands they recommended. Perhaps things have changed since then, or there was a simple omission. Anyway, I wanted to share the adjustments that worked for me, in case anyone stumbles upon this later on and benefits by it.
My setup is that there’s a box doing a DNS challenge auth with certbot to get a wildcard certificate for our domain since several things are behind the firewall and a normal letsencrypt certbot http challenge won’t work. That box has the cert and is set up to renew it regularly. In /etc/letsencrypt/renewal-hooks/deploy/ I added a bash script that does rsync -avLP over ssh (using an ssh key for authentication) to deploy the current cert, chain, and key from /etc/letsencrypt/live/ to the same place on the target server(s) including our FreePBX server. After doing that, the hook script executes something like this on the FreePBX server to make it import the certificate and use it:
```bash
cd /etc/asterisk/keys/
rm -f mydomain*
# FreePBX wants the chain, cert and key as separate files under its keys directory
cp /etc/letsencrypt/live/mydomain.com/chain.pem mydomain-ca-bundle.crt
cp /etc/letsencrypt/live/mydomain.com/cert.pem mydomain.crt
cp /etc/letsencrypt/live/mydomain.com/privkey.pem mydomain.key
# combined key+cert file
cat mydomain.key mydomain.crt > mydomain.pem
chown asterisk:asterisk mydomain*
chmod 600 mydomain*
fwconsole certificates --updateall
fwconsole certificates --import
fwconsole certificates --default=mydomain
fwconsole r
apachectl graceful
```
I’m not sure if the apache restart is technically necessary, as I think fwconsole r might handle that, but wanted to make sure.
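The deploy hook wrapped around those commands, as an added example that is not the poster's script; the lineage name, PBX host name and ssh key path are assumed placeholders, and RENEWED_LINEAGE is the variable certbot exports to deploy hooks:

```bash
#!/bin/bash
# Added example, not the poster's hook: a certbot deploy hook that pushes a
# renewed wildcard lineage to a FreePBX host and imports it there. Assumed
# names: lineage "mydomain.com", PBX host "pbx.mydomain.com", deploy key
# /root/.ssh/certdeploy. RENEWED_LINEAGE is set by certbot for deploy hooks.
set -euo pipefail
LINEAGE_NAME="mydomain.com"        # assumed /etc/letsencrypt/live/<name>
PBX_HOST="pbx.mydomain.com"        # assumed target host
SSH_KEY="/root/.ssh/certdeploy"    # assumed dedicated deploy key
CERT_ALIAS="mydomain"              # file name used under /etc/asterisk/keys

# The commands run on the PBX, generated as text so they can be inspected
# without ssh access. Files are named explicitly rather than with a glob so
# an unrelated "mydomain2.crt" would not be deleted.
remote_import_cmd() {
    local alias="$1" live="/etc/letsencrypt/live/${LINEAGE_NAME}"
    cat <<EOF
set -e
cd /etc/asterisk/keys
rm -f ${alias}.crt ${alias}.key ${alias}.pem ${alias}-ca-bundle.crt
cp ${live}/chain.pem ${alias}-ca-bundle.crt
cp ${live}/cert.pem ${alias}.crt
cp ${live}/privkey.pem ${alias}.key
cat ${alias}.key ${alias}.crt > ${alias}.pem
chown asterisk:asterisk ${alias}.crt ${alias}.key ${alias}.pem ${alias}-ca-bundle.crt
chmod 600 ${alias}.crt ${alias}.key ${alias}.pem ${alias}-ca-bundle.crt
fwconsole certificates --updateall
fwconsole certificates --import
fwconsole certificates --default=${alias}
fwconsole r
apachectl graceful
EOF
}

# True only for the lineage this hook owns; other lineages renewed on the same
# box must not overwrite the PBX certificate.
lineage_matches() {
    [ "$(basename "${1:-}")" = "$LINEAGE_NAME" ]
}

deploy() {
    local live="$1"
    # -L copies the files the live/ symlinks point at, not the symlinks.
    rsync -aLP -e "ssh -i $SSH_KEY" --rsync-path="mkdir -p $live && rsync" \
        "$live/" "root@$PBX_HOST:$live/"
    remote_import_cmd "$CERT_ALIAS" | ssh -i "$SSH_KEY" "root@$PBX_HOST" bash -s
}

# Run only when invoked by certbot for the right lineage; a manual run is a no-op.
if [ -n "${RENEWED_LINEAGE:-}" ] && lineage_matches "$RENEWED_LINEAGE"; then
    deploy "$RENEWED_LINEAGE"
fi
```

Certbot runs executables in /etc/letsencrypt/renewal-hooks/deploy/ once per successfully renewed lineage, so the lineage check keeps a renewal of some other certificate on the same box from touching the PBX.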
I’m super grateful for the community here, it’s helped a ton in getting things up and running. Hopefully this helps someone down the road, like many of the posts here over the last 1-6+ years have helped me.