Hi. So, I have a new FreePBX install and when I try to use the certbot command, FreePBX is returning a 403 when Let's Encrypt sends the challenge.
Thanks in advance for any suggestions.
Any useful details of what failed?
FreePBX does not use certbot
I do not understand the reply. Let me rephrase the question: how should I get Let's Encrypt to work on my FreePBX install? I did use it in older FreePBX installs. It would be horrible to have to live with http, particularly since when you log in your admin password gets sent.
Generate LE cert in Certificate Management…
Well, against my better judgement, I used plain http to log in and generated the Let's Encrypt certificate, and set it as default, but when I say https, it wants to use the self-signed certificate. I would like to fix it so the LE cert is used and also make the browser always go to https even if you say http. How is this done?
In HTTPS setup in SysAdmin
Hmmm, I don’t have SysAdmin. I installed this in bullseye, so I am not using the distro.
For apache2 redirection of http to https
https://linuxize.com/post/redirect-http-to-https-in-apache/
and in preparation for valid certs
But before you redirect everything to https, for LE best usage, please read and successfully implement
for what challenges are available to us. If you don’t want to open HTTP on port 80 (HTTP-01), then DNS-01 is a possibility (and IMHO a better choice) and can be automated with many popular name servers using an enabled client (https://github.com/acmesh-official/acme.sh being my choice); that way you never need to open any port on your PBX.
If you insist on using port 443 then TLS-ALPN-01, but this is very far from trivial (nor really necessary).
Any way you do it your keys and certs need to end up in /etc/asterisk/keys/*.{crt,key} and
fwconsole cert --help
to use the options necessary to import, update, set the default and so propagate those certs to /etc/asterisk/keys/integration
Well, the certs are in /etc/asterisk/integration and there are certs in /etc/asterisk/keys, not sure what is there, so how do I get apache to use these – if I try https on my server it still seems to think I have a self-signed cert.
The /etc/letsencrypt directory doesn’t look like it does on my other boxes, so I am not sure what goes on here.
modify to suit in your sites-enabled/www.name-of-site.com
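<VirtualHost *:443>
    DocumentRoot /var/www/website
    ServerName www.name-of-site.com
    SSLEngine on
    # Server certificate and its private key
    SSLCertificateFile /etc/ssl/crt/primary.crt
    SSLCertificateKeyFile /etc/ssl/crt/private.key
    # Obsolete since Apache 2.4.8, where SSLCertificateFile may also hold the intermediates
    SSLCertificateChainFile /etc/ssl/crt/intermediate.crt
</VirtualHost>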
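For the "https still shows the self-signed cert" symptom discussed in this thread, the following is an added example (not posted by any participant and not FreePBX code) that reports which certificate files an Apache vhost actually references and whether they sit under /etc/asterisk/keys. The sample vhost files and the pbx.example.com file names are constructed for illustration.

```shell
# Added example (not from the thread): list the certificate files a vhost references.
# Apache directive names are case-insensitive, so compare a lowercased copy.
vhost_cert_paths() {
    awk '
        /^[ \t]*#/ { next }
        {
            d = tolower($1)
            if (d == "sslcertificatefile" || d == "sslcertificatekeyfile" ||
                d == "sslcertificatechainfile") {
                p = $2; gsub(/"/, "", p)
                print $1, p
            }
        }' "$1"
}

# Return 0 only if every referenced cert/key/chain path lives under keydir ($2).
vhost_uses_keydir() {
    keydir=${2%/}
    paths=$(vhost_cert_paths "$1")
    [ -n "$paths" ] || { echo "$1: no SSLCertificate* directives"; return 1; }
    rc=0
    while read -r directive path; do
        case $path in
            "$keydir"/*) ;;
            *) echo "$1: $directive -> $path (outside $keydir)"; rc=1 ;;
        esac
    done <<EOF
$paths
EOF
    return $rc
}

# A certificate whose subject equals its issuer is self-signed (needs openssl).
cert_is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject) || return 2
    i=$(openssl x509 -in "$1" -noout -issuer) || return 2
    [ "${s#subject=}" = "${i#issuer=}" ]
}

# Constructed sample vhosts: one as posted above, one pointing at the FreePBX key dir.
write_samples() {
    printf '%s\n' 'SSLEngine on' 'SSLCertificateFile /etc/ssl/crt/primary.crt' \
        'SSLCertificateKeyFile /etc/ssl/crt/private.key' > "$1/generic.conf"
    printf '%s\n' 'SSLEngine on' '# SSLCertificateFile /etc/ssl/old.crt' \
        'sslcertificatefile "/etc/asterisk/keys/pbx.example.com.crt"' \
        'SSLCertificateKeyFile /etc/asterisk/keys/pbx.example.com.key' > "$1/pbx.conf"
}
```

On a real box, run `vhost_uses_keydir` against each file in sites-enabled and `cert_is_self_signed` against whatever SSLCertificateFile path it reports.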