Cannot get Let's Encrypt on my new FreePBX install


(John Covici) #1

Hi. So, I have a new FreePBX install and when I try to use the certbot command, FreePBX is returning a 403 when Let's Encrypt sends the challenge.

Thanks in advance for any suggestions.


#2

Any useful details of what failed?


(Jared Busch) #3

FreePBX does not use certbot


(John Covici) #4

I do not understand the reply. Let me rephrase the question: how should I get Let's Encrypt to work on my FreePBX install? I did use it in older FreePBX installs. It would be horrible to have to live with HTTP, particularly since when you log in your admin password gets sent.


(Defcomllc) #5

Generate LE cert in Certificate Management…


(John Covici) #6

Well, against my better judgement, I used plain HTTP to log in and generated the Let's Encrypt certificate, and set it as default, but when I say https, it wants to use the self-signed certificate. I would like to fix it so the LE cert is used and also make the browser always go to https even if you say http. How is this done?


(Defcomllc) #7

In HTTPS setup in SysAdmin


(John Covici) #8

Hmmm, I don’t have SysAdmin. I installed this in bullseye, so I am not using the distro.


#9

For apache2 redirection of http to https

https://linuxize.com/post/redirect-http-to-https-in-apache/

and in preparation for valid certs

But before you redirect everything to https, for LE best usage, please read and successfully implement

for what challenges are available to us. If you don’t want to open HTTP on port 80 (HTTP-01), then DNS-01 is a possibility (and IMHO a better choice) and can be automated with many popular name servers using an enabled client (https://github.com/acmesh-official/acme.sh being my choice); that way you never need to open any port on your PBX.

If you insist on using port 443 then TLS-ALPN-01, but this is very far from trivial (nor really necessary).

Any way you do it your keys and certs need to end up in /etc/asterisk/keys/*.{crt,key} and

fwconsole cert --help

to use the options necessary to import, update, set the default and so propagate those certs to /etc/asterisk/keys/integration


(John Covici) #10

Well, the certs are in /etc/asterisk/integration and there are certs in /etc/asterisk/keys, not sure what is there, so how do I get apache to use these – if I try https on my server it still seems to think I have a self-signed cert.

The /etc/letsencrypt directory doesn’t look like it does on my other boxes, so I am not sure what goes on here.


#11

Modify to suit in your sites-enabled/www.name-of-site.com:

DocumentRoot /var/www/website
ServerName www.name-of-site.com
SSLEngine on
SSLCertificateFile /etc/ssl/crt/primary.crt
SSLCertificateKeyFile /etc/ssl/crt/private.key
SSLCertificateChainFile /etc/ssl/crt/intermediate.crt
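
An added example, not part of any post in this thread and not FreePBX tooling: a small shell audit that lists, per Apache virtual host, which `SSLCertificateFile` it is configured to serve and whether port 80 redirects to https, which is the usual place to look when the browser still sees a self-signed certificate. The function names, the sample file names and `pbx.example.com.crt` are constructed for illustration; the `/etc/asterisk/keys/` prefix is the location named in post #9, and the snakeoil path is the one in Debian's stock `default-ssl` site.

```shell
#!/bin/sh
# audit_vhosts DIR PREFIX
# Prints one "file|address|cert|status" line per <VirtualHost> in DIR/*.conf.
# status: OK / WRONG_CERT / NO_CERT for :443 vhosts, REDIRECT / PLAIN_HTTP otherwise.
audit_vhosts() {
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        awk -v file="${f##*/}" -v prefix="$2" '
            $1 ~ /^#/ { next }                              # skip comment lines
            tolower($1) == "<virtualhost" {                 # start of a vhost block
                addr = $2; sub(/>$/, "", addr); cert = "-"; redir = 0; next
            }
            tolower($1) == "sslcertificatefile" { cert = $2 }
            tolower($1) ~ /^(redirect|rewriterule)/ && /https:\/\// { redir = 1 }
            tolower($1) == "</virtualhost>" {               # end of block: classify it
                if (addr ~ /:443$/) {
                    if (cert == "-") status = "NO_CERT"
                    else if (index(cert, prefix) == 1) status = "OK"
                    else status = "WRONG_CERT"
                } else status = redir ? "REDIRECT" : "PLAIN_HTTP"
                print file "|" addr "|" cert "|" status
            }
        ' "$f"
    done
}

# Constructed sample input: a port-80 vhost without a redirect, a vhost still on
# the Debian snakeoil (self-signed) cert, and one using a cert under /etc/asterisk/keys/.
make_sample() {
    d=$(mktemp -d)
    printf '%s\n' '<VirtualHost *:80>' '  DocumentRoot /var/www/html' \
        '</VirtualHost>' > "$d/000-default.conf"
    printf '%s\n' '<VirtualHost _default_:443>' '  SSLEngine on' \
        '  SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem' \
        '</VirtualHost>' > "$d/default-ssl.conf"
    printf '%s\n' '<VirtualHost *:443>' '  SSLEngine on' \
        '  SSLCertificateFile /etc/asterisk/keys/pbx.example.com.crt' \
        '</VirtualHost>' > "$d/freepbx-ssl.conf"
    echo "$d"
}

# Demo run on the constructed sample.
sample=$(make_sample)
audit_vhosts "$sample" /etc/asterisk/keys/
rm -rf "$sample"
```

On a Debian system, run `audit_vhosts /etc/apache2/sites-enabled /etc/asterisk/keys/`; any `WRONG_CERT` or `PLAIN_HTTP` line names the site file that still needs editing.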

(system) closed #12

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.