FQDN / FreePBX Hostname

Do I need a valid FQDN for the hostname of the FreePBX to generate an LE certificate?

Yes you do.

Does that FQDN have to match the external IP address configured in EPM?

Depending on how you are using the certificate but typically that’s how it works.

Just need to use HTTPS so my Sangoma P320 can work on queue.
Indeed my call center will need to wait …

You don’t have to use a Let’s Encrypt certificate though. If you want to manually manage it you could create one outside of your FreePBX instance and import the keys manually and use the manually imported certificate instead.

Wow … That sounds good!!!
I do have an FQDN running outside my FreePBX instance, I will try it out …
Do you have a good manual guide?

Yea, the FreePBX Wiki has some steps for the different methods of getting an SSL certificate:

https://wiki.freepbx.org/display/FPG/Certificate+Management+User+Guide

Cool. Well, that being said, do I still need to leave the external IP address set under EPM, actually?

Depends on where your phones live. Typically you need to use a fqdn in conjunction with SSLs. If it’s phones that are internal to your network then you’ll need to have an internal DNS server properly pointing the fqdn to the internal IP of the phone system. If the phones are externally located then you’ll need to manage this externally and have the appropriate ports forwarded for the phones to be able to provision and connect properly.

Asterisk’s TLS transport, unlike an https browser, is not as strict about who your CA is; self-signed certificates should pass muster if the name used to connect matches the name on the cert.

He is not talking about the Asterisk transport though. This is for Sangoma P phone provisioning and apps.

Likely provisioning would also work. True for restapps though.

Yea, not sure how strict the phones are when it comes to connecting to a provisioning server over https and the FQDN/IP needing to match the SSL cert exactly.

You can also serve those all as unsecured TCP connections to a reverse proxy and have the proxy certify and strip the "S"ecure layer to such a TCP service.

For an LE certificate, you can use your IP address in the format xxx.xxx.xxx.xxx.nip.io, and that would be sufficient.

Error creating new order :: too many certificates already issued for “nip.io”. Retry after 2023-07-07T21:00:00Z: see Rate Limits - Let's Encrypt

  • lechecker: Pest_Curl_Exec - Operation timed out after 30001 milliseconds with 0 out of -1 bytes received
    Seems this method was going to work until I got rejected.

Do you have the correct ports forwarded to your pbx on the firewall to allow for cert verification? That’s done on port 80 TCP.

dig +short nip.io returns ‘116.203.255.68’

I doubt if you have domain over 116.203.255.68 though, hence the errors/failure. nip.io will resolve your device as a single level “subdomain” of nip.io relevant to the IP address you register with them, so not for wildcards nor the apex domain itself; apparently ‘too many’ others are making that same mistake.
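
The name-matching question raised in the replies above, as an added example that is not part of the thread and not FreePBX or Sangoma code: it checks which names a phone might be provisioned with are covered by a certificate's SAN entries, using the strict rule an HTTPS client applies (exact DNS match, a wildcard standing for one label, IP literals matched only against IP SANs). That the phones enforce this rule is an assumption; the hostnames and addresses are constructed samples.

```python
import ipaddress

def _as_ip(name):
    """Return an ip_address object if name is an IP literal, else None."""
    try:
        return ipaddress.ip_address(name)
    except ValueError:
        return None

def cert_covers(connect_name, san_dns=(), san_ip=()):
    """True if a strict HTTPS client would accept connect_name for these SANs."""
    name = connect_name.rstrip(".").lower()
    ip = _as_ip(name)
    if ip is not None:
        # An IP literal is only matched against IP SANs, never DNS SANs.
        return any(ip == _as_ip(entry) for entry in san_ip)
    labels = name.split(".")
    for pattern in san_dns:
        pat = pattern.rstrip(".").lower().split(".")
        if len(pat) != len(labels):
            continue  # a wildcard stands for exactly one label
        if pat == labels:
            return True
        if pat[0] == "*" and len(pat) > 2 and pat[1:] == labels[1:]:
            return True
    return False

def nip_io_name(ip):
    """Build the nip.io hostname that resolves back to the given IPv4 address."""
    return f"{ipaddress.IPv4Address(ip)}.nip.io"

def audit(candidates, san_dns=(), san_ip=()):
    """Map each name a phone might be provisioned with to accept/reject."""
    return {c: cert_covers(c, san_dns, san_ip) for c in candidates}

if __name__ == "__main__":
    # Constructed sample: documentation addresses and example.com, not real hosts.
    external_ip = "203.0.113.10"
    names = ["pbx.example.com", external_ip, "192.168.1.5", nip_io_name(external_ip)]
    print("cert for pbx.example.com:", audit(names, san_dns=["pbx.example.com"]))
    print("cert for nip.io name:    ", audit(names, san_dns=[nip_io_name(external_ip)]))
    print("wildcard *.nip.io:       ", audit(names, san_dns=["*.nip.io"]))
```

A certificate issued for the FQDN does not cover the bare external IP, so under strict matching the address set in EPM has to be the same name that appears on the certificate.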
