Generate LE certs from the CLI


(Lorne Gaetz) #1

Thanks to the efforts of @jerrm and @bpbp, the latest edge version of the Certificate Management module allows you to generate a Let’s Encrypt cert using fwconsole:

# fwconsole ma list | grep cert
| certman             | 15.0.34    | Enabled                           | AGPLv3+     |


# fwconsole certificates --generate --type=le --hostname=lorne.redacted.com  --country-code=ca --state=ns --email=lgaetz@redacted.com
Getting list of URLs for API
Requesting new nonce for client communication
Account already registered. Continuing.
Sending registration to letsencrypt server
Sending signed request to https://acme-v02.api.letsencrypt.org/acme/new-acct
Account: https://acme-v02.api.letsencrypt.org/acme/
Starting certificate generation process for domains
Requesting challenge for lorne.redacted.com
... bunch of lines removed ...
Got certificate! YAY!
Saving fullchain.pem
Saving cert.pem
Saving chain.pem
Done !!§§!
Successfully installed Let's Encrypt certificate 'lorne.redacted.com'

Thanks Gentlemen? Humans!

https://issues.freepbx.org/browse/FREEPBX-21943


#2

For now, run an fwconsole chown after creating a cert.

I’ll open a ticket for the fix tomorrow, along with some more functionality.


#3

Fix for the chown issue is at https://git.freepbx.org/plugins/servlet/jira-integration/issues/FREEPBX-21964.

The big addition for this ticket is Subject Alternative Name so a cert can support more than one DNS name, i.e. a single cert can now support admin.mydomain.com, ucp.mydomain.com, sip.mydomain.com, etc.

Of limited use for the distro with current port-based apache virtual hosts, but makes life much easier for those that use hostname/SNI-based virtual hosts.
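A quick way to confirm a generated SAN cert actually covers every hostname the PBX services answer on, as an added example that is not part of the thread or the certman module. It parses the DNS entries from the `X509v3 Subject Alternative Name` block as `openssl x509 -noout -ext subjectAltName` prints it (the SAN text below is constructed sample data) and applies RFC 6125-style matching, with an option to reject wildcards for services that want an exact name, as the SIP TLS remark in this thread suggests.

```python
import re

# Constructed sample: what `openssl x509 -in cert.pem -noout -ext subjectAltName`
# prints for a cert issued for the three names mentioned in the thread plus a wildcard.
SAMPLE_OPENSSL_SAN = """X509v3 Subject Alternative Name:
    DNS:admin.mydomain.com, DNS:ucp.mydomain.com, DNS:sip.mydomain.com, DNS:*.example.net
"""

# Constructed: hostnames the services are actually reached on (note the mixed case).
WANTED_HOSTNAMES = ["admin.mydomain.com", "UCP.mydomain.com", "sip.mydomain.com",
                    "pbx.mydomain.com", "a.b.example.net"]

_DNS_ENTRY = re.compile(r"DNS:([^,\s]+)")


def parse_openssl_san(text: str) -> list:
    """Extract the DNS names from the textual subjectAltName extension dump."""
    return _DNS_ENTRY.findall(text)


def san_matches(san: str, hostname: str) -> bool:
    """Exact match, or a wildcard that is the whole leftmost label and covers
    exactly one label (so *.example.net covers x.example.net, not a.b.example.net
    and not example.net itself). Comparison is case-insensitive."""
    san, hostname = san.lower().rstrip("."), hostname.lower().rstrip(".")
    if san == hostname:
        return True
    if san.startswith("*."):
        parent = san[2:]
        labels = hostname.split(".")
        # Require at least two labels under the wildcard's parent domain and a
        # parent with at least two labels, so *.com never matches anything.
        return len(labels) >= 3 and "." in parent and ".".join(labels[1:]) == parent
    return False


def uncovered(san_names: list, wanted: list, allow_wildcard: bool = True) -> list:
    """Return the wanted hostnames no SAN entry covers. With allow_wildcard=False,
    wildcard entries are ignored, modelling clients that insist on an exact name."""
    usable = [s for s in san_names if allow_wildcard or not s.startswith("*")]
    return [h for h in wanted if not any(san_matches(s, h) for s in usable)]


if __name__ == "__main__":
    names = parse_openssl_san(SAMPLE_OPENSSL_SAN)
    print("SAN DNS names:", names)
    print("not covered:", uncovered(names, WANTED_HOSTNAMES))
    print("not covered without wildcards:", uncovered(names, WANTED_HOSTNAMES, allow_wildcard=False))
```

On a live box, feed the output of `openssl x509 -in <cert.pem> -noout -ext subjectAltName` to `parse_openssl_san` and list the hostnames your admin, UCP and SIP clients connect to; an empty result means the cert covers them all.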


#4

Does your code allow certificates from other than the primary domain to be issued?

I ask because using such domains (using SNI, not ports) would provide a ‘once removed’ certification for administrative purposes (and provisioning) that is less easily revealed?
I believe that both TLS transport for calls (and such a transport doesn’t like wild cards/SAN for that purpose) and provisioning would benefit yet still protect against MITM attacks inside a possibly compromised LAN.

Call it a kinda 2FA perhaps.

JM2CWAE


#5

It passes the names to the Lescript.php script certman uses and prays.

But, yes, I tested for multi-domain (host.testdomain1.com and host2.testdomain2.com) and got a working cert.


#6

( or two ? :slight_smile: )