Generate LE certs from the CLI

Thanks to the efforts of @jerrm and @bpbp, the latest edge version of Certificate Management module allows you to generate a Let’s Encrypt cert using fwconsole:

# fwconsole ma list | grep cert
| certman             | 15.0.34    | Enabled                           | AGPLv3+     |
# fwconsole certificates --generate --type=le --hostname=lorne.redacted.com  --country-code=ca --state=ns [email protected]
Getting list of URLs for API
Requesting new nonce for client communication
Account already registered. Continuing.
Sending registration to letsencrypt server
Sending signed request to https://acme-v02.api.letsencrypt.org/acme/new-acct
Account: https://acme-v02.api.letsencrypt.org/acme/
Starting certificate generation process for domains
Requesting challenge for lorne.redacted.com
... bunch of lines removed ...
Got certificate! YAY!
Saving fullchain.pem
Saving cert.pem
Saving chain.pem
Done !!§§!
Successfully installed Let's Encrypt certificate 'lorne.redacted.com'

Thanks Gentlemen? Humans!

https://issues.freepbx.org/browse/FREEPBX-21943


For now, run an fwconsole chown after creating a cert.

I’ll open a ticket for the fix tomorrow, along with some more functionality.


Fix for the chown issue is at https://git.freepbx.org/plugins/servlet/jira-integration/issues/FREEPBX-21964.

The big addition for this ticket is Subject Alternative Name, so a cert can support more than one DNS name, i.e. a single cert can now support admin.mydomain.com, ucp.mydomain.com, sip.mydomain.com, etc.

Of limited use for the distro with the current port-based Apache virtual hosts, but it makes life much easier for those that use hostname/SNI-based virtual hosts.


Does your code allow certificates from other than the primary domain to be issued?

I ask because using such domains (using SNI, not ports) would provide a ‘once removed’ certification for administrative purposes (and provisioning) that is less easily revealed?
I believe that both TLS transport for calls (and such a transport doesn’t like wildcards/SAN for that purpose) and provisioning would benefit, yet still protect against MITM attacks inside a possibly compromised LAN.

Call it a kinda 2FA perhaps.

JM2CWAE

It passes the names to the Lescript.php script certman uses and prays.

But, yes, I tested for multi-domain (host.testdomain1.com and host2.testdomain2.com) and got a working cert.


(or two? 🙂)

If anyone cares…

Certman 15.0.35 has just been released to edge. It fixes the chown issues in the original CLI 15.0.34 release and adds support for alternative names in the cert.

I recommend running fwconsole chown from the console after installing 15.0.35 if you have used the Let's Encrypt CLI generation in 15.0.34.

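Putting the pieces of this thread together as an added example (not certman's or FreePBX's own code): issue the cert with the fwconsole command shown above, run the fwconsole chown workaround, then confirm that the saved cert.pem actually carries every hostname you wanted as a SAN entry, including the one-label wildcard rule. The certificate path and the --email flag name are assumptions (the thread's copy of the e-mail option was mangled), and the hostnames are made up.

```sh
#!/bin/sh
# Added example, not certman's or FreePBX's code: run the fwconsole steps from
# this thread (issue the cert, then the `fwconsole chown` workaround) and check
# that the saved cert.pem lists every hostname you expect as a SAN entry.
# CERT is a placeholder path; --email is an assumed flag name; only one
# --hostname is passed because the multi-name syntax is not shown in the thread.
PRIMARY="admin.mydomain.com"                       # constructed sample values
WANTED="admin.mydomain.com ucp.mydomain.com sip.mydomain.com"
EMAIL="admin@mydomain.com"
CERT="/path/to/certman/keys/${PRIMARY}/cert.pem"   # placeholder path

# covers SAN HOST: true when SAN entry $1 matches hostname $2. A wildcard covers
# exactly one leftmost label, so *.mydomain.com covers sip.mydomain.com but
# not a.b.mydomain.com or the bare mydomain.com.
covers() {
    case "$1" in
        \*.*) [ "${2#*.}" = "${1#\*.}" ] && [ "${2%%.*}" != "$2" ] ;;
        *)    [ "$1" = "$2" ] ;;
    esac
}

# missing_names "want1 want2 ..." "san1 san2 ...": prints wanted names that no
# SAN entry covers; empty output means the cert covers everything.
missing_names() {
    missing=""
    for want in $1; do
        found=0
        for san in $2; do
            if covers "$san" "$want"; then found=1; break; fi
        done
        [ "$found" -eq 1 ] || missing="$missing $want"
    done
    printf '%s\n' "${missing# }"
}

# san_names FILE: DNS entries of a PEM cert, space separated (needs openssl).
san_names() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' \
        | tail -n 1 | tr ',' ' ' | sed 's/DNS://g'
}

issue_and_verify() {
    fwconsole certificates --generate --type=le --hostname="$PRIMARY" \
        --country-code=ca --state=ns --email="$EMAIL"
    fwconsole chown                          # ownership fix recommended in the thread
    missing=$(missing_names "$WANTED" "$(san_names "$CERT")")
    [ -z "$missing" ] || { echo "cert $CERT does not cover: $missing" >&2; return 1; }
    echo "cert $CERT covers: $WANTED"
}

# Only call fwconsole when asked, so the helpers can be sourced or tested alone.
if [ "${1:-}" = "--run" ]; then issue_and_verify; fi
```

Run it as `sh check-cert.sh --run` on the PBX; a non-zero exit means the cert does not cover every name and the names it misses are printed.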
