I’m having trouble renewing a locally imported cert in FreePBX.
It’s a Let’s Encrypt cert, and I would love to use FreePBX’s built in support for LE, but I need the same cert to have multiple Subject Alt Names, and I don’t think FreePBX’s implementation supports that. So, I have a cron job that renews the cert and then uses a deploy hook to update it in FreePBX as described in the certbot docs here.
The only problem is I can’t get my deploy hook script to work. After I copy the updated cert and key to /etc/asterisk/keys and set appropriate ownership and permissions, I run fwconsole certificates import. But, I get an error:
No Certificates to import. Try placing a certificate (.crt) and its key (.crt) into /etc/asterisk/keys
I double checked that the correct files are in place, and they are (btw, there is a typo in the error message, one of the example file names should end in .key). I was only able to get it to work after I manually deleted the cert from the UI. But, as far as I can tell, you can’t delete a cert using fwconsole, and even if you could you would still need a way to reselect the new version of the cert in the transport config.
So, is there a way to automatically renew a locally imported cert in FreePBX?
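For anyone building the same kind of deploy hook, here is an added example of the copy-and-import step the question describes; it is not code from the original post, FreePBX or certbot. It relies on certbot's documented RENEWED_LINEAGE variable, and it assumes (none of this is stated above) that the basename FreePBX should see is the lineage directory name, that the PBX user and group are named asterisk, and that the import is run exactly as in the post, `fwconsole certificates import`. The point worth copying even if the import step changes is the file handling: the private key is written under umask 077 and left mode 0600, so it is never readable by other local users, not even for the instant between cp and chmod.

```shell
#!/bin/sh
# Certbot deploy hook for FreePBX: copy the renewed certificate and key into
# the Asterisk keys directory with safe ownership and modes, then ask FreePBX
# to import it. Added example, not FreePBX's or certbot's own code.
#
# certbot exports RENEWED_LINEAGE (the /etc/letsencrypt/live/<name> directory
# of the renewed cert) to deploy hooks. Assumptions beyond the original post:
#   - the certificate basename FreePBX should see is the lineage directory name
#   - the files should be owned by the "asterisk" user and group
#   - the import is invoked exactly as the post does: fwconsole certificates import

# Copy fullchain.pem/privkey.pem from a certbot lineage dir into a keys dir.
#   $1 = lineage directory, $2 = destination keys directory, $3 = basename
install_cert_files() {
    lineage="$1"; dest="$2"; name="$3"
    [ -r "$lineage/fullchain.pem" ] && [ -r "$lineage/privkey.pem" ] || {
        echo "deploy hook: missing fullchain.pem or privkey.pem in $lineage" >&2
        return 1
    }
    [ -d "$dest" ] || { echo "deploy hook: $dest is not a directory" >&2; return 1; }
    # umask 077 in a subshell: both files are created owner-only, so the key is
    # never world-readable, and the shell's own umask is left untouched.
    ( umask 077 \
        && cp "$lineage/fullchain.pem" "$dest/$name.crt" \
        && cp "$lineage/privkey.pem"   "$dest/$name.key" ) || return 1
    chmod 0644 "$dest/$name.crt" || return 1   # certificate is public
    chmod 0600 "$dest/$name.key" || return 1   # private key stays owner-only
    return 0
}

# Hand ownership to the PBX user when we are root and that user exists; skip
# otherwise so the hook can be dry-run by an unprivileged user.
#   $1 = keys directory, $2 = basename, $3 = user/group name
set_cert_owner() {
    dest="$1"; name="$2"; owner="$3"
    if [ "$(id -u)" -eq 0 ] && id "$owner" >/dev/null 2>&1; then
        chown "$owner:$owner" "$dest/$name.crt" "$dest/$name.key" || return 1
    fi
    return 0
}

# Full deploy step: install files, fix ownership, run the FreePBX import.
#   $1 = lineage directory (defaults to $RENEWED_LINEAGE)
#   $2 = keys directory    (defaults to $KEYS_DIR or /etc/asterisk/keys)
# The fwconsole binary can be overridden with $FWCONSOLE (handy for dry runs).
deploy_cert() {
    lineage="${1:-${RENEWED_LINEAGE:-}}"
    dest="${2:-${KEYS_DIR:-/etc/asterisk/keys}}"
    owner="${ASTERISK_USER:-asterisk}"
    fwconsole="${FWCONSOLE:-fwconsole}"
    [ -n "$lineage" ] || { echo "deploy hook: no lineage directory given" >&2; return 1; }
    name=$(basename "$lineage")
    install_cert_files "$lineage" "$dest" "$name" || return 1
    set_cert_owner "$dest" "$name" "$owner" || return 1
    # This is the step the post reports failing with "No Certificates to import"
    # when a certificate of that name is already registered in FreePBX.
    "$fwconsole" certificates import || return 1
    echo "deploy hook: imported $name from $lineage into $dest"
    return 0
}

# Act as a hook only when certbot invokes us; do nothing when merely sourced.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_cert "$RENEWED_LINEAGE" "${KEYS_DIR:-/etc/asterisk/keys}" || exit 1
fi
```

Install it as the `--deploy-hook` of the renewal cron job (or under /etc/letsencrypt/renewal-hooks/deploy/), and it only runs after a successful renewal. To rehearse it without touching a live PBX, point KEYS_DIR at a scratch directory and set FWCONSOLE to a harmless command such as `true`; the file modes it leaves behind are the thing to check.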
```php
/**
 * Validate and import a certificate
 *
 * IF any private key has a passphrase this WILL strip the passphrase!!
 *
 * @param string $name The certificate basename
 * @param string $privateKey RAW Private Key
 * @param string $signedCertificate RAW Signed Certificate
 * @param string $certificateChain RAW Certificate Chain
 * @param string $passphrase Passphrase to decrypt private key
 */
public function importCertificate($name, $privateKey, $signedCertificate, $certificateChain = '', $passphrase = '')
```
Good question. In the FreePBX PJSIP settings, you are only allowed to select a single cert for the TLS transport. I need the server to be accessible from a couple of different URLs, so while I could easily generate an LE cert for each URL, I can only choose one of them to be presented by PJSIP.
Thanks for the answer. I do not deal with multi-tenant systems (the only good reason I can think of; you may have another), so I never have a problem with a single cert for everyone connecting.