Thank you to @btbutts and @danb35 for keeping this going. I’m here to update this as per Brian’s question about scripting the sysadmin module to update the cert along with certman. I can confirm that it IS possible. The command is as follows:
```bash
fwconsole sa ihc default
```
I had a slightly different use-case as I have a different server creating wildcard certs and I share those among my several different servers using NFS. My script renews the cert by comparing the cert (hourly through cron.hourly folder) and then copying the new cert and updating the various modules. The script is as follows:
```bash
#!/bin/bash

LOGFILE="/var/log/asterisk/letsencrypt_update.log"
CERT_DIR="/path/to/nfs/mounted/cert"
ASTERISK_KEY_DIR="/etc/asterisk/keys"
SSL_PRIVATE_DIR="/etc/ssl/private"
DOMAIN="domain.local"

# Log function: writes to the log file and to syslog
log_message() {
    local MESSAGE="$1"
    echo "$(date '+%Y-%m-%d %H:%M:%S') - $MESSAGE" >> "$LOGFILE"
    logger -t "certificate_update" "$MESSAGE"
}

log_message "Starting certificate update process."

# Check if mounted certificates are newer
if [[ "$CERT_DIR/fullchain.pem" -nt "$ASTERISK_KEY_DIR/$DOMAIN.crt" ]]; then
    log_message "New certificates found. Updating..."

    # Backup existing certificates
    cd "$SSL_PRIVATE_DIR" || exit 1
    tar -cvf "cert-backup_$(date +%Y-%m-%d_%H.%M.%S).tar" asterisk* 2>/dev/null || true

    # Convert and prepare certificates
    log_message "Converting certificates to required formats..."

    # Copy new certs to SSL private directory
    cp "$CERT_DIR/fullchain.pem" "$SSL_PRIVATE_DIR/asterisk19-pub.crt"
    cp "$CERT_DIR/privkey.pem" "$SSL_PRIVATE_DIR/asterisk19-priv.key"

    # Convert to PKCS12 and PEM formats
    openssl pkcs12 -export -in "$SSL_PRIVATE_DIR/asterisk19-pub.crt" \
        -inkey "$SSL_PRIVATE_DIR/asterisk19-priv.key" \
        -out "$SSL_PRIVATE_DIR/asterisk19.p12" \
        -name freepbx -password pass:freepbx-lets-encrypt

    # Write the private key as unencrypted PKCS#8 (stored as *_rsa.key)
    openssl pkcs8 -topk8 -nocrypt \
        -in "$SSL_PRIVATE_DIR/asterisk19-priv.key" \
        -out "$SSL_PRIVATE_DIR/asterisk19-priv_rsa.key"

    # Convert PKCS12 to PEM
    openssl pkcs12 -in "$SSL_PRIVATE_DIR/asterisk19.p12" \
        -out "$SSL_PRIVATE_DIR/asterisk19.pem" \
        -nodes -password pass:freepbx-lets-encrypt

    # Set ownership and permissions on the files this script wrote. They hold
    # private key material, so keep them readable by root only (was 664 on
    # every file in the directory).
    chown root:root "$SSL_PRIVATE_DIR"/asterisk19* "$SSL_PRIVATE_DIR"/cert-backup_*.tar
    chmod 600 "$SSL_PRIVATE_DIR"/asterisk19* "$SSL_PRIVATE_DIR"/cert-backup_*.tar

    # Copy to FreePBX directory; back up first, leaving out earlier backup
    # archives so each backup does not contain all the previous ones
    cd "$ASTERISK_KEY_DIR" || exit 1
    tar --exclude='cert-backup_*.tar' \
        -cvf "cert-backup_$(date +%Y-%m-%d_%H.%M.%S).tar" * 2>/dev/null || true

    # Copy converted certificates
    cp "$SSL_PRIVATE_DIR/asterisk19-priv_rsa.key" "$ASTERISK_KEY_DIR/$DOMAIN.key"
    cp "$SSL_PRIVATE_DIR/asterisk19-pub.crt" "$ASTERISK_KEY_DIR/$DOMAIN.crt"
    cp "$SSL_PRIVATE_DIR/asterisk19.pem" "$ASTERISK_KEY_DIR/$DOMAIN.pem"

    # Set permissions
    chown asterisk:asterisk "$ASTERISK_KEY_DIR/$DOMAIN".*
    chmod 640 "$ASTERISK_KEY_DIR/$DOMAIN".*

    # Import to FreePBX Certman Module
    log_message "Importing certificates to FreePBX..."
    fwconsole certificates --import
    fwconsole certificates --default=0

    # Update SysAdmin Module
    fwconsole sa ihc default

    # Reload FreePBX
    log_message "Reloading FreePBX configuration..."
    fwconsole reload

    log_message "New certificates imported, set as default, and deployed successfully."
else
    log_message "No new certificates to import."
fi

log_message "Certificate update process completed."
```
Feel free to update this for your own use-case or just let me know if you think I’m doing something wrong here. It sure would be nice if Sangoma actually updated Certman to do this natively.
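
A pre-deployment check that fits before the copy step of the script above, added here as an example that is not part of the original post: it confirms that the shared `fullchain.pem` and `privkey.pem` belong together, that the certificate is not about to expire, and that it covers this host. The names `validate_cert_pair` and `MIN_VALID_SECONDS` and the 24-hour threshold are assumptions.

```bash
#!/bin/bash
# Added example, not from the original post. validate_cert_pair and
# MIN_VALID_SECONDS are hypothetical names; the 24-hour floor is an assumption.
MIN_VALID_SECONDS=86400

# Usage: validate_cert_pair FULLCHAIN PRIVKEY HOSTNAME
# Returns 0 only if the key matches the leaf certificate, the certificate
# stays valid for MIN_VALID_SECONDS, and it covers HOSTNAME.
validate_cert_pair() {
    local cert="$1" key="$2" host="$3"
    local cert_pub key_pub

    # fullchain.pem is leaf + intermediates; openssl x509 reads the first (leaf).
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "cannot parse certificate: $cert" >&2; return 1; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || {
        echo "cannot parse private key: $key" >&2; return 1; }

    # A half-copied or mismatched pair on the share shows up here.
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not match certificate" >&2; return 1
    fi

    # -checkend exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend "$MIN_VALID_SECONDS" \
            >/dev/null 2>&1; then
        echo "certificate expires within $MIN_VALID_SECONDS seconds" >&2; return 1
    fi

    # -checkhost reports its verdict as text, so match on the message.
    if ! openssl x509 -in "$cert" -noout -checkhost "$host" 2>&1 |
            grep -q "does match certificate"; then
        echo "certificate does not cover $host" >&2; return 1
    fi
    return 0
}

# Run directly as: script FULLCHAIN PRIVKEY HOSTNAME
if [ "$#" -eq 3 ]; then
    validate_cert_pair "$1" "$2" "$3"
fi
```

In the script above, a call such as `validate_cert_pair "$CERT_DIR/fullchain.pem" "$CERT_DIR/privkey.pem" "pbx.$DOMAIN" || exit 1` would sit just before the backup step; `pbx.$DOMAIN` stands in for the server's real hostname.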