Let’s Encrypt, DNS challenge, and scripting?: Update 2025

Thank you to @btbutts and @danb35 for keeping this going. I’m here to update this as per Brian’s question about scripting the sysadmin module to update the cert along with certman. I can confirm that it IS possible. The command is as follows:

fwconsole sa ihc default

I had a slightly different use case, as I have a different server creating wildcard certs and I share those among my several different servers using NFS. My script renews the cert by comparing the cert (hourly, via the cron.hourly folder) and then copying the new cert and updating the various modules. The script is as follows:

#!/bin/bash

LOGFILE="/var/log/asterisk/letsencrypt_update.log"
CERT_DIR="/path/to/nfs/mounted/cert"
ASTERISK_KEY_DIR="/etc/asterisk/keys"
SSL_PRIVATE_DIR="/etc/ssl/private"
DOMAIN="domain.local"

# Log function
log_message() {
  local MESSAGE="$1"
  echo "$(date '+%Y-%m-%d %H:%M:%S') - $MESSAGE" >> "$LOGFILE"
  logger -t "certificate_update" "$MESSAGE"
}

log_message "Starting certificate update process."

# Check that the mounted key is readable and the mounted chain is newer than the deployed one
if [[ -r "$CERT_DIR/privkey.pem" && "$CERT_DIR/fullchain.pem" -nt "$ASTERISK_KEY_DIR/$DOMAIN.crt" ]]; then
  log_message "New certificates found. Updating..."

  # Backup existing certificates
  cd "$SSL_PRIVATE_DIR" || { log_message "Cannot cd to $SSL_PRIVATE_DIR, aborting."; exit 1; }
  tar -cvf cert-backup_$(date +%Y-%m-%d_%H.%M.%S).tar asterisk* 2>/dev/null || true

  # Convert and prepare certificates
  log_message "Converting certificates to required formats..."

  # Copy new certs to SSL private directory
  cp "$CERT_DIR/fullchain.pem" "$SSL_PRIVATE_DIR/asterisk19-pub.crt"
  cp "$CERT_DIR/privkey.pem" "$SSL_PRIVATE_DIR/asterisk19-priv.key"

  # Convert to PKCS12 and PEM formats
  openssl pkcs12 -export -in "$SSL_PRIVATE_DIR/asterisk19-pub.crt" \
    -inkey "$SSL_PRIVATE_DIR/asterisk19-priv.key" \
    -out "$SSL_PRIVATE_DIR/asterisk19.p12" \
    -name freepbx -password pass:freepbx-lets-encrypt

  # Re-encode the private key as unencrypted PKCS#8 PEM (this does not change the key type)
  openssl pkcs8 -topk8 -nocrypt \
    -in "$SSL_PRIVATE_DIR/asterisk19-priv.key" \
    -out "$SSL_PRIVATE_DIR/asterisk19-priv_rsa.key"

  # Convert PKCS12 to PEM
  openssl pkcs12 -in "$SSL_PRIVATE_DIR/asterisk19.p12" \
    -out "$SSL_PRIVATE_DIR/asterisk19.pem" \
    -nodes -password pass:freepbx-lets-encrypt

  # Set permissions on the staging copies: they contain the private key, so keep them root-only
  chown root:root "$SSL_PRIVATE_DIR"/asterisk19*
  chmod 600 "$SSL_PRIVATE_DIR"/asterisk19*

  # Copy to FreePBX directory
  cd "$ASTERISK_KEY_DIR" || { log_message "Cannot cd to $ASTERISK_KEY_DIR, aborting."; exit 1; }
  tar -cvf cert-backup_$(date +%Y-%m-%d_%H.%M.%S).tar * 2>/dev/null || true

  # Copy converted certificates
  cp "$SSL_PRIVATE_DIR/asterisk19-priv_rsa.key" "$ASTERISK_KEY_DIR/$DOMAIN.key"
  cp "$SSL_PRIVATE_DIR/asterisk19-pub.crt" "$ASTERISK_KEY_DIR/$DOMAIN.crt"
  cp "$SSL_PRIVATE_DIR/asterisk19.pem" "$ASTERISK_KEY_DIR/$DOMAIN.pem"

  # Set permissions
  chown asterisk:asterisk "$ASTERISK_KEY_DIR/$DOMAIN".*
  chmod 640 "$ASTERISK_KEY_DIR/$DOMAIN".*

  # Import to FreePBX Certman Module
  log_message "Importing certificates to FreePBX..."
  fwconsole certificates --import
  fwconsole certificates --default=0
  # Update SysAdmin Module
  fwconsole sa ihc default

  # Reload FreePBX
  log_message "Reloading FreePBX configuration..."
  fwconsole reload

  log_message "New certificates imported, set as default, and deployed successfully."
else
  log_message "No new certificates to import."
fi

log_message "Certificate update process completed."


Feel free to update this for your own use case or just let me know if you think I’m doing something wrong here. It sure would be nice if Sangoma actually updated Certman to do this natively.
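A pre-deployment check to run before a cron job like the one above copies a renewed cert into /etc/asterisk/keys, added here as an example (it is not part of the original post and not FreePBX or certman code): it confirms the private key actually belongs to the certificate, that the certificate is not about to expire, and that it covers the host, including the wildcard case. It assumes only the openssl CLI on PATH; validate_cert_pair and its arguments are hypothetical names.

```shell
#!/bin/bash
# Pre-deployment checks for a Let's Encrypt cert/key pair (POSIX sh syntax, openssl CLI only).
#   $1 fullchain.pem   $2 privkey.pem   $3 hostname the cert must cover
#   $4 minimum remaining validity in days (default 7)
# Returns 0 when every check passes, 1 otherwise (reason on stderr).
validate_cert_pair() {
  local cert="$1" key="$2" domain="$3" min_days="${4:-7}"
  local cert_pub key_pub names name ok=0

  # 1. Both files must exist and be readable
  [ -r "$cert" ] && [ -r "$key" ] \
    || { echo "cert or key missing/unreadable" >&2; return 1; }

  # 2. Certificate must not expire within min_days (-checkend takes seconds)
  openssl x509 -in "$cert" -noout -checkend $(( min_days * 86400 )) >/dev/null 2>&1 \
    || { echo "cert expires within ${min_days} days (or is not a certificate)" >&2; return 1; }

  # 3. Key must belong to the leaf cert: compare the public keys derived from each
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
    || { echo "private key does not match certificate" >&2; return 1; }

  # 4. Cert must cover the hostname: SAN DNS entries, falling back to the subject CN
  names=$(openssl x509 -in "$cert" -noout -text 2>/dev/null \
          | grep -A1 'Subject Alternative Name' | tr ',' '\n' | sed -n 's/.*DNS://p')
  [ -n "$names" ] \
    || names=$(openssl x509 -in "$cert" -noout -subject | sed -n 's/.*CN *= *//p')
  set -f   # names may contain '*'; do not let the shell glob-expand them
  for name in $names; do
    case "$name" in
      "$domain") ok=1 ;;                  # exact match
      \*.*)                               # wildcard covers exactly one label, not the apex
        [ "${name#\*.}" = "${domain#*.}" ] && [ "$domain" != "${domain#*.}" ] && ok=1 ;;
    esac
  done
  set +f
  [ "$ok" = 1 ] || { echo "certificate does not cover $domain" >&2; return 1; }
}
```

Call it right before the copy step (e.g. `validate_cert_pair "$CERT_DIR/fullchain.pem" "$CERT_DIR/privkey.pem" "pbx.$DOMAIN" || exit 1`) so a half-written NFS file or a renewal that produced a mismatched pair never reaches Asterisk.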
