Let's Encrypt certificate

When I use the FreePBX distro Certificate Manager to create a “Let’s Encrypt” SSL certificate for domain abc.com I get a validation error for https://www.abc.com (https://abc.com works) and if I create the certificate for www.abc.com I get the browser error for https://abc.com.

SSL_ERROR_BAD_CERT_DOMAIN
www.abc.com uses an invalid security certificate. The certificate is only valid for abc.com

Seems that the certificate does not recognize abc.com and www.abc.com as the same domain.

That is correct. “www” is a subdomain. The certificate will only work for one (at this time); you should redirect the other.
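As an added example, not code from this thread, from FreePBX or from Let’s Encrypt: the name check a browser performs before it shows SSL_ERROR_BAD_CERT_DOMAIN, written in Python over constructed subjectAltName lists so the abc.com / www.abc.com cases above can be tried offline. The function names and the sample names are my own; no real certificate is parsed, and the rules it applies (label-by-label matching, one name never covering a different number of labels, wildcards only as the whole leftmost label) are the RFC 6125 rules browsers follow.

```python
# Added example (not FreePBX or Let's Encrypt code): the hostname check a
# browser performs before raising SSL_ERROR_BAD_CERT_DOMAIN, applied to the
# abc.com / www.abc.com case from this thread. A certificate is represented
# only by its DNS subjectAltName entries, which is all modern browsers look at
# (the Subject CN is ignored). All names below are constructed sample data.
from typing import Iterable, List


def _normalize(name: str) -> List[str]:
    """Lower-case a DNS name, drop a trailing dot, split it into labels."""
    return name.strip().lower().rstrip(".").split(".")


def hostname_matches(hostname: str, san_dns_names: Iterable[str]) -> bool:
    """True if any SAN dNSName covers hostname (RFC 6125 style matching).

    Rules applied:
    - comparison is case-insensitive and label by label
    - a name covers exactly as many labels as it has: abc.com never covers
      www.abc.com, and www.abc.com never covers abc.com ("www" is a subdomain)
    - a wildcard is honoured only as the entire leftmost label, must be
      followed by at least two labels (*.com is rejected) and matches exactly
      one label, so *.abc.com covers www.abc.com but neither abc.com nor
      a.b.abc.com
    """
    host = _normalize(hostname)
    if "*" in hostname or any(not label for label in host):
        return False  # a wildcard or an empty label in the requested host never matches
    for san in san_dns_names:
        labels = _normalize(san)
        if len(labels) != len(host):
            continue
        if labels[0] == "*":
            if len(labels) >= 3 and labels[1:] == host[1:]:
                return True
        elif labels == host:
            return True
    return False


def uncovered(san_dns_names: Iterable[str], wanted_hosts: Iterable[str]) -> List[str]:
    """Hosts a browser would reject with this certificate.

    For a certificate meant to serve several names this is the list of names
    still missing from it, i.e. the names that would have to be added.
    """
    sans = list(san_dns_names)
    return [h for h in wanted_hosts if not hostname_matches(h, sans)]


if __name__ == "__main__":
    wanted = ["abc.com", "www.abc.com"]
    # The three certificates discussed in the thread (constructed SAN lists).
    for label, sans in [
        ("issued for abc.com", ["abc.com"]),
        ("issued for www.abc.com", ["www.abc.com"]),
        ("issued for both names", ["abc.com", "www.abc.com"]),
    ]:
        missing = uncovered(sans, wanted)
        if missing:
            print(f"{label}: SSL_ERROR_BAD_CERT_DOMAIN for {missing}")
        else:
            print(f"{label}: both names accepted")
```

Running it shows why each single-name certificate fails for the other name and why only a certificate carrying both names (or a redirect to the covered name, as suggested above) satisfies both URLs; the wildcard rule is included because a `*.abc.com` certificate is a common next guess and it does not cover the bare `abc.com` either.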

OK. Thanks, but “Let’s Encrypt” allows you to generate one certificate which will be valid for both www.domain.tld and domain.tld, so we just need to update the Certificate Manager in FreePBX for the required syntax: “-d www.domain.tld -d domain.tld”.

I understand how Let’s Encrypt works. At this time the module does not support that.

Also, that syntax doesn’t work for FreePBX.

A lot of design decisions in FreePBX are based around ‘Your PBX only does one thing’. This allows you (and us!) to tighten the security dramatically, without adding onerous requirements to the clients. In this specific case, it’s expected that you would be using https://pbx.example.com for your pbx, and another, totally separate machine, for https://example.com and https://www.example.com

However, honestly, if you really think it’s needed, we wouldn’t refuse a pull request with the changes to support multiple names in the certificate, but (to me) it seems like you’re approaching this wrong from the very start. (I mean, seriously, AWS will give you a free tiny VM for a year, just for signing up with them. Host your website there)


Thanks. On a follow up.

Let’s Encrypt requires the following hosts to be permitted for inbound HTTP access:
outbound1.letsencrypt.org, outbound2.letsencrypt.org, mirror1.freepbx.org, mirror2.freepbx.org

Is it enough to open port 80 in the firewall, or does it require any other ports? e.g.
-A INPUT -p tcp -s outbound1.letsencrypt.org --dport 80 -j ACCEPT
etc…