I have my FreePBX 15 system behind a firewall, and have no intention of opening port 80 to the world as Let’s Encrypt has always required – unfortunately, this means I can’t use the built-in certificate management to obtain and renew a cert from Let’s Encrypt. However, I’m entirely comfortable with the DNS challenge; I’m using that to get certs for probably a couple dozen devices on my LAN. I only found one earlier topic (Let's encrypt dns challenge) discussing this, but that left it at “no, FreePBX doesn’t do the DNS challenge.” Well and good, but is there any other way to automate the process?
It’s relatively trivial to install acme.sh, certbot, or some other client and get my own cert using DNS validation – I’ve done that, in one form or another, on many systems. Automating renewals is similarly trivial – as long as your DNS host supports it (I like acme-dns for this purpose). What I’m not clear on is what, in a FreePBX context, needs to be done with this cert.
- Is there some kind of API call I can make to import the cert? I’d think this would be preferred; it would then show up in the Certificate Management page and be assigned to any services that would use it (which are…?)
- Or is it enough to just copy the cert to where Apache expects it to be and reload Apache? That’s obviously simple, but if the cert’s used for anything else, it wouldn’t do that.
Where all is the cert used, and what (if anything) can be done from the CLI to install a new cert?