Let's Encrypt, DNS challenge, and scripting?

I’m not sure I see the concern here. Any halfway decent ACME client supports putting the cert and key files wherever you want them, with whatever names you want, and also supports calling arbitrary commands after the fact to restart/reload your services (or do anything else that’s necessary at that point). This would appear to address your points 1 and 2. And unless there’s a strong reason I don’t know of to not directly edit the Apache config files (and if there is, I’d like to hear it), they can be edited to point directly to the cert files in /etc/asterisk/keys and Apache reloaded by the same facility in the client, so I don’t see the need to do anything with sysadmin.

Of course, the fact that I don’t see something doesn’t mean it doesn’t exist, and I’m a bit of a n00b with FreePBX–if I’m missing something, please let me know. The solution described up-thread seems to be working, but I guess the real test will come with renewal. I don’t see any reason it shouldn’t work, but computers have a way of surprising you…


For completeness, and if necessary, adjust postfix's main.cf

/etc/postfix/main.cf:smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
/etc/postfix/main.cf:smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key

and fop2’s /usr/local/fop2/fop2.cfg,

ssl_certificate_file=/etc/pki/tls/certs/localhost.crt
ssl_certificate_key_file=/etc/pki/tls/private/localhost.key

to point to the cert and key now in /etc/asterisk/keys/ and reload both services in the --renew-hook

If using sftp or something else that uses tls, rinse and repeat for them.
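The procedure above (repoint each service's cert/key settings at /etc/asterisk/keys, then reload the services from the renew hook) as an added example in POSIX sh; this is not code from the thread or from FreePBX. The file names fullchain.pem and privkey.pem, the fop2 service name, and the use of systemctl are assumptions, and the key-matching check before any reload is added so a bad renewal does not take the services down with a mismatched pair.

```shell
#!/bin/sh
# Added example, not from the original thread. Run it from the ACME client's
# renew hook (e.g. --renew-hook "/usr/local/sbin/deploy-certs.sh deploy").
# Assumed locations: the ACME client has already written the new cert and key
# into /etc/asterisk/keys with the names below; adjust to your install.
CERT_DIR=/etc/asterisk/keys
CERT=$CERT_DIR/fullchain.pem
KEY=$CERT_DIR/privkey.pem

# set_kv FILE KEY VALUE: rewrite every "KEY=VALUE" (or "KEY = VALUE") line in
# FILE so it reads "KEY=VALUE"; append the line if KEY is not present.
# Portable (no GNU sed -i): write to a temp file, then replace the original.
set_kv() {
    file=$1; key=$2; value=$3
    if grep -q "^[[:space:]]*$key[[:space:]]*=" "$file"; then
        sed "s|^[[:space:]]*$key[[:space:]]*=.*|$key=$value|" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_kv FILE KEY: print the value currently set for KEY in FILE (last match).
get_kv() {
    sed -n "s|^[[:space:]]*$2[[:space:]]*=[[:space:]]*||p" "$1" | tail -n 1
}

# cert_matches_key CERT KEY: 0 if the certificate's public key equals the
# public key derived from KEY. Reloading a service with a mismatched pair
# breaks TLS, so this runs before any reload.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# point_services: apply the settings quoted in the thread to postfix and fop2.
point_services() {
    set_kv /etc/postfix/main.cf smtpd_tls_cert_file "$CERT"
    set_kv /etc/postfix/main.cf smtpd_tls_key_file  "$KEY"
    set_kv /usr/local/fop2/fop2.cfg ssl_certificate_file     "$CERT"
    set_kv /usr/local/fop2/fop2.cfg ssl_certificate_key_file "$KEY"
}

# reload_services: pick up the new files. Service names are assumptions.
reload_services() {
    systemctl reload postfix
    systemctl restart fop2
    systemctl reload httpd 2>/dev/null || systemctl reload apache2
}

# Only act when explicitly asked, so sourcing the file for its functions
# (or running a test against them) changes nothing on the host.
case "${1:-}" in
    deploy)
        if cert_matches_key "$CERT" "$KEY"; then
            point_services && reload_services
        else
            echo "deploy-certs: $CERT does not match $KEY, leaving services untouched" >&2
            exit 1
        fi
        ;;
esac
```

The hook deliberately edits only the two directives per file and leaves the rest of main.cf and fop2.cfg alone; if your configs use a different key style (for example quoted values), extend the sed pattern in set_kv accordingly.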


Please, let’s all treat each other kindly here. (Think of “Bill and Ted’s Excellent Adventure”, and “be excellent to each other”.) There’s no reason to pick on each other or get overly defensive.
