When my LE certificate had expired in January, I posted a comment on a now-closed topic where the OP was reporting a problem with requesting LE certificates. I replied to say that ‘fwconsole cert --updateall --force’ succeeded as a workaround for me. Today, I received an LE email notification indicating the certificate for a FreePBX system I manage would expire in about 20 days. If native FreePBX LE renewal were working as expected, I don’t think I should receive such a notification. So after reading various posts here, I decided to use the official acme.sh script along with DNS API integration for LE certs. Thank you to others who have suggested this. You know who you are.
In case it is helpful to others, here is how I went about it. You will need to adjust certain steps for your requirements. I include a prompt character (#) in my example commands.
- Installed acme.sh:
# curl https://get.acme.sh | sh -s [email protected]
- Signed on to NameSilo, enabled/generated an API key and saved the key in my trusty password manager. This will obviously be different for many of you. See the acme.sh DNS API doc.
- Edited ~/.acme.sh/acme.sh.env, adding the line:
export Namesilo_Key="MY_NameSilo_API_KEY"
- Closed (exited) my SSH session and signed on again, to reload bash. This would work too:
# source ~/.acme.sh/acme.sh.env
- Listed and removed all certificates from FreePBX:
# fwconsole certificate --list
# fwconsole certificate --delete 0
# fwconsole certificate --delete 0
I had a “default” self-signed certificate and an LE certificate, so repeated the command to delete both certificates. After deleting the first (“default”) certificate with ID 0, the remaining certificate was assigned ID 0.
- Backed up (just in case) and deleted contents of /etc/asterisk/keys:
# cp -r /etc/asterisk/keys ~/asteriskKeys.bak
# rm -rf /etc/asterisk/keys/*
Be cautious with the rm command! You can seriously fubar your system. Dropping the ‘f’ option is safer and will prompt you to confirm deletion of each file.
- Submitted LE certificate request:
# acme.sh --issue --dns dns_namesilo -d primary.name.tld -d secondary.name.tld
I have 2 DNS A records for this FreePBX system, and want to include both FQDNs in the certificate. secondary.name.tld is included in the SAN (subject alternative name) field. After 10 minutes or so of the script doing some DNS “magic” and checking DNS records every 10 seconds, I had a new certificate. The DNS API doc suggests including --dnssleep 900 in the command for NameSilo. In hindsight, it would have been wise to include that.
- Installed issued certificate and imported to FreePBX:
# acme.sh -i -d primary.name.tld -d secondary.name.tld --cert-file /etc/asterisk/keys/$(hostname -f).crt --key-file /etc/asterisk/keys/$(hostname -f).key --fullchain-file /etc/asterisk/keys/$(hostname -f).pem --renew-hook 'systemctl reload httpd.service'
# systemctl reload httpd.service
# fwconsole certificate --import
- Set imported certificate as default and disabled responsive LE rules:
# fwconsole certificate --default 0
# fwconsole firewall lerules disable
- Confirmed acme.sh renewal cron job was created:
# crontab -l
- Dumped (displayed) config info for the cert:
# acme.sh --info -d primary.name.tld
I noticed that Le_RenewHook was unexpectedly set to a null string, so I edited ~/.acme.sh/primary.name.tld_ecc/primary.name.tld.conf and manually set Le_RenewHook:
Le_RenewHook='__ACME_BASE64__START_c3lzdGVtY3RsIHJlbG9hZCBodHRwZC5zZXJ2aWNlCg==__ACME_BASE64__END_'
c3lzdGVtY3RsIHJlbG9hZCBodHRwZC5zZXJ2aWNlCg== is the base64 encoding of: systemctl reload httpd.service
The acme.sh --info command will show the human-readable (decoded) string. You can use the base64 command to base64-encode a command string (and base64 -d to decode one). For example:
# echo 'systemctl reload httpd.service' | base64
So…I’m not sure if LE certificate auto-renewal as currently configured (Le_RenewHook, in particular) will work as expected. A recent (January 2024) comment on an acme.sh issue (GitHub) indicates that deploy hooks aren’t working for the commenter, specifically for ECC certificates. Switching to RSA certificates worked for the commenter. If moderators leave this post open that long, I will try to remember to post an update with results and adjustments if required, for the next LE certificate renewal.
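Added here as a worked example, not part of the original post and not acme.sh's own code: a small bash helper that reads and writes the base64-wrapped values acme.sh keeps in its per-domain .conf (the __ACME_BASE64__START_/__ACME_BASE64__END_ form shown above) and checks whether anything at all will run after a renewal. It looks at both Le_RenewHook, which the post edited by hand, and Le_ReloadCmd, the key acme.sh uses for the --reloadcmd option of --install-cert. The domain name, the ~/.acme.sh/<domain>_ecc/ layout and the constructed .conf contents are assumptions taken from the post for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original post or from acme.sh). Reads/writes the
# base64-wrapped values in an acme.sh per-domain .conf and checks that a
# post-renewal command is configured. Key names (Le_RenewHook, Le_ReloadCmd)
# and the <domain>_ecc directory layout are as acme.sh uses them.
set -euo pipefail

ACME_B64_START='__ACME_BASE64__START_'
ACME_B64_END='__ACME_BASE64__END_'

# Path of the per-domain conf. ECC certs (acme.sh's default) live under
# <domain>_ecc/, RSA certs under <domain>/. Second arg overrides ~/.acme.sh.
acme_domain_conf() {
  local domain=$1 home=${2:-${HOME:-/root}/.acme.sh}
  if [ -f "$home/${domain}_ecc/${domain}.conf" ]; then
    printf '%s' "$home/${domain}_ecc/${domain}.conf"
  else
    printf '%s' "$home/${domain}/${domain}.conf"
  fi
}

# Print the decoded value of KEY from CONF; prints nothing if the key is
# absent or set to ''. Handles both wrapped (base64) and plain values.
acme_conf_get() {
  local key=$1 conf=$2 raw
  raw=$(sed -n "s/^${key}='\(.*\)'\$/\1/p" "$conf" | tail -n 1)
  case $raw in
    "${ACME_B64_START}"*"${ACME_B64_END}")
      raw=${raw#"$ACME_B64_START"}
      raw=${raw%"$ACME_B64_END"}
      printf '%s' "$raw" | base64 -d
      ;;
    *) printf '%s' "$raw" ;;
  esac
}

# Store VALUE under KEY in CONF in acme.sh's wrapped form. Encoding with
# printf '%s' (no trailing newline) yields the 40-character string without
# the ...Cg== suffix that `echo ... | base64` produces.
acme_conf_set() {
  local key=$1 value=$2 conf=$3 enc line
  enc=$(printf '%s' "$value" | base64 | tr -d '\n')
  line="${key}='${ACME_B64_START}${enc}${ACME_B64_END}'"
  if grep -q "^${key}=" "$conf"; then
    # '|' is a safe sed delimiter here: it never appears in base64 output.
    sed "s|^${key}=.*|${line}|" "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
  else
    printf '%s\n' "$line" >> "$conf"
  fi
}

# Succeed only if a reload command or a renew hook is configured, so a cron
# renewal will actually tell httpd to pick up the new certificate.
acme_has_reload() {
  local conf=$1
  [ -n "$(acme_conf_get Le_ReloadCmd "$conf")$(acme_conf_get Le_RenewHook "$conf")" ]
}

# Usage: acme_check_renew primary.name.tld
acme_check_renew() {
  local conf
  conf=$(acme_domain_conf "$1")
  printf 'conf:      %s\n' "$conf"
  printf 'reloadcmd: %s\n' "$(acme_conf_get Le_ReloadCmd "$conf")"
  printf 'renewhook: %s\n' "$(acme_conf_get Le_RenewHook "$conf")"
  acme_has_reload "$conf" || {
    echo 'WARNING: nothing will reload httpd after renewal' >&2
    return 1
  }
}
```

Run `acme_check_renew primary.name.tld` after `acme.sh --install-cert ...` and again after the first cron renewal; a non-zero exit means neither Le_ReloadCmd nor Le_RenewHook is set and httpd will keep serving the old certificate until something reloads it.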