Letsencrypt certificates - two domains (pbx.example.com, pbx5.example.com)

My FreePBX systems can be accessed by using one of two fully qualified domain names - for example pbx-example-com and pbx5-example-com. My phones register to pbx but when I am building or managing the servers I access it via pbx5. When it is time to build a new server I will build it as pbx6. When I am ready to transition to the new server I move the pbx name to point to pbx6.

I have no problems with getting the certificates using certbot.

First with:
sudo certbot --apache -d pbx7-example-com
(I am a new user, the “-” should be “.”)

And then when I have repointed pbx:
sudo certbot --apache -d pbx.example-com -d pbx7-example-com

I would like to be able to do this using the Certificate Manager in FreePBX but I can’t figure out how to get the Certificate Manager to generate a single certificate for both pbx and pbx5.

One driver in wanting to do this inside FreePBX and Certificate Manager is that I need to use WebRTC and I would prefer to use a single certificate for HTTPS and WebRTC.

I would appreciate any thoughts on how to accomplish the two names in a single certificate using FreePBX and Certificate Manager or any other ways of accomplishing this in a straightforward manner that will not involve manual intervention every time the certificates are renewed.

By the way, I am running FreePBX 16-15 on CentOS 7.

Thank you.

I’m not sure what this means. Did you install the new Incredible PBX package?

Yes, I installed Incredible PBX 16-15 with CentOS 7 (https://nerdvittles.com/?p=30236).

OK, I actually gave him grief about this yesterday. Nowhere in the documentation for this setup did I see a clear mention (or any mention) that FreePBX v15 is 100% BETA which means it still has issues and bugs. Most importantly, it’s not production ready.

However, in your case you are looking to do a multi-domain cert which FreePBX doesn’t support in the Certificate Manager. You’ll have to generate that by hand and follow Let’s Encrypt’s instructions for multi-domain cert generation.

I am able to create a multi domain certificate using certbot:

sudo certbot --apache -d pbx.example-com -d pbx7-example-com

However, if I want to utilize the WebRTC phone in the User Control Panel, I can’t seem to figure out a better way than Certificate Manager > New Certificate > Upload Certificate and uploading the certbot certificate. I am able to enter the certificate I created using certbot, but I am concerned that I might need to repeat this process every 90 days.

I would guess there might be a more elegant solution using linux links or modifying Advanced Settings and Asterisk SIP Settings but I couldn’t seem to hit on a set of settings that worked.

This is not urgent for me to solve as it is a personal PBX, but it would be nice if I could get it working.

Thank you.

Yes, because it’s Let’s Encrypt. It’s their model. You could just purchase one and deal with it yearly.

Just use Certbot to make your own cert and then link to it?

https://wiki.freepbx.org/display/F2/Certificate+Management+User+Guide#CertificateManagementUserGuide-ImportLocally

Put a link in /etc/asterisk/keys to the LE generated cert and key. Click “Import Locally” in Cert Manager and you are done.

Edit to clarify: Certbot can then renew all it wants and all you will ever have to do is restart Apache. Which certbot can do with a post-hook.

Also is there some weird reason to have two domain names set up? I mean, of course you can point as many FQDN to your PBX as you want, but why?

Edit: Reread your original post. You need valid certs because new system and you don’t want to interfere with the old, maybe?

Thanks everyone for your inputs. I thought I would document what I have found out.

When I “Import Locally” after the following link command, no certificates are imported.

  • ln -s /etc/letsencrypt/live/pbx.example.com/privkey.pem /etc/asterisk/keys/pbx.key
  • ln -s /etc/letsencrypt/live/pbx.example.com/cert.pem /etc/asterisk/keys/pbx.crt

Linking to the letsencrypt files does not seem to work.

When I “Import Locally” after the following cat commands, the certificates are properly imported.

  • cat /etc/letsencrypt/live/pbx.example.com/privkey.pem > /etc/asterisk/keys/pbx.key
  • cat /etc/letsencrypt/live/pbx.example.com/cert.pem > /etc/asterisk/keys/pbx.crt

Copying the letsencrypt files does seem to work properly.

As a part of the Asterisk import process, the timestamp (but not the file contents) on both pbx.key and pbx.crt is updated.

In addition, as a part of the import process, a third file, pbx.pem is created. This file is a concatenation of pbx.key and pbx.crt, and an identical file can be created by the following commands.

  • cat /etc/letsencrypt/live/pbx.example.com/privkey.pem > /etc/asterisk/keys/pbx.pem
  • cat /etc/letsencrypt/live/pbx.example.com/cert.pem >> /etc/asterisk/keys/pbx.pem

In the directory /etc/asterisk/keys/integration:

  • webserver.key has the same contents as the default .key file in /etc/asterisk/keys
  • webserver.crt has the same contents as the default .crt file in /etc/asterisk/keys, and
  • certificate.pem has the same contents as the default .pem file in /etc/asterisk/keys

No idea why import locally would not ingest a symlink. But if that is the case manually make the file as you did, then import. Then remake the file as a symlink. Apache doesn’t care.

If you have a recent certbot, from the manual, there are arguments

--config-dir CONFIG
Configuration directory. (default: /etc/letsencrypt)

Yup looks like you will have to work around FreePBX to get what you want. I just tested it out also.

Thankfully, certbot can do all the things for you. I would not change the config directory as @dicko references. Instead, I would leave it in the default location (easier to troubleshoot later).

First, generate the cert you want.
Second copy and rename the files.

cp /etc/letsencrypt/live/pbx.domain.com/fullchain.pem /etc/asterisk/keys/pbx.crt
cp /etc/letsencrypt/live/pbx.domain.com/privkey.pem /etc/asterisk/keys/pbx.key

Third import

fwconsole certificates --import

Fourth, list them and set it default if desired

fwconsole certificates --list
fwconsole certificates --default=X

This will get your cert setup and active for the GUI.
You can then go manage any other pieces such as SRTP and SIP TLS.

When it comes time to renew, you can make a simple script to redo the copy step and then instead of --import, run the --updateall option to have FreePBX regen the combined pem it uses. Then it can restart Apache.

You put the script, to handle the post renew work, in the LE cert’s conf file.
From a Digital Ocean guide: https://www.digitalocean.com/community/tutorials/how-to-use-certbot-standalone-mode-to-retrieve-let-s-encrypt-ssl-certificates-on-centos-7
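
One way to script the renewal steps described above (copy, `--updateall`, restart Apache) as a certbot deploy hook. This is an added example, not code from the thread or from FreePBX; the install path, the `asterisk:asterisk` owner and the `httpd` service name are assumptions for a CentOS 7 FreePBX host.

```shell
#!/bin/bash
# Added example: certbot deploy hook for the copy / --updateall / restart steps.
# Assumed install path: /etc/letsencrypt/renewal-hooks/deploy/freepbx-cert.sh
set -eu

CERT_NAME="pbx.domain.com"      # lineage name under /etc/letsencrypt/live (from the post)
KEY_DIR="/etc/asterisk/keys"    # FreePBX key directory used in the thread
BASE="pbx"                      # gives pbx.crt and pbx.key, as in the copy step
OWNER="asterisk:asterisk"       # assumption: FreePBX/Asterisk run as this user

# Copy one file into place atomically with a fixed mode, so a reader never
# sees a half-written file and the private key is never world-readable.
install_file() {   # usage: install_file SRC DEST MODE
    local tmp
    tmp="$(mktemp "$2.XXXXXX")"
    install -m "$3" "$1" "$tmp"
    mv -f "$tmp" "$2"
}

# Copy the renewed chain and key out of a certbot lineage directory.
sync_cert() {      # usage: sync_cert LINEAGE_DIR DEST_DIR BASENAME
    [ -s "$1/fullchain.pem" ] && [ -s "$1/privkey.pem" ] || return 1
    install_file "$1/fullchain.pem" "$2/$3.crt" 0644
    install_file "$1/privkey.pem"   "$2/$3.key" 0600
}

# certbot exports RENEWED_LINEAGE to deploy hooks; hooks in renewal-hooks/deploy
# run for every certificate renewed, so act only on the lineage FreePBX uses.
if [ "${RENEWED_LINEAGE:-}" = "/etc/letsencrypt/live/$CERT_NAME" ]; then
    sync_cert "$RENEWED_LINEAGE" "$KEY_DIR" "$BASE"
    chown "$OWNER" "$KEY_DIR/$BASE.crt" "$KEY_DIR/$BASE.key"
    fwconsole certificates --updateall   # regenerate the combined .pem
    systemctl restart httpd              # Apache service name on CentOS 7
fi
```

Because the hook only fires after a successful renewal, a failed renewal leaves the previously installed key and certificate untouched.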

so @dwight you just helped me with something from a couple years ago now.

Since I had the demopbx.domain.com certbot certificate on my PBX, I made it active for apache and changed my desk phone and it worked… So I changed a few other phones and they all worked too.

So, I will now need to schedule taking my system down and actually implementing something like I just described so I can fully use TLS for all the things.

Or perhaps

One time to set-up

ln -fs  /etc/letsencrypt/live/$(hostname -f)/privkey.pem  $(fwconsole setting CERTKEYLOC |sed 's/^.*\[\(.*\)\].*$/\1/')/$(hostname -f).key
ln -fs  /etc/letsencrypt/live/$(hostname -f)/fullchain.pem  $(fwconsole setting CERTKEYLOC |sed 's/^.*\[\(.*\)\].*$/\1/')/$(hostname -f).crt
fwconsole cert --import
fwconsole cert --default=$(fwconsole cert --list|grep $(hostname -f)|awk '{print $2}')

And if needed on new certs (probably a time waster as the certificates are symbolic links to symbolic links so the new certificates will be automatically correct)

fwconsole cert --updateall -q

That leaves your certbot files in a standard place but FreePBX will be happy (even if you use a nonstandard FreePBX place for whatever reason) for other service like fop2 etc. but gets asterisk into a state of happiness also.

A couple of caveats, I did not use the Distro to manage letsencrypt certs at any time just the distributed certbot and apache plugins (but the gooey seems happy with my work) and

hostname -f

properly returns your fqdn, so for the OP, if you have more than one fqdn then rinse and repeat but choose your default appropriately

Going to test what you posted.

Question.
Since FreePBX generates its own pem file when you import, how do you handle the renew?

A post hook as mentioned in another post? Some other method?

Okay, tried this and things do not want to work right. What @dicko posted works but…

I am unable to assign the certificate to Apache in Sysadmin.

So I poked a bit. The linked files are there and the fwconsole command to import works.

You can see the new .pem file was created

So I deleted it from Certificate manager (it only deleted the pem file as it should)

Then tried to use the “Import Locally” button, and nope…

Edit:
I deleted all certs, but left the self signed CA itself.


I then imported the certbot cert.


Then I tried to make it default in the GUI and got this error.

So I did it from CLI and it worked.


But I am still unable to use the certificate for Apache, even though it is the only certificate.

So my question to the Sangoma crew is what is going on with SysAdmin?

One would assume that it should be looking at the pem file created by the import process since that contains the key and the certs.

OpenSSL has no complaints about the file.

Looking at the inspect element shows the call on the drop down is this.

Since this is a closed source, commercial module, I have no way to check into it.

<Pedantic mode>
Those are not two domains - it is one domain with two host names. Either way, if you aren’t using a “wildcard” cert, the hostnames must match the server they are servicing. If your host has two hostnames, both need certs unless you are using wildcards.
</Pedantic mode>

Sorry, that’s been bugging me ever since the thread started.


And to expand on that point, you can easily use a single cert with the SAN containing the other FQDN.

Maybe I should have split my recent replies to a new thread. They are not directly related, other than getting the mechanism of “standard Certbot” to work.

Dave,

You are correct that in the posted example I wasn’t using two different domains, but rather two fully qualified domain names.

However, certbot will make a single non wildcard certificate for multiple FQDNs that could be in multiple different domains.

sudo certbot --apache -d pbx.example.com -d pbx7.adifferentexample.org

Jared,

What is a SAN?
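
For the SAN (subjectAltName, the certificate extension listing every name the certificate is valid for) mentioned above, a check that a certificate covers all the hostnames a server answers to, including the one-label wildcard rule. This is an added example, not code from the thread; the script name and the sample text are constructed, and the hostnames are the ones used in the posts.

```shell
#!/bin/sh
# Added example: list the SAN entries of a certificate and report required
# hostnames that are not covered. Usage: san-check.sh CERT.pem HOST [HOST...]

# Constructed excerpt of `openssl x509 -noout -text` output for a two-name cert.
SAMPLE_TEXT='        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:pbx.example.com, DNS:pbx7.adifferentexample.org'

# stdin: `openssl x509 -noout -text` output; stdout: one DNS name per line.
san_names() {
    awk '/Subject Alternative Name/ { getline; print }' |
        tr ',' '\n' | sed -n 's/^ *DNS://p' | tr 'A-Z' 'a-z'
}

# stdin: SAN names; $1: hostname. A wildcard entry covers exactly one
# left-most label, so *.example.com covers pbx.example.com but not a.b.example.com.
name_covered() {
    host="$(printf '%s' "$1" | tr 'A-Z' 'a-z')"
    while read -r san; do
        [ "$san" = "$host" ] && return 0
        case "$san" in
            '*.'*) [ "$host" != "${host#*.}" ] &&
                   [ "${host#*.}" = "${san#??}" ] && return 0 ;;
        esac
    done
    return 1
}

# stdin: certificate text; args: required hostnames; stdout: uncovered names.
missing_names() {
    sans="$(san_names)"
    for name in "$@"; do
        printf '%s\n' "$sans" | name_covered "$name" || printf '%s\n' "$name"
    done
}

# Run against a real certificate only when one is given on the command line.
if [ -r "${1:-}" ]; then
    cert="$1"; shift
    openssl x509 -in "$cert" -noout -text | missing_names "$@"
fi
```

Empty output means every listed hostname appears in the certificate's SAN; any name printed would fail hostname verification in a browser or WebRTC client.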