Copying the letsencrypt files does seem to work properly.
As a part of the Asterisk import process, the timestamp (but not the file contents) on both pbx.key and pbx.crt is updated.
In addition, as a part of the import process, a third file, pbx.pem is created. This file is a concatenation of pbx.key and pbx.crt, and an identical file can be created by the following commands.
No idea why import locally would not ingest a symlink. But if that is the case manually make the file as you did, then import. Then remake the file as a symlink. Apache doesn’t care.
Yup looks like you will have to work around FreePBX to get what you want. I just tested it out also.
Thankfully, certbot can do all the things for you. I would not change the config directory as @dicko references. Instead, I would leave it in the default location (easier to troubleshoot later).
First, generate the cert you want.
Second, copy and rename the files.
This will get your cert setup and active for the GUI.
You can then go manage any other pieces such as SRTP and SIP TLS.
When it comes time to renew, you can make a simple script to redo the copy step and then, instead of --import, run the --updateall option to have FreePBX regen the combined pem it uses. Then it can restart Apache.
So @dwight, you just helped me with something from a couple years ago now.
Since I had the demopbx.domain.com certbot certificate on my PBX, I made it active for apache and changed my desk phone and it worked… So I changed a few other phones and they all worked too.
So, I will now need to schedule taking my system down and actually implementing something like I just described so I can fully use TLS for all the things.
And if needed on new certs (probably a time waster as the certificates are symbolic links to symbolic links so the new certificates will be automatically correct)
fwconsole cert --updateall -q
That leaves your certbot files in a standard place but FreePBX will be happy (even if you use a nonstandard FreePBX place for whatever reason) for other service like fop2 etc. but gets asterisk into a state of happiness also.
A couple of caveats: I did not use the Distro to manage letsencrypt certs at any time, just the distributed certbot and apache plugins (but the gooey seems happy with my work), and
hostname -f
properly returns your fqdn, so for the OP, if you have more than one fqdn then rinse and repeat but choose your default appropriately
<Pedantic mode>
Those are not two domains - it is one domain with two host names. Either way, if you aren’t using a “wildcard” cert, the hostnames must match the server they are servicing. If your host has two hostnames, both need certs unless you are using wildcards. </Pedantic mode>
Sorry, that’s been bugging me ever since the thread started.
And to expand on that point, you can easily use a single cert with the SAN containing the other FQDN.
Maybe I should have split my recent replies to a new thread. They are not directly related, other than getting the mechanism of “standard Certbot” to work.
So, the only thing I could do to make things work with the local import, and be usable to the rest of the system, was to actually copy the LE generated files to /etc/asterisk/keys.
So I will look at testing the hooks built into certbot to copy the files after completion.
I don’t know what CertManager is failing to do on the import. I mean, it seems that something in getCertificateDetails (or its child process) is doing something that results in the cert detail variables not being populated.
But the certbot generated cert works for everything while the CertManager generated LE cert does not.
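A worked version of the renewal procedure described earlier in the thread (the copy-and-rename step, the pbx.pem concatenation the first post describes, then `fwconsole cert --updateall -q` and an Apache restart), written as the certbot deploy hook the last post talks about testing. This is an added example, not code from the thread, from FreePBX or from certbot. It assumes privkey.pem maps to pbx.key and fullchain.pem to pbx.crt, that the FreePBX key directory is /etc/asterisk/keys owned by the asterisk user, and that Apache runs as the httpd unit; all three are overridable through environment variables. RENEWED_LINEAGE is the variable certbot itself exports to deploy hooks.

```shell
#!/bin/sh
# Added example (not code from the thread, FreePBX or certbot): a certbot
# deploy hook that redoes the "copy and rename" step, rebuilds pbx.pem as the
# concatenation of pbx.key and pbx.crt, then runs the FreePBX --updateall
# step and restarts Apache.
#
# Assumptions not stated in the thread: privkey.pem becomes pbx.key and
# fullchain.pem becomes pbx.crt; the key directory is /etc/asterisk/keys and
# is owned by the "asterisk" user; the Apache unit is called "httpd".
set -eu
umask 077   # new files are private until pbx.crt is explicitly loosened

KEYS_DIR="${KEYS_DIR:-/etc/asterisk/keys}"
KEY_OWNER="${KEY_OWNER:-asterisk}"
HTTPD_SERVICE="${HTTPD_SERVICE:-httpd}"

# Copy privkey.pem/fullchain.pem from one certbot lineage directory ($1) into
# $2 as pbx.key/pbx.crt and write pbx.pem = pbx.key + pbx.crt.
# Files are staged as *.tmp and renamed so readers never see a half-written key.
install_pbx_cert() {
    lineage="$1"
    dest="$2"
    if [ ! -r "$lineage/privkey.pem" ] || [ ! -r "$lineage/fullchain.pem" ]; then
        echo "install_pbx_cert: privkey.pem or fullchain.pem missing in $lineage" >&2
        return 1
    fi
    mkdir -p "$dest"
    cp "$lineage/privkey.pem"   "$dest/pbx.key.tmp"
    cp "$lineage/fullchain.pem" "$dest/pbx.crt.tmp"
    cat "$dest/pbx.key.tmp" "$dest/pbx.crt.tmp" > "$dest/pbx.pem.tmp"
    chmod 600 "$dest/pbx.key.tmp" "$dest/pbx.pem.tmp"   # both contain the private key
    chmod 644 "$dest/pbx.crt.tmp"                       # public certificate chain only
    mv -f "$dest/pbx.key.tmp" "$dest/pbx.key"
    mv -f "$dest/pbx.crt.tmp" "$dest/pbx.crt"
    mv -f "$dest/pbx.pem.tmp" "$dest/pbx.pem"
}

# Refuse to deploy a key and certificate that do not belong together: the
# public key derived from the private key must equal the one in the cert.
verify_key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# Entry point used when certbot calls this script as a deploy hook.
# certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/<name>) for it.
deploy_hook() {
    lineage="${RENEWED_LINEAGE:?set by certbot for deploy hooks}"
    verify_key_matches_cert "$lineage/privkey.pem" "$lineage/fullchain.pem" || {
        echo "deploy_hook: key/cert mismatch in $lineage, not deploying" >&2
        return 1
    }
    install_pbx_cert "$lineage" "$KEYS_DIR"
    chown "$KEY_OWNER:$KEY_OWNER" "$KEYS_DIR/pbx.key" "$KEYS_DIR/pbx.crt" "$KEYS_DIR/pbx.pem"
    fwconsole cert --updateall -q      # the command given in the thread
    systemctl restart "$HTTPD_SERVICE"
}

# Only act when certbot is actually invoking us; sourcing the file for tests
# or running it by hand without RENEWED_LINEAGE just defines the functions.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_hook
fi
```

Placed executable in /etc/letsencrypt/renewal-hooks/deploy/, certbot runs it only after a successful renewal and sets RENEWED_LINEAGE for it; running it by hand with RENEWED_LINEAGE=/etc/letsencrypt/live/<name> does a one-off deploy. The key/cert comparison is there so that a lineage whose files are out of step never replaces a working pair in /etc/asterisk/keys.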