Letsencrypt certificates - two domains (pbx.example.com, pbx5.example.com)

Just use Certbot to make your own cert and then link to it?

https://wiki.freepbx.org/display/F2/Certificate+Management+User+Guide#CertificateManagementUserGuide-ImportLocally

Put a link in /etc/asterisk/keys to the LE generated cert and key. Click “Import Locally” in Cert Manager and you are done.

Edit to clarify: Certbot can then renew all it wants and all you will ever have to do is restart Apache. Which certbot can do with a post-hook.

Also is there some weird reason to have two domain names set up? I mean, of course you can point as many FQDN to your PBX as you want, but why?

Edit: Reread your original post. You need valid certs because new system and you don’t want to interfere with the old, maybe?

Thanks everyone for your inputs. I thought I would document what I have found out.

When I “Import Locally” after the following link command, no certificates are imported.

  • ln -s /etc/letsencrypt/live/pbx.example.com/privkey.pem /etc/asterisk/keys/pbx.key
  • ln -s /etc/letsencrypt/live/pbx.example.com/cert.pem /etc/asterisk/keys/pbx.crt

Linking to the letsencrypt files does not seem to work.

When I “Import Locally” after the following cat commands, the certificates are properly imported.

  • cat /etc/letsencrypt/live/pbx.example.com/privkey.pem > /etc/asterisk/keys/pbx.key
  • cat /etc/letsencrypt/live/pbx.example.com/cert.pem > /etc/asterisk/keys/pbx.crt

Copying the letsencrypt files does seem to work properly.

As a part of the Asterisk import process, the timestamp (but not the file contents) on both pbx.key and pbx.crt is updated.

In addition, as a part of the import process, a third file, pbx.pem is created. This file is a concatenation of pbx.key and pbx.crt, and an identical file can be created by the following commands.

  • cat /etc/letsencrypt/live/pbx.example.com/privkey.pem > /etc/asterisk/keys/pbx.pem
  • cat /etc/letsencrypt/live/pbx.example.com/cert.pem >> /etc/asterisk/keys/pbx.pem

In the directory /etc/asterisk/keys/integration:

  • webserver.key has the same contents as the default .key file in /etc/asterisk/keys
  • webserver.crt has the same contents as the default .crt file in /etc/asterisk/keys, and
  • certificate.pem has the same contents as the default .pem file in /etc/asterisk/keys

No idea why import locally would not ingest a symlink. But if that is the case manually make the file as you did, then import. Then remake the file as a symlink. Apache doesn’t care.

If you have a recent certbot, from the manual, there are arguments

--config-dir CONFIG
Configuration directory. (default: /etc/letsencrypt)

Yup looks like you will have to work around FreePBX to get what you want. I just tested it out also.

Thankfully, certbot can do all the things for you. I would not change the config directory as @dicko references. Instead, I would leave it in the default location (easier to troubleshoot later).

First, generate the cert you want.
Second, copy and rename the files.

cp /etc/letsencrypt/live/pbx.domain.com/fullchain.pem /etc/asterisk/keys/pbx.crt
cp /etc/letsencrypt/live/pbx.domain.com/privkey.pem /etc/asterisk/keys/pbx.key

Third import

fwconsole certificates --import

Fourth, list them and set it default if desired

fwconsole certificates --list
fwconsole certificates --default=X

This will get your cert setup and active for the GUI.
You can then go manage any other pieces such as SRTP and SIP TLS.

When it comes time to renew, you can make a simple script to redo the copy step and then, instead of --import, run the --updateall option to have FreePBX regenerate the combined pem it uses. Then it can restart Apache.

You put the script, to handle the post renew work, in the LE cert’s conf file.
From a Digital Ocean guide: https://www.digitalocean.com/community/tutorials/how-to-use-certbot-standalone-mode-to-retrieve-let-s-encrypt-ssl-certificates-on-centos-7
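Putting the renewal steps above together as a certbot deploy hook, as an added example rather than code from this thread or from FreePBX: it copies fullchain.pem and privkey.pem into the keys directory exactly as the copy step does, writes the combined key+cert .pem that the import step was observed to create, and only calls fwconsole and restarts Apache when certbot itself invokes it (certbot sets RENEWED_LINEAGE for deploy hooks). The hook path, the KEYS_DIR variable and the function names are assumptions.

```shell
#!/bin/sh
# Assumed location: /etc/letsencrypt/renewal-hooks/deploy/freepbx.sh (example, not FreePBX's own)
set -eu

KEYS_DIR="${KEYS_DIR:-/etc/asterisk/keys}"   # FreePBX certificate directory (assumed default)

# pem_looks_like FILE TYPE: succeed when FILE contains a PEM block whose type contains TYPE
# (matches "PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "CERTIFICATE").
pem_looks_like() {
    grep -q -- "^-----BEGIN.*$2-----" "$1" 2>/dev/null
}

# install_cert LIVE_DIR NAME DEST_DIR
# LIVE_DIR/fullchain.pem -> DEST_DIR/NAME.crt, LIVE_DIR/privkey.pem -> DEST_DIR/NAME.key,
# then DEST_DIR/NAME.pem = key followed by chain (the layout seen after "Import Locally").
# Refuses to run if either input is not PEM, so a broken lineage never clobbers a working cert.
install_cert() {
    live="$1"; name="$2"; dest="$3"
    pem_looks_like "$live/privkey.pem" "PRIVATE KEY" || { echo "no private key in $live" >&2; return 1; }
    pem_looks_like "$live/fullchain.pem" "CERTIFICATE" || { echo "no certificate in $live" >&2; return 1; }
    (
        umask 077   # create every file owner-only; the key and the combined pem stay 0600
        cp -L "$live/fullchain.pem" "$dest/$name.crt"   # -L: live/ entries are symlinks into archive/
        cp -L "$live/privkey.pem"   "$dest/$name.key"
        cat "$dest/$name.key" "$dest/$name.crt" > "$dest/$name.pem"
    )
    chmod 0644 "$dest/$name.crt"   # the certificate chain is public; other services may read it
}

# certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/pbx.example.com) to deploy hooks;
# when it is absent the script was sourced or run by hand, so only the functions are defined.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_cert "$RENEWED_LINEAGE" "$(basename "$RENEWED_LINEAGE")" "$KEYS_DIR"
    fwconsole certificates --updateall   # have FreePBX regenerate its combined pem
    systemctl restart httpd              # Apache re-reads the renewed files
fi
```

Register it once with `certbot renew --deploy-hook /etc/letsencrypt/renewal-hooks/deploy/freepbx.sh` (or drop it in that directory, which certbot scans on every renewal); the lineage name becomes the FreePBX certificate name, so with two hostnames each lineage installs under its own name and you pick the default as before.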

So @dwight you just helped me with something from a couple years ago now.

Since I had the demopbx.domain.com certbot certificate on my PBX, I made it active for apache and changed my desk phone and it worked… So I changed a few other phones and they all worked too.

So, I will now need to schedule taking my system down and actually implementing something like I just described so I can fully use TLS for all the things.

Or perhaps

One time to set-up

ln -fs  /etc/letsencrypt/live/$(hostname -f)/privkey.pem  $(fwconsole setting CERTKEYLOC |sed 's/^.*\[\(.*\)\].*$/\1/')/$(hostname -f).key
ln -fs  /etc/letsencrypt/live/$(hostname -f)/fullchain.pem  $(fwconsole setting CERTKEYLOC |sed 's/^.*\[\(.*\)\].*$/\1/')/$(hostname -f).crt
fwconsole cert --import
fwconsole cert --default=$(fwconsole cert --list|grep $(hostname -f)|awk '{print $2}')

And if needed on new certs (probably a time waster as the certificates are symbolic links to symbolic links so the new certificates will be automatically correct)

fwconsole cert --updateall -q

That leaves your certbot files in a standard place but FreePBX will be happy (even if you use a nonstandard FreePBX place for whatever reason) for other services like fop2 etc. but gets asterisk into a state of happiness also.

A couple of caveats: I did not use the Distro to manage letsencrypt certs at any time, just the distributed certbot and apache plugins (but the gooey seems happy with my work), and

hostname -f

properly returns your fqdn, so for the OP, if you have more than one fqdn then rinse and repeat but choose your default appropriately

Going to test what you posted.

Question.
Since FreePBX generates its own pem file when you import, how do you handle the renew?

A post hook as mentioned in another post? Some other method?

Okay, tried this and things do not want to work right. What @dicko posted works but…

I am unable to assign the certificate to Apache in Sysadmin.

So I poked a bit. The linked files are there and the fwconsole command to import works.

You can see the new .pem file was created

So I deleted it from Certificate manager (it only deleted the pem file as it should)

Then tried to use the “Import Locally” button, and nope…

Edit:
I deleted all certs, but left the self signed CA itself.


I then imported the certbot cert.


Then I tried to make it default in the GUI and got this error.

So I did it from CLI and it worked.

But I am still unable to use the certificate for Apache, even though it is the only certificate.

So my question to the Sangoma crew is what is going on with SysAdmin?

One would assume that it should be looking at the pem file created by the import process since that contains the key and the certs.

OpenSSL has no complaints about the file.

Looking at the inspect element shows the call on the drop down is this.

Since this is a closed source, commercial module, I have no way to check into it.

<Pedantic mode>
Those are not two domains - it is one domain with two host names. Either way, if you aren’t using a “wildcard” cert, the hostnames must match the server they are servicing. If your host has two hostnames, both need certs unless you are using wildcards.
</Pedantic mode>

Sorry, that’s been bugging me ever since the thread started.


And to expand on that point, you can easily use a single cert with the SAN containing the other FQDN.

Maybe I should have split my recent replies to a new thread. They are not directly related, other than getting the mechanism of “standard Certbot” to work.

Dave,

You are correct that in the posted example I wasn’t using two different domains, but rather two fully qualified domain names.

However, certbot will make a single non wildcard certificate for multiple FQDNs that could be in multiple different domains.

sudo certbot --apache -d pbx.example.com -d pbx7.adifferentexample.org

Jared,

What is a SAN?

So both fwconsole and the GUI use the same function, importLocalCertificates. But the GUI does not work while fwconsole does.

But the GUI says nothing found.
GUI call:

fwconsole call

Subject Alternative Name.

A certificate can only have one certificate name. All additional names are SAN.

Certbot uses the first domain listed in your --domains (-d) as the certificate name and as the file name. Then all other FQDNs are SANs.

Jared,

Thank you for the explanation. I did not realize that certificates can only have one name and the additional names were SANs.

Clicking on the button to set default sort of works, even with that error by the way, because the SQL updates are all before the error handling.

Here is the logic on that error.

So, the only thing I could do to make things work with the local import, and be usable to the rest of the system, was to actually copy the LE generated files to /etc/asterisk/keys.

So I will look at testing the hooks built into certbot to copy the files after completion.

I don’t know what CertManager is failing to do on the import. I mean it seems that something in getCertificateDetails (or its child process) is doing something that results in cert detail variables not being populated.

But the certbot generated cert works for everything while the CertManager generated LE cert does not.

I tried to wade through the lescript code but got lost.
https://git.freepbx.org/projects/FREEPBX/repos/certman/browse/vendor/analogic/lescript

The original source has not been updated since 2016. The 2017 commit was only removing a hardcoded ToS link.
