LetsEncrypt Port selection in Sysadmin module not working

I’ve tried the port configuration shown below in the sysadmin module. After using my router to NAT the publicly facing port 80 to port 8080 of my PBX box, a LetsEncrypt certificate cannot be obtained.

I reviewed the schmoozecom.conf apache config file and it seems like the sysadmin module doesn’t include the aliases for /.well-known and /.free-pbx directives in the virtual host for the port I selected (8080).

# Automatically Generated File - 1643858591
# {"acp":{"port":"80","dir":"\/var\/www\/html"},"ucp":{"port":"disabled","dir":"\/var\/www\/html\/ucp\/"},"restapi":{"port":"disabled","dir":"\/var\/www\/html\/admin\/api\/"},"restapps":{"port":"82","dir":"\/var\/www\/html\/restapps\/"},"hpro":{"port":"84","dir":"\/tftpboot\/"},"leport":{"port":"8080","dir":"\/invalid\/folder\/name"}}
# Do NOT edit this file as it is auto-generated
# Starting acp
# acp
Listen 80
<VirtualHost *:80>
  Alias /.well-known /var/www/html/.well-known
  Alias /.freepbx-known /var/www/html/.freepbx-known
  RewriteEngine on
  RewriteRule ^/\.(well-known|freepbx-known)/ - [H=text/plain,L]
  RewriteRule (^\.|/\.) - [F]
  DocumentRoot /var/www/html
</VirtualHost>
# Starting ucp
# Skipping ucp as it is disabled
# Starting restapi
<DirectoryMatch "^/var/www/html/admin/api/api.php">
  AllowOverride None
  <IfModule mod_authz_core.c>
    <FilesMatch "^api.php$">
      Require all granted
    </FilesMatch>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    <FilesMatch "^api.php$">
      Allow from all
    </FilesMatch>
    Deny from all
  </IfModule>
</DirectoryMatch>
<Directory "/var/www/html/admin/api">
  DirectoryIndex api.php
</Directory>
# Skipping restapi as it is disabled
# Starting restapps
<DirectoryMatch "^/var/www/html/restapps/(applications\.php|image\.php|restapps\.php|sync\.php|.+\.zip)">
  AllowOverride None
  <IfModule mod_authz_core.c>
    <FilesMatch "^(applications\.php|image\.php|restapps\.php|sync\.php|.+\.zip)$">
      Require all granted
    </FilesMatch>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    <FilesMatch "^(applications\.php|image\.php|restapps\.php|sync\.php|.+\.zip)$">
      Allow from all
    </FilesMatch>
    Deny from all
  </IfModule>
</DirectoryMatch>
<Directory "/var/www/html/restapps">
  DirectoryIndex applications.php
</Directory>
# restapps
Listen 82
<VirtualHost *:82>
  RewriteEngine on
  RewriteRule (^\.|/\.) - [F]
  DocumentRoot /var/www/html/restapps/
</VirtualHost>
# Starting hpro
<Directory /tftpboot/>
  AllowOverride None
  <IfModule mod_authz_core.c>
    <FilesMatch "(^\.|.php$)">
      Require all denied
    </FilesMatch>
    Require all granted
  </IfModule>
  <IfModule !mod_authz_core.c>
    <FilesMatch "(^\.|.php$)">
      Deny from all
    </FilesMatch>
    Allow from all
  </IfModule>
</Directory>
# hpro
Listen 84
<VirtualHost *:84>
  RewriteEngine on
  RewriteRule (^\.|/\.) - [F]
  DocumentRoot /tftpboot/
</VirtualHost>
# Starting leport
# Warning - The directory '/invalid/folder/name' doesn't exist
# leport
Listen 8080
<VirtualHost *:8080>
  RewriteEngine on
  RewriteRule (^\.|/\.) - [F]
  DocumentRoot /invalid/folder/name
</VirtualHost>

Did anyone succeed in making this work?
I’m running Sysadmin module 15.0.21.99 and Certificate manager 15.0.48.

From what I remember, the LE verification config for Apache ports should only have had the options to enable on port 80 or to disable. I don’t recall there ever being an option to define a custom port for LE; I think this is a bug.

I’d rather have it fixed by getting the custom port number feature working. That way I can keep using port 80 for management internally (not exposed to internet) and have port 8080 used only for LetsEncrypt renewal which is exposed externally as port 80 by my router…

I think it’s a bug that the GUI lets you change it to a custom port when LE will only make the HTTP challenge on port 80.

https://issues.freepbx.org/browse/FREEPBX-23282

I understand LetsEncrypt requires checks to be done on port 80 but I would like to keep using a different port because we use port 80 on our LAN for Asternic and FreePBX GUI.
From past bad experiences with the FreePBX GUI exposed online, I really don’t want this to be accessible from the internet.

Using a custom port that only allows LE challenges is very appealing from an attack surface point of view, as it’s the only thing I want to expose online (in terms of HTTP traffic).

Reading the bug report, I take it you don’t intend on making it possible to have a configuration where FreePBX is behind NAT and a custom port number is used internally?

[quote=“Vincent2000, post:7, topic:81051”]
I take it you don’t intend on making it possible to have a configuration where … a custom [LE] port number is used [/quote]
No. But you could create your own conf file in /etc/httpd/conf.d/ with port 8080 set up the way you want.
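
A worked version of the “own conf file in /etc/httpd/conf.d/” suggestion, added here as an example; it is not code from the FreePBX project or from anyone in this thread. It renders a listener on the LAN port the router forwards public port 80 to, and that listener serves nothing except the /.well-known and /.freepbx-known aliases the module itself generates for the port-80 vhost in the schmoozecom.conf posted above, so the GUI is never reachable on the exposed port. Assumptions: the challenge files land under /var/www/html as in the posted config; the file name le-only.conf, the empty DocumentRoot /var/www/html/le-only and the function names are mine.

```shell
#!/bin/sh
# Added example (not the sysadmin module's generated config): an Apache vhost
# that answers only ACME HTTP-01 challenges on the LAN port that public :80
# is NATed to. schmoozecom.conf is left untouched.

# render_le_vhost PORT WEBROOT OUTFILE
#   PORT    - LAN port the router forwards public 80 to, e.g. 8080
#   WEBROOT - directory where certman writes challenge files (acp dir)
#   OUTFILE - conf file to write, e.g. /etc/httpd/conf.d/le-only.conf
render_le_vhost() {
  port="$1"
  webroot="$2"
  out="$3"
  cat > "$out" <<EOF
# Written by render_le_vhost: ACME-only listener, nothing else is served here
Listen $port
<VirtualHost *:$port>
  # Empty directory on purpose (assumption: created by install_le_vhost);
  # the GUI's DocumentRoot is never exposed on this port
  DocumentRoot /var/www/html/le-only
  <Directory /var/www/html/le-only>
    Require all denied
  </Directory>
  # Same two aliases the module generates for its port-80 vhost
  Alias /.well-known $webroot/.well-known
  Alias /.freepbx-known $webroot/.freepbx-known
  <Directory $webroot/.well-known>
    Options None
    AllowOverride None
    Require all granted
  </Directory>
  <Directory $webroot/.freepbx-known>
    Options None
    AllowOverride None
    Require all granted
  </Directory>
  RewriteEngine on
  # Hand challenge tokens back as plain text and stop rewriting
  RewriteRule ^/\.(well-known|freepbx-known)/ - [H=text/plain,L]
  # Every other path on this port gets a 403
  RewriteCond %{REQUEST_URI} !^/\.(well-known|freepbx-known)/
  RewriteRule .* - [F]
</VirtualHost>
EOF
}

# install_le_vhost [PORT]  (run as root on the PBX)
install_le_vhost() {
  mkdir -p /var/www/html/le-only
  render_le_vhost "${1:-8080}" /var/www/html /etc/httpd/conf.d/le-only.conf
  # refuse to reload on a broken config
  apachectl configtest && systemctl reload httpd
}
```

Before running install_le_vhost, set the LE port in the Sysadmin GUI back to disabled: if schmoozecom.conf also carries `Listen 8080`, httpd will fail to start because the same port is bound twice. Port 80 (the GUI and Asternic) stays LAN-only because the router forwards public 80 to 8080, not to 80, and you can check the exposure from outside with `curl -i http://your.public.name/admin/` (expect 403) versus `curl -i http://your.public.name/.well-known/acme-challenge/test` (expect 404 until a token exists).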

Depending on a few things there is another solution. LetsEncrypt and other ‘cert issuers’ support DNS-01 challenges, which need no ports opened at all; unfortunately the ACME client that FreePBX chose only supports HTTP-01 challenges. There are recipes and suggestions for replacing it scattered around these fora though.

(Most believe that DNS-01 is far more secure than HTTP-01 for ‘challenge/response’)

@Vincent2000, as @dicko says, there are other ways to utilize LetsEncrypt. However, the GUI implementation is, of course, the most convenient. Here is a quick and dirty guide to generating a certificate using LetsEncrypt Certbot installed via SNAP. This worked with the FreePBX Distro the last time I tested it, but that was a few months ago.

Generating Certificate using CERTBOT

**Setup Snap**

yum install snapd
systemctl enable --now snapd.socket
ln -s /var/lib/snapd/snap /snap

**Reboot**

snap install core
snap refresh core

**Setup Certbot**

**Ensure any previous certbot installs are removed**

yum remove certbot
snap install --classic certbot
ln -s /snap/bin/certbot /usr/bin/certbot
certbot --apache
certbot renew --dry-run

Perhaps ‘most convenient’ but also perhaps ‘not very good’ for many reasons, hence all the ‘work-arounds’. Most modern ACME clients have ‘deployment scripts’ that can easily put the cert and key into your /etc/asterisk/keys/ quite adequately, and then use fwconsole certificates . . . to easily deploy them
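
One shape the ‘deployment script’ idea can take with the certbot install above, added here as an example; it is not certbot’s, FreePBX’s or any poster’s code. certbot runs a `--deploy-hook` after each successful renewal with `RENEWED_LINEAGE` pointing at the `live/<name>` directory; the hook copies the chain and key into /etc/asterisk/keys/ with the key readable only by its owner, then asks FreePBX to pick them up. Assumptions: the `<name>.crt` / `<name>.key` pair naming in /etc/asterisk/keys/, the `fwconsole certificates --import` flag and the `asterisk` user are what the Distro uses; verify with `fwconsole certificates --help` before relying on it.

```shell
#!/bin/sh
# Added example, not from certbot, FreePBX or this thread: a certbot
# --deploy-hook that installs a renewed LetsEncrypt certificate for FreePBX.
# certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/pbx.example.com)
# and RENEWED_DOMAINS to deploy hooks.
set -eu

# install_cert LINEAGE_DIR KEY_DIR
# Copies chain and key into KEY_DIR as <name>.crt / <name>.key (assumption:
# the pair naming Certificate Manager's import looks for). Prints <name>.
install_cert() {
  lineage="$1"
  keydir="$2"
  name=$(basename "$lineage")
  install -d -m 0750 "$keydir"
  # fullchain.pem = leaf + intermediates; SIP/TLS and HTTPS clients need the chain
  install -m 0640 "$lineage/fullchain.pem" "$keydir/$name.crt"
  # private key: owner-only, never group or world readable
  install -m 0600 "$lineage/privkey.pem" "$keydir/$name.key"
  # FreePBX and Asterisk run as the asterisk user on the Distro (assumption);
  # only chown when that user exists so the function also works elsewhere
  if id asterisk >/dev/null 2>&1; then
    chown asterisk:asterisk "$keydir/$name.crt" "$keydir/$name.key"
  fi
  printf '%s\n' "$name"
}

# Entry point when certbot invokes this file as the deploy hook.
deploy_to_freepbx() {
  name=$(install_cert "${RENEWED_LINEAGE:?set by certbot}" /etc/asterisk/keys)
  # Assumption: --import registers .crt/.key pairs found in /etc/asterisk/keys.
  # Making it the default and assigning it to Asterisk/HTTPS is still done in
  # Certificate Manager (or with whatever `fwconsole certificates --help` lists).
  fwconsole certificates --import
  echo "imported $name into FreePBX"
}

# Act only when certbot set RENEWED_LINEAGE, so sourcing this file is harmless.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  deploy_to_freepbx
fi
```

Save it as /usr/local/sbin/freepbx-deploy.sh, `chmod 0755` it, and pass it once with `certbot --apache -d pbx.example.com --deploy-hook /usr/local/sbin/freepbx-deploy.sh`; certbot stores the hook in the renewal config, so later `certbot renew` runs call it without further flags.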
