to your service to let the connection proceed if given a valid cert and key
If you are proxying https through haproxy with strict SNI, as previously discussed, then let haproxy provide the TLS certificates for all proxied services, and know that connections to the IP on any port will be curtly dropped; only the URL will work (which must be properly set internally).
From the internet, your port 80 replies:
curl -s http://nollivoipserver.nollicomm.net/|html2text
****** nollivoipserver.nollicomm.net ******
***** This Domain is Under Construction *****
Please Check Back Later
[Powered_by_Misk.com]
I wouldn’t recommend the use of wildcard certs for TLS transport for voip in general and specifically, using a wildcard cert with haproxy kinda defeats the purpose of ‘strict SNI’ protection.
Well, Dicko, you seem onto something and I have to say it’s flying over my head. When I do an openssl s_client -connect nollivoipserver.nollicomm.net:443, I get:
verify error:num=21:unable to verify the first certificate
Not sure how to address this error…I am searching as I type.
Neither the internet nor your intranet can be convinced that your server is a FreePBX box behind a pfSense box, because it is not seen that way; it resolves to a placeholder at Amazon.
Whatever is serving certs at nollivoipserver.nollicomm.net:443 is not doing so; it would need to agree on an exchange of info with Cloudflare, using your full and proper domain name against your Cloudflare wildcard *nollicomm.net cert, to do so.
I think I understand what you’re saying but am highly confused on how to go about making the exchange of info with Cloudflare agree. I have been doing DNS queries all day and have been getting the same as the A record, which I purposely tied so as to not have the very problems I am having…not wanting nollivoipserver.nollicomm.net resolves. Just dealing with Cloudflare was a headache.
I thought the reason for the “verify error:num=21:unable to verify the first certificate” is that I needed to include the CA into FreePBX but could not find where to do that. And, just for the hell of it, I ran:
I would need to buy their hosting package and that is defeating the original intent of the FreePBX plan…that’s the only way to edit the A record or a Cname. They had said this when I asked about the DNS-NSupdate. So, I thought at Cloudflare, where it seems that it imported the TXT file, I was actually adding to it
I outlined my basically quite simple personal solution more than once, which WFM; with your alternate pfSense, internally certifying sites, haproxy (or not) and Cloudflare’s SNI, the ‘no public access’ rat’s-nested non-solution is obviously widely divergent from my thinking. I can but say ‘Vaya con Dios’; maybe wait for the guys at pfSense?
But feel free to check back later after fixing:
curl -s http://nollivoipserver.nollicomm.net/|html2text
****** nollivoipserver.nollicomm.net ******
***** This Domain is Under Construction *****
Please Check Back Later
[Powered_by_Misk.com]
Based on what you’re saying about the certificate, wouldn’t I face the exact same problem had I got the certificate via FreePBX? I need to get a hosting package from Misk…just registering the domain won’t complete the plan.
FreePBX does not issue certificates and cannot do so, but IMHO the acme client that is embedded to do that is largely broken and badly needs replacing.
So I only speak to another way of doing something which can be quite trivial, in this case I was wrong, good luck though.
Given a smidgen of Linux knowledge, then that would first be a “what certificate issues did you experience when deploying it”; otherwise, “yes, but please RTFGHM (all of it, to get the most out of it)”.
Actually, I have no clue…this is all new to me as I am a Mac person and rarely use the CLI. I am somewhat familiar with Linux, having a Mikrotik router, but far from being an expert. So, I bookmarked Neil’s page and will reevaluate all this over a two-week period to gauge whether this is all worth the time. I need to catch up on other projects.
Chalk and cheese: Mikrotik isn’t Linux, it is RouterOS, which at an ssh login would look much like any macOS console login (which is based on OpenBSD); all the above do have a common heritage in UNIX though.
Well, I found the problem and it was my fault. I forgot to paste the CA into FreePBX, sending me on a wild goose chase diagnosing while other work projects got neglected; so a few days until fix.
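The "unable to verify the first certificate" error and the "forgot to paste the CA" resolution above come down to one thing: a server presenting its leaf certificate without the intermediate CA that issued it. The script below is an added example, not from the thread or from FreePBX; it builds a throwaway root/intermediate/leaf chain with openssl (all names constructed) and shows verification failing on the leaf alone and succeeding once the issuing CA is bundled behind it.

```shell
#!/bin/sh
# Added example: throwaway root -> intermediate -> leaf chain, then verify the leaf
# the way a TLS client would, with and without the issuing CA bundled after it.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Throwaway self-signed root CA (constructed, acts as the client's trust anchor).
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
  -subj "/CN=Constructed Root CA" -days 2 >/dev/null 2>&1

# Intermediate CA signed by the root; CA:TRUE is required for it to act as an issuer.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > int.ext
openssl req -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
  -subj "/CN=Constructed Intermediate CA" >/dev/null 2>&1
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -out int.crt -days 2 -extfile int.ext >/dev/null 2>&1

# Leaf (server) certificate for a placeholder PBX hostname, signed by the intermediate.
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=pbx.example.invalid" >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
  -out leaf.crt -days 2 >/dev/null 2>&1

# What a correctly configured server should present: leaf first, then its issuing CA.
cat leaf.crt int.crt > fullchain.pem

# chain_status FILE: verify the first certificate in FILE against the trusted root,
# using any further certificates in FILE only as untrusted chain material (exactly
# how a client treats the certificates a server sends). Prints complete/incomplete.
chain_status() {
  awk '/BEGIN CERT/{n++} n==1' "$1" > "$WORK/first.pem"   # the leaf
  awk '/BEGIN CERT/{n++} n>1'  "$1" > "$WORK/rest.pem"    # whatever was sent with it
  ok=1
  if [ -s "$WORK/rest.pem" ]; then
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/rest.pem" \
      "$WORK/first.pem" >/dev/null 2>&1 || ok=0
  else
    openssl verify -CAfile "$WORK/root.crt" "$WORK/first.pem" >/dev/null 2>&1 || ok=0
  fi
  if [ "$ok" = 1 ]; then echo complete; else echo incomplete; fi
}

echo "leaf only: $(chain_status "$WORK/leaf.crt")"        # incomplete: issuer missing
echo "leaf + CA: $(chain_status "$WORK/fullchain.pem")"   # complete
```

The same check against a live host is `openssl s_client -connect host:443 -servername host -showcerts`; if only one certificate comes back, the CA bundle was never installed alongside the leaf.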