Public and local certificate setup

Hi everyone,

Current PBX Version: 14.0.3.2
Current System Version: 12.7.4-1712-2.sng7
Current Asterisk Version: 13.18.5

I searched the forums and couldn’t seem to find a solution. I have a public wildcard cert (for phone.companyname.com… sanitized of course) installed that works fine for sRTP and TLS connections. I point to that cert from Advanced SIP settings / PJSIP.

However, I need my UCP and FOP2 and admin pages to work over https on an internal domain address cert (phone.xyz.local… sanitized of course).

I installed the internal domain cert, and even made it “default” (which per documentation should “place a standard set of the certificate and it’s key into /etc/asterisk/keys/integration for use by other applications”). Yet visiting UCP, admin or FOP2 (pointing to the certs in /etc/asterisk/keys/integration) using phone.xyz.local says “invalid cert, phone.companyname.com”… so it is clearly using the wrong cert as default. Or maybe setting the Advanced SIP settings messes with this?

I tried:

  • Reinstalling local certificate
  • Making another cert “default” and then making the phone.xyz.local default again. (jog it)

Any ideas?

I also verified with: openssl x509 -text -noout -in /etc/asterisk/keys/integration/certificate.pem
that the correct “internal” certificate is being pushed to the “default” certificate used by UCP, etc. (as per “Settings / Advanced Settings / UCP NodeJS Server”)

My next thought was that the phone server is in a different subnet than the computers requesting https, so FreePBX is treating the connection as “outside” and thus giving the “external” cert… but I couldn’t find any way to specify this for Apache (at least not in the GUI).

Then I found “Admin / System Admin / HTTPS Setup” and found this was pointing to the external cert :roll_eyes: . What doesn’t make sense is that “Settings / Advanced Settings / UCP” and everything else in advanced settings points to /etc/asterisk/keys/integration/certificate.pem, which was verified as correct above… yet what I just found bypasses that entirely.

Maybe @tm1000 knows?

I wouldn’t doubt I’m misunderstanding the notes and documentation, but perhaps this can be an example for the devs of how their customers react to the notes. I would suggest simplifying this (even if only for the paid System Admin) and clearly pulling all cert management together in one place: “Use this cert for these services (SIP TLS, sRTP, UCP, wss, external apps like FOP2, https admin, https etc.), and serve them on these ports, to these networks…” Might be a bit of work, but it would sure make it simpler for users.

My 2 cents as a humble user.
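The post above compares the certificate file on disk with what the GUI claims, but never with what each TLS port actually presents, which is where the “HTTPS Setup” override was hiding. The script below is an added example, not code from the original post or from FreePBX/Sangoma: it fingerprints the first certificate block in /etc/asterisk/keys/integration/certificate.pem (the path from the post), then connects to each service with the internal hostname as SNI, fingerprints the certificate the server presents, and reports which services match. The service names and ports in `ASSUMED_SERVICES` and the hostname `phone.xyz.local` are assumptions for illustration, and the PEM constants are constructed test data, not real certificates.

```python
"""
Added example (not FreePBX code): which certificate does each TLS service
really present, and does it match the file the GUI calls the "default" cert?
Fingerprints are printed in the same colon-separated SHA-256 form as
`openssl x509 -noout -fingerprint -sha256`, so they can be compared directly.
"""
import hashlib
import socket
import ssl

DEFAULT_CERT = "/etc/asterisk/keys/integration/certificate.pem"  # path from the post

# Assumed service/port map (placeholders, not FreePBX documentation).
ASSUMED_SERVICES = {
    "https-admin": 443,
    "ucp-nodejs-wss": 8003,
    "fop2": 4445,
}

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# Constructed test data (not real certificates): an empty PEM body and a
# three-byte body, so the fingerprint logic can be exercised offline.
CONSTRUCTED_EMPTY_PEM = f"{BEGIN}\n{END}\n"
CONSTRUCTED_SAMPLE_PEM = f"{BEGIN}\nAAEC\n{END}\n"


def first_pem_block(text: str) -> str:
    """Return only the first certificate block. certificate.pem may contain a
    chain (leaf followed by intermediates); we want the leaf."""
    start = text.find(BEGIN)
    end = text.find(END, start)
    if start < 0 or end < 0:
        raise ValueError("no PEM certificate block found")
    return text[start:end + len(END)] + "\n"


def der_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes, formatted like openssl's -fingerprint output."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def pem_fingerprint(pem_text: str) -> str:
    """Fingerprint of the first certificate in a PEM string or file body."""
    return der_fingerprint(ssl.PEM_cert_to_DER_cert(first_pem_block(pem_text)))


def served_fingerprint(host: str, port: int, sni=None, timeout: float = 5.0) -> str:
    """Connect with TLS and fingerprint whatever certificate the server sends.
    Verification is disabled on purpose: the point is to see the wrong cert,
    not to reject it. `sni` matters if Apache serves several virtual hosts."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni or host) as tls:
            return der_fingerprint(tls.getpeercert(binary_form=True))


def probe_services(host: str, services: dict, sni=None) -> dict:
    """Map service name -> served fingerprint, or the exception if the probe failed."""
    served = {}
    for name, port in services.items():
        try:
            served[name] = served_fingerprint(host, port, sni=sni)
        except (OSError, ssl.SSLError) as exc:
            served[name] = exc
    return served


def compare_fingerprints(expected: str, served: dict) -> dict:
    """Pure comparison step: name -> {"matches": True/False/None, "detail": str}.
    None means the service could not be probed (port closed, not TLS, ...)."""
    report = {}
    for name, value in served.items():
        if isinstance(value, Exception):
            report[name] = {"matches": None, "detail": f"probe failed: {value}"}
        elif value == expected:
            report[name] = {"matches": True, "detail": value}
        else:
            report[name] = {"matches": False,
                            "detail": f"served {value}, expected {expected}"}
    return report


def audit(host: str, services=ASSUMED_SERVICES, cert_path=DEFAULT_CERT, sni=None) -> dict:
    """Read the on-disk 'default' certificate and check every service against it."""
    with open(cert_path, encoding="ascii") as fh:
        expected = pem_fingerprint(fh.read())
    return compare_fingerprints(expected, probe_services(host, services, sni=sni))


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "phone.xyz.local"  # hostname from the post
    for name, result in audit(host, sni=host).items():
        status = {True: "OK", False: "MISMATCH", None: "ERROR"}[result["matches"]]
        print(f"{status:8} {name}: {result['detail']}")
```

Run it on the PBX itself (or any host that can reach those ports) with the internal name as the argument; a MISMATCH line on the https-admin port while the UCP port reports OK is exactly the situation the post describes, and the served fingerprint can be grepped for in the other certificate files under /etc/asterisk/keys/ to find which cert the web server was really configured with. The SNI name is passed explicitly because a server with several virtual hosts can legitimately present different certificates for different names.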
