I am trying to set up the Desktop Client for our Receptionists. They are only internal to the network and I will never have anyone from the outside using it.
After buying the licenses and installing the module, I get this error:
I then go to the Certificate Management pages and do a New Certificate, Generate Let's Encrypt Certificate, fill out the info and it comes back with the following error:
The name spr-pbx.benjaminsteel.com is set up on our internal DNS but is not on the external. And I don't want to open port 80 to our phone system from the internet. All of our remote phones use OpenVPN to connect and only port 1194 is open coming in for them to build a VPN from their phone.
Is there a way to make this work with a self-signed cert? Or just on HTTP? Or am I going to just have to buy a cert for it and put it in?
You shouldn’t be able to buy a certificate which will be trusted by anything, as the issuer has to be certain that you are the only organisation permitted to use the subject name you are requesting.
Your main option is to create your own CA, which will probably have to be a root CA, so will have a self-signed certificate, and use that to sign the certificate for your server, and install the CA certificate on your phones. Although people refer to this as self-signed, I prefer to call it a corporate CA. There is always a self-signed certificate involved with every CA, although it may be at a higher level than the CA certificate, e.g. currently it is ISRG Root X2, for Let's Encrypt.
Actually, you could probably create public DNS records for and use the DNS method of proving ownership, to get a Let’s Encrypt one.
Technically, it is possible to have a certificate that is a root certificate, and is used as the actual one for the server, but that wouldn't be good practice, and the tools provided with Asterisk don't do this.
If you have a strong security requirement, I would suggest you should already have a corporate CA, and should also go through all your SSL clients, and disable all the CAs that you don't fully trust. That would mean disabling ones that are in parts of the world where the government might interfere, and ones where the procedures for validating the domain ownership are too weak.
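
The corporate CA approach described in the replies above, sketched with the OpenSSL command line as an added example that is not part of the original posts. Only the hostname comes from the thread; the organisation name, file names, key sizes and validity periods are assumptions.

```shell
#!/bin/sh
set -eu

PBX_HOST="spr-pbx.benjaminsteel.com"   # hostname from the thread

build_pki() {  # $1 = output directory, $2 = server hostname
  dir=$1; host=$2
  mkdir -p "$dir"
  # Own config, so nothing depends on the system openssl.cnf (names are assumptions).
  cat > "$dir/pki.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
O = Example Corp
CN = Example Corp Internal Root CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[server_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
  # 1. Root CA: the only self-signed certificate; this file goes on the clients.
  openssl req -x509 -newkey rsa:3072 -nodes -sha256 -days 3650 \
    -config "$dir/pki.cnf" -extensions ca_ext \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  # 2. Server key and CSR, generated separately from the CA key.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
    -config "$dir/pki.cnf" -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  # 3. The CA signs the CSR; the SAN carries the name clients will check.
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 397 -sha256 -extfile "$dir/pki.cnf" \
    -extensions server_ext -out "$dir/server.crt" 2>/dev/null
  chmod 600 "$dir/ca.key" "$dir/server.key"
}

verify_server_cert() {  # $1 = directory, $2 = hostname the client connects to
  openssl verify -CAfile "$1/ca.crt" -purpose sslserver \
    -verify_hostname "$2" "$1/server.crt" >/dev/null 2>&1
}

# Run as: sh corp-ca.sh ./pki   (script name and directory are assumptions)
if [ "$#" -ge 1 ]; then
  build_pki "$1" "$PBX_HOST"
  verify_server_cert "$1" "$PBX_HOST" && echo "chain and hostname OK"
fi
```

Only `ca.crt` is installed on the clients; `ca.key` signs certificates and does not need to be on the PBX at all.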