SSL cert automation (outside of LetsEncrypt)


(GRIFFCOMM) #1

Hi

The PBX is located behind a firewall and ports 80 and 443 are in use. This means Let's Encrypt won't work on this box; however, I need items like ZULU which need a certificate. I can get certificates, so what's the best way to automate saving the external certificate into the box?

Most are valid for 60-90 days and I don't want to be uploading a cert every 60 days. Assuming there's no module I can load, the other way would be to expose the cert path through a share so I can copy the new PEM and CRT files in, OR a script inside FreePBX that runs to collect the certificate PEM and CRT files…

Any ideas?
Many Thanks


#2

If you have a covered nameservice or are prepared to move to one, I suggest dns-01 over http-01; no ports needed. LE can do it, but this one covers more services.

It also has hook scripts for all sorts of services, not just web servers.


(Dan) #3

This topic has some ideas about how to automate the process:
https://community.freepbx.org/t/lets-encrypt-dns-challenge-and-scripting/65903

And completely agree with @dicko that DNS validation is the way to go if you can make it work. Cloudflare DNS is free and works well.


#4

Not so for the free TLDs at CF.


#5

??? Not sure what you mean here.


(Lorne Gaetz) #6

These two conditions alone do not prevent you from using LE certs with auto renewal. This is an extremely common setup.


#7

Apparently CloudFlare's API for 'free' top-level-domain accounts can't be scripted to issue a certificate. I just posted Mr. Pang's take; I don't have CF anymore.


#8

Not true, unless I’m grandfathered in, but one account isn’t that old, so it would have to be a recent change.


#9

Yes, it worked for me too before I moved everything to DO, where DNS is comprehensive, fully scriptable with doctl and free, even for non-DO-hosted hosts…

I merely posted Mr. Pang's notes on DNS services.


#10

Easy way to test acme.sh dns auth without moving your current dns hosting is to use duckdns.org.

Assumptions: Your current DNS provider does not support API access, and you want to use dns-01 auth to generate a cert for your.pbx.fqdn.

Ultimately you need to move to a provider with an API, but this is a way to test and should get past the blank page syndrome.

1: Install acme.sh: curl https://get.acme.sh | sh -s email=my@example.com

2: Log out and back into your current shell. This is needed to pick up the changes from installing acme.sh.

3: Login to https://duckdns.org with your preferred method.

4: Copy your duckdns token somewhere: [screenshot]

5: Create a domain: [screenshot]

6: duckdns should now look like: [screenshot]

7: Log into your current DNS provider's management page and create a CNAME record for _acme-challenge.<your.pbx.fqdn> and point it to your newly created duckdns domain (i.e. jerrm-test.duckdns.org).

8: Run acme.sh in dnsalias mode; we have to export our duckdns token into the environment:

# USE THE TOKEN FROM STEP 4 ABOVE
export DuckDNS_Token="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
acme.sh -d <your.pbx.fqdn> --challenge-alias <yourduckdnsdomain.duckdns.org> --dns dns_duckdns --issue

(GRIFFCOMM) #11

I think this (using DNS) should be an option in the LetsEncrypt for Admin Pro.


(GRIFFCOMM) #12

Please explain how to use LE when both port 80 and 443 can't be accessed on the PBX (when the whole PC can't be accessed from outside); Admin Pro says LE has to be on port 80…

Please advise


#13

DNS-01 is not a particularly easy option to script: either you have to manually put the TXT record in your DNS server, or use one of the 130 and growing supported providers across the various ACME clients that do DNS-01, but each one uses a different method.

For HTTP-01, you will have to preempt port 80 and allow the world for the brief time the ACME client verifies the URL, or have a redirection particular to the 'well-known' request on whatever is serving port 80.


#14

If I get off my a** and finish it up, there will be at least a 3rd party version of certman that will support dns-01 auth.

I have an acme.sh-backed version of certman with working DNS-01 and HTTP-01.

The time consuming work is in simplifying the options and GUI presentation enough to keep from overwhelming those that aren’t network geeks without giving up too much functionality.

Of course, the fact that I am not a PHP guy, and it’s currently a “tinkering” project may have something to do with the speed or lack thereof.


(GRIFFCOMM) #15

As I was writing the message I thought the DNS had to be dynamically updated as well. Going to submit a feature request about this, as it's problematic if items like ZULU want to be used with no outside access to port 80 and 443; there's no way to automate the SSL process without hacking up the system somehow.


#16

There’s already a two year+ ticket open. @xrobau had actually done an initial (very incomplete/not functional) commit.

I started with that, but ultimately went in a slightly different direction. It will be interesting to see if it gets torn apart.

Even when (if) I get to the point of submitting a PR (and I won't until I think it's production ready), I would be hesitant to merge if I were in Sangoma's shoes. It's a support problem with all the additional factors it adds that are outside Sangoma's control: acme.sh itself, the various plugins, varying DNS providers and APIs, etc.


#17

Letsencrypt HTTP-01 needs to dynamically update whatever is responding on port 80 at the URL you are trying to issue a certificate for, whereas DNS-01 needs to dynamically update your DNS records. So HTTP-01 needs access to your server, whereas DNS-01 needs no access over any port to your server.

Perhaps we can ask what name service you are currently using? You can use

dig +short ns your.domain.com


(GRIFFCOMM) #18

I've seen a few of the scripts…

I've also requested an automated process to "import" a key and crt file. I have those and can get them into the correct location (/etc/asterisk/keys, I think the folder is); however, it still needs manual work to then make them live in the system. If that can be automated, that would work as well.


(Lorne Gaetz) #19
fwconsole certificates --help

There are a bunch of CLI options to manage certs.


#20

From acme.sh --help:

These parameters are to install the cert to nginx/apache or any other server after issue/renew a cert:

  --cert-file <file>                Path to copy the cert file to after issue/renew..
  --key-file <file>                 Path to copy the key file to after issue/renew.
  --ca-file <file>                  Path to copy the intermediate cert file to after issue/renew.
  --fullchain-file <file>           Path to copy the fullchain cert file to after issue/renew.
  --reloadcmd <command>             Command to execute after issue/renew to reload the server.

Set --cert-file and --key-file to /etc/asterisk/keys/your.domain.crt and /etc/asterisk/keys/your.domain.key, and

--reloadcmd 'fwconsole certificates --updateall; systemctl reload httpd'

That will work for DNS-01 or HTTP-01 and be fully automated by acme.sh's cron job.

(You will have to run fwconsole certificates import; fwconsole certificates --set-default=X after the first time you use acme.sh to issue a certificate, and make sure your webserver is using the cert and key in /etc/asterisk/keys.)
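An added example, not a script posted in the thread, that strings together the step 7 CNAME check and step 8 dnsalias issue from post #10 with the /etc/asterisk/keys install hooks from post #20. It assumes acme.sh is installed under $HOME/.acme.sh, dig is available, DuckDNS_Token is already exported, and the ACME/KEYDIR variables and the <fqdn>.crt/.key/-fullchain.crt file names are this script's own choices.

```shell
#!/bin/sh
# Added example (not from the thread): preflight checks, then the
# acme.sh issue and install-hook calls for the DuckDNS dnsalias flow.
# Assumes acme.sh under $HOME/.acme.sh and dig on the PATH.
set -eu

ACME=${ACME:-${HOME:-/root}/.acme.sh/acme.sh}
KEYDIR=${KEYDIR:-/etc/asterisk/keys}

# DuckDNS tokens are 8-4-4-4-12 hex; reject a mangled paste before it is
# exported and sent to the DuckDNS API.
valid_duckdns_token() {
    printf '%s' "$1" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Step 7 check: _acme-challenge.<fqdn> must be a CNAME to the alias domain.
# $1 = fqdn, $2 = expected alias, $3 = dig +short output to evaluate
# (passed in by tests; leave it out to query DNS for real).
cname_points_to_alias() {
    fqdn=$1; target=$2
    answer=${3:-$(dig +short CNAME "_acme-challenge.$fqdn")}
    [ "${answer%.}" = "$target" ]
}

# Issue once in dnsalias mode, then register the install hooks that
# acme.sh's cron job re-runs on every renewal.
issue_and_install() {
    fqdn=$1; target=$2
    valid_duckdns_token "${DuckDNS_Token:-}" \
        || { echo "DuckDNS_Token missing or malformed" >&2; return 1; }
    cname_points_to_alias "$fqdn" "$target" \
        || { echo "_acme-challenge.$fqdn is not a CNAME to $target" >&2; return 1; }
    export DuckDNS_Token
    "$ACME" --issue -d "$fqdn" --challenge-alias "$target" --dns dns_duckdns
    "$ACME" --install-cert -d "$fqdn" \
        --cert-file "$KEYDIR/$fqdn.crt" \
        --key-file "$KEYDIR/$fqdn.key" \
        --fullchain-file "$KEYDIR/$fqdn-fullchain.crt" \
        --reloadcmd "fwconsole certificates --updateall; systemctl reload httpd"
}

# Usage: sh acme-pbx.sh your.pbx.fqdn yourname.duckdns.org
if [ $# -ge 2 ]; then issue_and_install "$1" "$2"; fi
```

The first-time fwconsole certificates import and --set-default steps from post #20 still have to be done by hand once; after that the --reloadcmd hook keeps FreePBX and Apache on the renewed files.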