The PBX is located behind a firewall and ports 80 and 443 are in use. This means Let's Encrypt won't work on this box; however, I need items like ZULU which need a certificate. I can get certificates, so what's the best way to automate saving the external certificate into the box?
Most are valid for 60-90 days and I don't want to be uploading a cert every 60 days. Assuming there's no module I can load, the other way would be to expose the cert path through a share so I can copy the new PEM and CRT files in, OR a script inside FreePBX that runs to collect the certificate PEM and CRT files…
If you have a covered nameservice or are prepared to move to one, I suggest dns-01 over http-01: no ports needed. LE can do it, but this one covers more services.
It also has hook scripts for all sorts of services, not just web servers.
Apparently CloudFlare's API for 'free' top-level-domain accounts can't be scripted to issue a certificate. I just posted Mr. Pang's take; I don't have CF anymore.
Yes, it worked for me too before I moved everything to DO, where DNS is comprehensive, fully scriptable with doctl and free, even for non-DO-hosted hosts…
7: Log into your current DNS provider's management page and create a CNAME record for _acme-challenge.<your.pbx.fqdn> and point it to your newly created duckdns domain (ie: jerrm-test.duckdns.org).
8: Run acme.sh using dnsalias mode; we have to export our duckdns token into the environment:
# USE THE TOKEN FROM STEP 4 ABOVE
export DuckDNS_Token="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
acme.sh -d <your.pbx.fqdn> --challenge-alias <yourduckdnsdomain.duckdns.org> --dns dns_duckdns --issue
Please explain how to use LE when both port 80 and 443 can't be accessed on the PBX (when the whole PC can't be accessed from outside). Admin Pro says LE has to be on port 80…
DNS-01 is not a particularly easy option to script: either you have to manually put the TXT record in your DNS server or use one of the 130 and growing supported providers across the various ACME clients that do dns-01, but each one uses a different method.
For http-01, you will have to preempt port 80 and allow the world in for the brief time the ACME client verifies the URL, or have a redirection particular to the 'well-known' request on whatever is serving port 80.
If I get off my a** and finish it up, there will be at least a 3rd-party version of certman that will support dns-01 auth.
I have an acme.sh backed version of certman with working dns-01 and http-01
The time-consuming work is in simplifying the options and GUI presentation enough to keep from overwhelming those who aren't network geeks, without giving up too much functionality.
Of course, the fact that I am not a PHP guy, and it’s currently a “tinkering” project may have something to do with the speed or lack thereof.
As I was writing the message I thought the DNS had to be dynamically updated as well. Going to submit a feature request about this, as it's problematic if items like ZULU are to be used with no outside access to ports 80 and 443; there's no way to automate the SSL process without hacking up the system somehow.
There’s already a two year+ ticket open. @xrobau had actually done an initial (very incomplete/not functional) commit.
I started with that, but ultimately went in a slightly different direction. It will be interesting to see if it gets torn apart.
Even when (if) I get to the point of submitting a PR (and I won't until I think it's production ready), I would be hesitant to merge if I were in Sangoma's shoes. It's a support problem with all the additional factors it adds that are outside Sangoma's control - acme.sh itself, the various plugins, varying DNS providers and APIs, etc.
Letsencrypt HTTP-01 needs to dynamically update whatever is responding on port 80 at the URL you are trying to issue a certificate for, whereas DNS-01 needs to dynamically update your DNS records. So HTTP-01 needs access to your server, whereas DNS-01 needs no access over any port to your server.
Perhaps we can ask what name service you are currently using? You can use
I've also requested an automated process to "import" a key and crt file. I have those and can get them into the correct location (/etc/asterisk/keys, I think the folder is); however, it still needs manual work to then make them live in the system. If that can be automated, that would work as well.
These parameters are to install the cert to nginx/apache or any other server after issue/renew a cert:
--cert-file <file> Path to copy the cert file to after issue/renew..
--key-file <file> Path to copy the key file to after issue/renew.
--ca-file <file> Path to copy the intermediate cert file to after issue/renew.
--fullchain-file <file> Path to copy the fullchain cert file to after issue/renew.
--reloadcmd <command> Command to execute after issue/renew to reload the server.
Set --cert-file and --key-file to /etc/asterisk/keys/your.domain.(crt and key).
That will work for DNS-01 or HTTP-01 and be fully automated by acme.sh's cron job.
(You will have to run fwconsole certificates import; fwconsole certificates --set-default=X after the first time you use acme.sh to issue a certificate, and make sure your webserver is using the cert and key in /etc/asterisk/keys.)
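The following script ties together the DuckDNS challenge-alias issue from steps 7 and 8 and the --install-cert parameters listed above. It is an added example, not code from the thread or from acme.sh/FreePBX; it assumes acme.sh is installed under $HOME/.acme.sh, that DuckDNS tokens are UUID-shaped hex (so the xxxx placeholder is rejected), that PBX_FQDN and ALIAS_DOMAIN are overridden with real values (the defaults are placeholders), and that re-running fwconsole certificates import is sufficient as the renewal reload command.

```shell
#!/bin/sh
# Added example (not from the thread): issue a dns-01 certificate through the
# DuckDNS challenge alias and install it where FreePBX certman expects keys.
# Assumes acme.sh under $HOME/.acme.sh and DuckDNS_Token exported as in step 8.
PBX_FQDN="${PBX_FQDN:-pbx.example.invalid}"             # placeholder
ALIAS_DOMAIN="${ALIAS_DOMAIN:-placeholder.duckdns.org}" # placeholder
KEY_DIR="${KEY_DIR:-/etc/asterisk/keys}"
ACME="${ACME:-$HOME/.acme.sh/acme.sh}"
# Run by acme.sh's cron after every renewal; assumed enough for a renewal in
# place (the first issue still needs --set-default=X as the thread says).
RELOAD_CMD="fwconsole certificates import"

# DuckDNS tokens are assumed UUID-shaped hex (8-4-4-4-12); anything else,
# including the xxxx placeholder, fails here instead of at the CA.
token_looks_valid() {
  case "$1" in
    *[!0-9a-fA-F-]*) return 1 ;;
    ????????-????-????-????-????????????) return 0 ;;
    *) return 1 ;;
  esac
}

# Argument lists are built by functions so they can be inspected (DRY_RUN=1)
# before anything contacts the CA. Values must not contain whitespace.
issue_args() {
  printf '%s' "--issue -d $PBX_FQDN --challenge-alias $ALIAS_DOMAIN --dns dns_duckdns"
}
install_args() {
  printf '%s %s' "--install-cert -d $PBX_FQDN --cert-file $KEY_DIR/$PBX_FQDN.crt" \
    "--key-file $KEY_DIR/$PBX_FQDN.key --fullchain-file $KEY_DIR/$PBX_FQDN-fullchain.crt"
}

# After install, confirm the private key belongs to the installed cert by
# comparing public-key digests, so a mismatched pair is never made live.
cert_matches_key() {
  c=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null | openssl sha256)
  k=$(openssl pkey -pubout -in "$2" 2>/dev/null | openssl sha256)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

main() {
  token_looks_valid "${DuckDNS_Token:-}" || { echo "DuckDNS_Token missing or malformed" >&2; return 1; }
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "$ACME $(issue_args)"; echo "$ACME $(install_args) --reloadcmd '$RELOAD_CMD'"; return 0
  fi
  $ACME $(issue_args) || return 1
  $ACME $(install_args) --reloadcmd "$RELOAD_CMD" || return 1
  cert_matches_key "$KEY_DIR/$PBX_FQDN.crt" "$KEY_DIR/$PBX_FQDN.key"
}
if [ "${RUN_MAIN:-0}" = 1 ]; then main; fi
```

Run with RUN_MAIN=1 DRY_RUN=1 to print the two acme.sh command lines without contacting the CA; drop DRY_RUN once the CNAME from step 7 is in place.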