SSL Cert freePBX Ports and FQDN


(Defcomllc) #1

I went to set up a LetsEncrypt SSL cert within FreePBX in order to use the Zulu app, as it requires a valid SSL cert as you know. I set up a subdomain for the FreePBX box with my company domain… so… voip.XXXXX.com, and have that pointed to my static WAN IP. I then put the FQDN into FreePBX.

LetsEncrypt would not generate the cert even with “Responsive LetsEncrypt Rules” set to Enable in Firewall > Advanced Settings. I temporarily forwarded ports 80 and 443 in my hardware Security Gateway/Router to my FreePBX LAN static IP and it was able to generate a valid cert no problem. I then immediately turned off port forwarding for 80 and 443…

Zulu is now running great on both my Windows 10 PC (on the same local LAN as the FreePBX server) and on my Galaxy S20 Ultra 5G. I am able to send and receive calls within Zulu and two-way audio is working. Currently the only ports I have forwarded to my FreePBX server are 10000-20000 and my Chan_PJSIP port… which I changed, I don't use the default port. I have no other ports forwarded.

My concern is when LetsEncrypt goes to renew the cert it won't be able to, because I had to open those ports to get it to generate the cert…

Also, I can only get to my FreePBX admin page from outside my LAN with my FQDN if I forward port 443 to my FreePBX server. Loads right up. If I close port 443 and try to access my FreePBX admin page using my FQDN from the outside I get this page:

[screenshot]

My question is… is this the correct config? I only ask because I see on the FreePBX/PBXact suggested ports wiki list that 80 and 443 should not be opened up… which I agree with… But how will LetsEncrypt renew its cert? Or will I always have to manually open those ports to renew?

I also see it says not to have your Chan_PJSIP port open either… I have had that open since I initially set up FreePBX 6 months or so ago… It was getting attacked (call attempts in the call log not from me), which all stopped when I changed the Chan_PJSIP port to something different than the default.


#2

For LetsEncrypt, port 80 MUST be forwarded to the FreePBX box. Port 443 doesn’t matter.

With Responsive LE Rules enabled, port 80 will only be exposed to un-trusted IPs for the few seconds of the active certificate request.

Best practice is to enable Responsive LE Rules, run the http Admin interface on a port other than 80, and then enable the LetsEncrypt service on port 80.

At that point the iptables should silently drop port 80 traffic outside an active request. If there ends up being a firewall config error and a port 80 request gets through, Apache itself will reject requests attempting to access anything outside the LE auth folders.


(Defcomllc) #3

Thanks for the reply! I actually found another thread discussing this very issue after I posted this, and the final resolution in that thread is exactly what you just posted. I changed my Admin port to something other than 80… and turned port 80 on for LetsEncrypt in port management, then forwarded port 80 in my hardware firewall to the FreePBX server… Thank you!