SSL Certificate for TLS

Should I create a certificate using ACME/Letsencrypt of pfSense then import it into FreePBX, or use Letsencrypt on FreePBX to create the certificate, or it doesn’t matter?

Do you want to do it manually every three months? Then set it on pfsense :wink:

I saw the light…was thinking it would automatically know the path…thank you PitzKey for responding.

Like most security questions the answer will depend on a detailed analysis of the threats in your environment, and the consequences of a breach. These are things that you should probably not detail on a public forum.

However, I would point out that the answer could be: “none of the above”, e.g.:

  • encryption not needed;
  • required level of authentication requires a certificate from an upmarket CA;
  • required level of authentication requires a corporate certificate (often loosely called self signed);
  • no authentication needed (TLS supports Diffie-Hellman exchange, and it looks like it is or was possible to compile Asterisk to support that, and for DTLS, Asterisk supports ephemeral certificates, and of course a certificate might only be needed to work around requirements imposed by the TLS implementations);
  • limited authentication and only media encryption required (although Asterisk doesn’t support ZRTP).

Typically certificates are being used by phones to authenticate the PABX, and the PABX uses normal SIP methods to authenticate the phones. Although the phone could have its own certificate, I don’t think that Asterisk verifies the name of the phone against the certificate, so LetsEncrypt provides no assurance that the phone is legitimate. I don’t know to what extent phones verify the name of the PABX,

Thanks David55 for responding…actually, I came back to ask that very question of whether Let’s Encrypt on FreePBX does the phone as well. The phone is an Htek enterprise phone (UC924), which can handle the certificate, but I am not sure of the renewal process. What is the experience of members…do they need to manually renew the phones, or does FreePBX take care of that matter? I just want to make my DMZ where FreePBX lives airtight.

As I suggested, there is no point in having a LetsEncrypt certificate for the phone, not that it would be easy to do, unless the PABX checks the identity of the phone against the common name in the certificate, as anyone can obtain a LetsEncrypt certificate that will pass the test of whether or not the certificate is validly signed, which is, I think, the most that Asterisk will do.

As I see it, with Asterisk, the only way TLS can be used to authenticate the phone is if you run your own corporate CA and that CA is the only one for which you install a CA certificate on Asterisk. This is commonly referred to as a self signed certificate, but it is only the CA certificate that is actually self signed, and there is always a self signed certificate at the top of any trust chain.

Hey David, I am not understanding…I registered a legitimate and special domain specifically for this purpose and planned to use it as follows: mypbx.example.net and phone.example.net…the common name would be example.net. So, why would that not work?

I thought one must have a valid domain that one has control over (owned) to get a Let’s Encrypt certificate. I just went through this very issue using ACME on pfSense and was rudely informed that the name couldn’t resolve. That’s when others explained that to get a valid SSL certificate, I must own the common name domain. So, I purchased a domain.

So, earlier I tried Let’s Encrypt to get a certificate for mypbx.example.net, then placed example.net in the alternate name as the FQDN, with the proper email address and the US state registered to the domain; yet, I get certificate error, Local IP: dns error, Public IP: dns error, Self test error: Pest_Curl_Exec - Could not resolve host: Unknown error.

Yet, when I plug the name in the browser, it resolves; as well as, when did the same on another computer, it also resolved.

The owner of imposter.com can obtain a LetsEncrypt signed certificate for their domain, and Asterisk will trust it just as much as a certificate for example.net, or even your IP address.
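As an added example (not code from this thread, and not Asterisk or FreePBX code), the following Go program separates the two checks David55 distinguishes above, in the post on running your own corporate CA and in the post on imposter.com: a chain-validity check that accepts any certificate signed by a CA in the trusted set, and an identity check that compares the name in the certificate with the phone the PABX expects. It builds, in memory, a constructed corporate CA, a constructed second CA standing in for a public CA such as Let’s Encrypt, and three phone certificates, then shows which combinations pass each check. The CA names, the phone names and imposter.com are assumptions for illustration; the only thing modelled about Asterisk is the chain check the thread says it performs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate for cn. With parent == nil it is self-signed
// (a CA root, the only link in a trust chain that is truly "self signed");
// otherwise parentKey signs it. CAs get keyCertSign, phones get clientAuth.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// ChainOK is the check the thread attributes to Asterisk: is the certificate
// validly signed by one of the CAs we chose to trust? The trusted set, not
// the signature check, decides who passes.
func ChainOK(cert *x509.Certificate, trusted ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, ca := range trusted {
		pool.AddCert(ca)
	}
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err == nil
}

// NameOK is the check the thread says Asterisk does not do: does the
// identity in the certificate match the phone the PABX expects?
func NameOK(cert *x509.Certificate, expectedCN string) bool {
	return cert.Subject.CommonName == expectedCN
}

// BuildLab issues the constructed certificates for the scenario: a corporate
// CA that signs two phones, and a second CA standing in for a public CA such
// as Let's Encrypt, which will sign imposter.com for whoever owns that name.
func BuildLab() (corpCA, pubCA, phone, other, imposter *x509.Certificate) {
	corpCA, corpKey := issue("Example Corp Phone CA", true, nil, nil)
	pubCA, pubKey := issue("Public CA (stand-in)", true, nil, nil)
	phone, _ = issue("phone.example.net", false, corpCA, corpKey)
	other, _ = issue("lobby.example.net", false, corpCA, corpKey)
	imposter, _ = issue("imposter.com", false, pubCA, pubKey)
	return corpCA, pubCA, phone, other, imposter
}

func main() {
	corpCA, pubCA, phone, other, imposter := BuildLab()
	for _, c := range []*x509.Certificate{phone, other, imposter} {
		fmt.Printf("%-18s corporate CA only: %-5v  corporate+public CA: %-5v  name matches phone.example.net: %v\n",
			c.Subject.CommonName, ChainOK(c, corpCA), ChainOK(c, corpCA, pubCA), NameOK(c, "phone.example.net"))
	}
}
```

Run it with `go run`. Two things fall out of the table it prints: imposter.com fails the chain check while only the corporate CA is trusted and passes it the moment the public CA is added, so what keeps it out is the choice of trusted roots, not the signature check; and lobby.example.net, a perfectly valid corporate phone, passes the chain check too, so telling one phone from another still needs the name comparison (or some other mapping from certificate to SIP identity) that the thread says Asterisk does not perform.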

So, then I was wondering why I was getting the error and what part caused the error FreePBX or Asterisk and how to resolve that. Now, in DNS, I had set up just pfSense, but when one opens DNS, it says normally 127.0.0.1 should be first; so, I did that.

That’s why I wanted to use pfSense and ACME to do the certificate because in that application one could place the IP address in SAN…not so on FreePBX.

This thread seems to have gone extra complicated for unknown reason… let me just suggest that you can buy a legit certificate from namecheap for $7.50 or so (find a coupon) and it will be good for a whole year. Now apply it to your pfsense and your FreePBX services and be done until 2023.

Let’s Encrypt is a good concept but only if you value your time at less than $7.50.

LE states that they only offer domain-validated certificates, not certificates for IP addresses.

It’s funny that you said that as I had just looked at two threads on the subject and methods to automate the renewal process and said to myself “this is getting very complicated.”
What you said would have saved two weeks of sorting through so much misinformation or half of the story. I found out that Lets Encrypt doesn’t reveal or include the IP

The only problem there is what if one doesn’t want their domain resolvable…say one doesn’t want to reveal mypbx.example.net to the world, or one needs multiple sub-domains as in my case, which would involve three…racking up the expense Let’s Encrypt was designed to help us avoid.

If so do not use Lets Encrypt. Domains using Lets Encrypt are public.

Yes, that’s why one registers a domain and then uses a sub-domain of that domain that is not facing the public and is only for internal use. The example.net is public…the sub-domain mypbx of example.net is not public…it’s private…correct?

Actually, what I am suspecting why the Lets Encrypt certificate did work last night is that I am behind a firewall. However, it is a stateful firewall and the request came from its DMZ, so I am not understanding what’s happening and why one needed to have port 80 open to the world on a stateful firewall.

So, the topic went sideways…

Use DNS-01 challenges with a name-service under your control and you won’t have to worry about firewalls.

Because there is a presumption that a web server on port 80 of a domain is under firm control of the management for that domain, whereas other open ports might be controlled by people less concerned about the business.
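To make concrete what Dicko’s DNS-01 suggestion and the port-80 presumption David55 describes amount to, here is an added example in Go (not code from this thread, and not acme.sh or the FreePBX ACME client). For one challenge token it computes the two proofs of control defined in RFC 8555: the http-01 resource the CA fetches over port 80 at /.well-known/acme-challenge/<token>, which is why that port has to be reachable from the Internet, and the dns-01 TXT record at _acme-challenge.<name>, which the CA reads from public DNS so nothing inbound is needed. The account key thumbprint follows RFC 7638. The account key, the token and mypbx.example.net are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// b64url is the unpadded base64url encoding used throughout ACME
// (RFC 8555, section 5).
func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// ThumbprintP256 is the RFC 7638 JWK thumbprint of an ACME account key on
// P-256: SHA-256 over the canonical JSON of the required members, sorted
// lexicographically, with no whitespace.
func ThumbprintP256(pub *ecdsa.PublicKey) string {
	x := pub.X.FillBytes(make([]byte, 32))
	y := pub.Y.FillBytes(make([]byte, 32))
	jwk := fmt.Sprintf(`{"crv":"P-256","kty":"EC","x":"%s","y":"%s"}`, b64url(x), b64url(y))
	sum := sha256.Sum256([]byte(jwk))
	return b64url(sum[:])
}

// KeyAuthorization ties the CA's challenge token to the account key
// (RFC 8555, section 8.1), so only the holder of that key can answer.
func KeyAuthorization(token, thumbprint string) string {
	return token + "." + thumbprint
}

// HTTP01 returns the URL path and body the CA will fetch on port 80 of the
// name being validated (RFC 8555, section 8.3). This is the challenge that
// forces an inbound port 80 through the firewall.
func HTTP01(token, thumbprint string) (path, body string) {
	return "/.well-known/acme-challenge/" + token, KeyAuthorization(token, thumbprint)
}

// DNS01 returns the TXT record name and value (RFC 8555, section 8.4): the
// value is base64url(SHA-256(key authorization)). The CA looks it up in
// public DNS, so nothing on the host has to be reachable.
func DNS01(name, token, thumbprint string) (record, value string) {
	sum := sha256.Sum256([]byte(KeyAuthorization(token, thumbprint)))
	return "_acme-challenge." + name, b64url(sum[:])
}

func main() {
	// Constructed account key; a real client keeps this with its account URL.
	acct, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	thumb := ThumbprintP256(&acct.PublicKey)
	// Constructed token; in practice it arrives in the CA's challenge object.
	token := "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

	path, body := HTTP01(token, thumb)
	fmt.Printf("http-01: GET http://mypbx.example.net%s must return %s\n", path, body)
	rec, val := DNS01("mypbx.example.net", token, thumb)
	fmt.Printf("dns-01:  %s. IN TXT %q\n", rec, val)
}
```

The point of the contrast is that both proofs derive from the same token and account key; the only difference is where the CA goes to look for the answer. With dns-01 the client needs API access to the zone (that is what the acme.sh DNS hooks mentioned later in the thread provide) and the host itself can stay unreachable, but the name, and the certificate issued for it, are still public: the TXT record is world-readable and the issued certificate lands in the CT logs.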

Although it’s called LetsEncrypt, the service they are actually providing is actually about authentication. That’s what all the certification authorities are providing.

I am glad you’re responding and was looking for where the DNS challenge was…had expected a drop-down menu to choose from…how do I go about doing that?

Was thinking to send you a message after I saw the thread: Wildcard SSL certificate & Automation although it seems complicated.

But, the request is sent from behind the stateful firewall; just like, upgrading FreePBX from behind the same stateful firewall gets upgraded. Isn’t the same process? Although I have a voip server, it’s only open to my SIP Trunk technically.

There is no ‘drop-down’ because the FreePBX acme client is terminally lame :wink:

I think I already suggested to you

It is a simple set of shell scripts that can issue ‘free’ certificates from LE and ZeroSSL and includes recipes for about a hundred name service hooks for DNS-01 plus some few ‘deployment hooks’ for devices that TLS will commonly be used for passed-through/proxied connections.

Consider the link itself as where you can RTFM :slight_smile:

Thank you Dicko…that suggestion was on another thread. The suggestion you gave to me was HAproxy.

It will take a day or two to grasp since I have never installed anything on FreePBX. I wish I could have linked FreePBX to pfSense to do the certificate and renewal since that package app is available there. It’s now time to go RTFM :rofl: and start sweating…