SSL Certificate for TLS

This thread seems to have gone extra complicated for an unknown reason… let me just suggest that you can buy a legit certificate from Namecheap for $7.50 or so (find a coupon) and it will be good for a whole year. Now apply it to your pfSense and your FreePBX services and be done until 2023.

Let’s Encrypt is a good concept but only if you value your time at less than $7.50.

LE states that they only offer domain-validated certificates, not certificates for IP addresses.

It’s funny that you said that, as I had just looked at two threads on the subject and methods to automate the renewal process and said to myself, “this is getting very complicated.”
What you said would have saved two weeks of sorting through so much misinformation or only half of the story. I found out that Let’s Encrypt doesn’t reveal or include the IP

The only problem there is, what if one doesn’t want their domain resolvable… say one doesn’t want to reveal mypbx.example.net to the world, or one needs multiple sub-domains, as in my case, which would involve three… racking up the expense Let’s Encrypt was designed to help us avoid.

If so, do not use Let’s Encrypt. Domains using Let’s Encrypt are public.

Yes, that’s why one registers a domain and then uses a sub-domain of that domain that is not public-facing and is only for internal use. example.net is public… the sub-domain mypbx of example.net is not public… it’s private… correct?

Actually, what I suspect as to why the Let’s Encrypt certificate did work last night is that I am behind a firewall. However, it is a stateful firewall and the request came from its DMZ, so I am not understanding what’s happening and why one needs to have port 80 open to the world on a stateful firewall.

So, the topic went sideways…

Use DNS-01 challenges with a name service under your control and you won’t have to worry about firewalls.
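To make the DNS-01 point concrete, here is an added walk-through of the challenge mechanics from RFC 8555 section 8.4 (it is example code written for this thread, not the FreePBX ACME client or acme.sh). The account key, token and zone contents are constructed placeholders; in a real issuance the CA supplies the token and the client signs with its own account key. The interesting part is `ca_validates`: the CA computes the expected value itself and performs a TXT lookup in public DNS, so nothing has to reach port 80 or 443 on the host that asked for the certificate.

```python
"""DNS-01 challenge walk-through (RFC 8555 s8.4, RFC 7638 thumbprint).

Added example, not code from the thread or from any ACME client. The account
JWK, token and DNS zone below are constructed placeholders.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over only the required public members, serialised
    with sorted keys and no whitespace. Private members (e.g. "d") are ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token '.' thumbprint: binds the challenge to this ACME account."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_record_value(token: str, jwk: dict) -> str:
    """TXT value to publish: base64url(SHA-256(keyAuthorization))."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def challenge_name(domain: str) -> str:
    """Record is _acme-challenge.<domain>; a wildcard is validated at its base
    name because '*' is not a DNS label."""
    base = domain[2:] if domain.startswith("*.") else domain
    return f"_acme-challenge.{base}."


def publish(zone: dict, domain: str, token: str, jwk: dict) -> None:
    """Client side (what a DNS API hook does): add the TXT record to the zone."""
    zone.setdefault(challenge_name(domain), set()).add(dns01_record_value(token, jwk))


def ca_validates(zone: dict, domain: str, token: str, jwk: dict) -> bool:
    """CA side: recompute the expected value and look it up in DNS. No inbound
    connection to the requesting host is involved, so its firewall is irrelevant."""
    expected = dns01_record_value(token, jwk)
    return expected in zone.get(challenge_name(domain), set())


# Constructed placeholder account key (not a real RSA modulus) and token.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "cGxhY2Vob2xkZXItbW9kdWx1cw"}
TOKEN = "constructed-token-Xf9Lq2"


def demo(domain: str = "mypbx.example.net") -> dict:
    """Run one issuance round against an in-memory zone and report the outcome."""
    zone: dict = {}                      # stands in for the authoritative zone
    publish(zone, domain, TOKEN, ACCOUNT_JWK)
    return {
        "record": challenge_name(domain),
        "txt": dns01_record_value(TOKEN, ACCOUNT_JWK),
        "valid": ca_validates(zone, domain, TOKEN, ACCOUNT_JWK),
        "wrong_token_valid": ca_validates(zone, domain, "other-token", ACCOUNT_JWK),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Once the record is in place the client tells the CA to validate; after issuance the record can be removed, which is what the "DNS-01" hooks in an ACME client automate. The sub-domain itself is not hidden by this, since the issued certificate still lands in the public Certificate Transparency logs.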

Because there is a presumption that a web server on port 80 of a domain is under the firm control of the management for that domain, whereas other open ports might be controlled by people less concerned about the business.

Although it’s called LetsEncrypt, the service they are providing is actually about authentication. That’s what all the certification authorities are providing.

I am glad you’re responding; I was looking for where the DNS challenge was… had expected a drop-down menu to choose from… how do I go about doing that?

Was thinking of sending you a message after I saw the thread Wildcard SSL certificate & Automation, although it seems complicated.

But the request is sent from behind the stateful firewall, just like upgrading FreePBX from behind the same stateful firewall gets it upgraded. Isn’t it the same process? Although I have a VoIP server, it’s technically only open to my SIP trunk.

There is no ‘drop-down’ because the FreePBX ACME client is terminally lame :wink:

I think I already suggested to you

It is a simple set of shell scripts that can issue ‘free’ certificates from LE and ZeroSSL and includes recipes for about a hundred name service hooks for DNS-01, plus a few ‘deployment hooks’ for devices where TLS will commonly be used for passed-through/proxied connections.

Consider the link itself as where you can RTFM :slight_smile:

Thank you Dicko… that suggestion was on another thread. The suggestion you gave me was HAProxy.

It will take a day or two to grasp, since I have never installed anything on FreePBX. I wish I could have linked FreePBX to pfSense to do the certificate and renewal, since that package app is available there. It’s now time to go RTFM :rofl: and start sweating…

acme.sh has an effective deployment hook for HAProxy which relieves the backends, which would be just HTTP/TCP (so including the FreePBX GUI), from needing certs at all.
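What such a hook hands to HAProxy is a single PEM file in a fixed order: leaf certificate, then intermediates, then the private key, which HAProxy's `crt` option reads as one unit. The following is an added example (not acme.sh's hook and not code from this thread) that assembles that bundle from the three pieces an ACME client leaves behind and checks an existing bundle's ordering; the PEM bodies are constructed placeholders, not real certificates or keys, and the `.pem` file name is an assumption.

```python
"""Assemble and sanity-check a HAProxy-style PEM bundle.

Added example, not code from acme.sh or from the thread. HAProxy's ``crt``
option expects one file holding: leaf certificate, intermediates, private key,
in that order. The PEM bodies below are constructed placeholders.
"""
import re

# One PEM block: header, body, footer with a matching type label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)\n-----END \1-----", re.S)
KEY_TYPES = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def pem_blocks(text: str) -> list:
    """Return [(type, full_block_text), ...] in file order."""
    return [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(text)]


def build_haproxy_bundle(cert_pem: str, chain_pem: str, key_pem: str) -> str:
    """Concatenate cert + chain + key after checking each input holds only what
    it should. Refusing a key inside the public parts guards against the
    copy/paste slip that puts a private key into a file meant to be shared."""
    cert = pem_blocks(cert_pem)
    chain = pem_blocks(chain_pem)
    key = pem_blocks(key_pem)
    if [t for t, _ in cert] != ["CERTIFICATE"]:
        raise ValueError("cert input must contain exactly one CERTIFICATE block")
    if any(t != "CERTIFICATE" for t, _ in chain):
        raise ValueError("chain input may only contain CERTIFICATE blocks")
    if len(key) != 1 or key[0][0] not in KEY_TYPES:
        raise ValueError("key input must contain exactly one private key block")
    ordered = [b for _, b in cert] + [b for _, b in chain] + [b for _, b in key]
    return "\n".join(ordered) + "\n"


def check_haproxy_order(bundle: str) -> bool:
    """True when the bundle is leaf first, only certificates in between,
    and a single private key last."""
    types = [t for t, _ in pem_blocks(bundle)]
    if len(types) < 2:
        return False
    return (types[0] == "CERTIFICATE"
            and all(t == "CERTIFICATE" for t in types[1:-1])
            and types[-1] in KEY_TYPES)


def _pem(kind: str, body: str) -> str:
    """Constructed placeholder block; the body is not real DER data."""
    return f"-----BEGIN {kind}-----\n{body}\n-----END {kind}-----"


# Constructed placeholders standing in for what an ACME client writes out.
LEAF = _pem("CERTIFICATE", "bGVhZi1jZXJ0LXBsYWNlaG9sZGVy")
INTERMEDIATE = _pem("CERTIFICATE", "aW50ZXJtZWRpYXRlLXBsYWNlaG9sZGVy")
KEY = _pem("EC PRIVATE KEY", "a2V5LXBsYWNlaG9sZGVy")


def demo() -> str:
    """Build the bundle a HAProxy deploy step would write (file name assumed)."""
    bundle = build_haproxy_bundle(LEAF, INTERMEDIATE, KEY)
    assert check_haproxy_order(bundle)
    return bundle


if __name__ == "__main__":
    # A real deploy would write this to e.g. /etc/haproxy/certs/mypbx.example.net.pem
    print(demo())
```

The ordering check is worth running after any renewal, because a bundle with the key first or an intermediate missing still loads in some setups but fails chain building on clients, which is the sort of "works in the browser, breaks on the phone" symptom that is hard to trace back to the certificate file.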

You know, I asked this very question on pfSense because, based on my test with HAProxy, it seems that I would not need to actually install the certificate on FreePBX. However, since I had to get a real domain, I thought why not add the certificate to FreePBX as well as the phone… that quickly became a steep learning curve, as I had thought that the ACME package on pfSense could take care of all, no problem.

tl;dr

I wouldn’t reuse certificates issued against any of my HTTP/HTTPS-available services for any of my TCP/TLS-only services unless I am very sure that such a service cannot leak its domain-to-IP connections. (I am pretty sure mine can’t, though, but I still issue certs against bizarrely named domains bought for less than $10/year from Namecheap.)

I am seriously considering doing this; PositiveSSL on that site is going for $5.99, as the new ACME package seems not to be cooperating. I wasted far more in $/hr dealing with this Let’s Encrypt that I responded to the company engineer’s welcome message saying that if they had charged $1.50, I would have had an SSL last week.

Not sure what ACME package you speak of, but whatever works for you is fine, of course.

It’s the ACME package of pfSense, which just had a new release yesterday… it could be broken, as it is presenting the same exact issue an earlier post from 2019 describes, and the fix was pushing another.

Hey Dicko, it turned out that it was not the ACME package but that my domain registrar did not support DNS-NSupdate-RFC2136. Got the certificate; all is well on that matter.

I suggest that you will find acme.sh more beneficial.

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.