The distro has everything built into the web interface, even if you generate your certificate some other way.
Go to Admin - Certificate Management - New Certificate - Upload Certificate and fill everything in from the files you generated using the acme.sh tool.
Go to Admin - System Admin - HTTPS Setup - and follow the instructions. You should be able to pick your cert from the list. This takes care of setting up Apache for you.
Yes I’m aware of the UI…I am specifically looking for a way to perform this via the CLI… preferably using fwconsole or similar.
I want to automate this process end-to-end…I need to use a DNS challenge and it doesn’t sound like the built-in Acme implementation will expose this via the UI anytime soon.
Isn’t their DNS challenge done by making a TXT record in your DNS that they can look up? I’m not sure how the FreePBX GUI is supposed to setup TXT records for your DNS.
I think you can take two different approaches on this.
You can have FreePBX manage your web server. Use the GUI method I described for the first load, and then set up a script in crontab daily that does something like this for renewal:
if (acme --renew)
cp files to /etc/asterisk/keys and overwrite expiring cert
fwconsole certificates --import
fwconsole certificates --default=ID (if you have more than one cert, otherwise, no need)
fwconsole reload # (reload freepbx)
systemctl reload httpd # (reload apache)
You didn’t say whether you are using the certificates for anything other than HTTPS. If you are only using it to secure your admin connection to FreePBX, then you don’t have to integrate with FreePBX at all.
yum install mod_ssl # to install the necessary module and default config for Apache SSL
Then configure apache with a virtualhost for SSL and point to the location of your certificate/key set. The configs are in /etc/httpd/conf.d/
Then your pseudo-script becomes more simple:
if (acme --renew)
cp files to where apache looks for them
systemctl reload httpd