
Using CLI to manage certificates. What command to set HTTPS and reload apache?


#1

I’m working on using Acme.sh to generate a LE certificate using DNS challenge (that the built-in LE client doesn’t support yet in the GUI).

Proposed workflow:

  1. Use Acme.sh to issue a certificate and place the .key and .crt in /etc/asterisk/keys (done).
  2. Use fwconsole chown to potentially fix permissions on the .key and .crt file (done).
  3. Use fwconsole certificates --import to import this new certificate (done).
  4. Set this new certificate as the HTTPS certificate (NEED).
  5. Reload Apache (maybe fwconsole reload ?) (NEED).

#2

FreePBX Distro (SangomaOS)? If not, what OS?


#3

Yes, the FreePBX Distro


#4

The distro has everything built into the web interface, even if you generate your certificate some other way.

Go to Admin - Certificate Management - New Certificate - Upload Certificate and fill everything in from the files you generated using the acme.sh tool.

Go to Admin - System Admin - HTTPS Setup - and follow the instructions. You should be able to pick your cert from the list. This takes care of setting up Apache for you.


#5

Yes I’m aware of the UI…I am specifically looking for a way to perform this via the CLI… preferably using fwconsole or similar.

I want to automate this process end-to-end…I need to use a DNS challenge and it doesn’t sound like the built-in Acme implementation will expose this via the UI anytime soon.


#6

fwconsole setting --list|grep -i cert

Might get you started

CERTKEYLOC would need to be readable by asterisk


(Tom Ray) #7

Isn’t their DNS challenge done by making a TXT record in your DNS that they can look up? I’m not sure how the FreePBX GUI is supposed to set up TXT records for your DNS.


#8

I think you can take two different approaches on this.

You can have FreePBX manage your web server. Use the GUI method I described for the first load, and then set up a script in crontab daily that does something like this for renewal:

if (acme --renew)
    cp files to /etc/asterisk/keys and overwrite expiring cert
    fwconsole certificates --import
    fwconsole certificates --default=ID (if you have more than one cert, otherwise, no need)
    fwconsole reload # (reload freepbx)
    systemctl reload httpd # (reload apache)


You didn’t say whether you are using the certificates for anything other than HTTPS. If you are only using it to secure your admin connection to FreePBX, then you don’t have to integrate with FreePBX at all.

yum install mod_ssl # to install the necessary module and default config for Apache SSL

Then configure apache with a virtualhost for SSL and point to the location of your certificate/key set. The configs are in /etc/httpd/conf.d/

Then your pseudo-script becomes more simple:

if (acme --renew)
    cp files to where apache looks for them
    systemctl reload httpd


Hope that helps a bit.
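Added example, not part of the original posts: one way to turn the renewal pseudo-script from post #8 into a deploy step that installs the key with restrictive permissions and reloads services only when the certificate actually changed. The names CERT_NAME and PRINT_CMDS, the default name pbx, and the --deploy argument convention are assumptions made for illustration; the fwconsole and systemctl commands are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Hypothetical names: CERT_NAME,
# PRINT_CMDS, and the --deploy argument convention.
set -eu

KEYS_DIR="${KEYS_DIR:-/etc/asterisk/keys}"  # directory named in the thread
CERT_NAME="${CERT_NAME:-pbx}"               # hypothetical certificate base name
PRINT_CMDS="${PRINT_CMDS:-0}"               # 1 = print service commands only

# Execute a service command, or just print it when PRINT_CMDS=1.
run() {
    if [ "$PRINT_CMDS" = 1 ]; then echo "would run: $*"; else "$@"; fi
}

# install_file SRC DST MODE: copy to a temp file created under umask 077,
# set the mode, then rename, so the key is never briefly world-readable
# and readers never see a half-written file.
install_file() {
    tmp="$2.tmp.$$"
    ( umask 077; cp "$1" "$tmp" ) && chmod "$3" "$tmp" && mv -f "$tmp" "$2"
}

# deploy_cert CRT KEY
# returns 0 = deployed, 1 = certificate unchanged, 2 = bad input, 3 = copy failed
deploy_cert() {
    crt="$1"; key="$2"
    [ -s "$crt" ] && [ -s "$key" ] || { echo "missing cert or key" >&2; return 2; }
    # Skip the service reloads when the renewal run produced nothing new.
    if cmp -s "$crt" "$KEYS_DIR/$CERT_NAME.crt" 2>/dev/null; then
        return 1
    fi
    install_file "$key" "$KEYS_DIR/$CERT_NAME.key" 600 || return 3
    install_file "$crt" "$KEYS_DIR/$CERT_NAME.crt" 644 || return 3
    run fwconsole chown &&                  # step 2 of the proposed workflow
    run fwconsole certificates --import &&  # step 3
    run fwconsole reload &&                 # reload FreePBX (post #8)
    run systemctl reload httpd              # reload Apache (post #8)
}

# Stand-alone use: script.sh --deploy /path/to/new.crt /path/to/new.key
if [ "${1:-}" = "--deploy" ]; then
    deploy_cert "$2" "$3"
fi
```

Exit status 1 means the certificate on disk already matches, so a cron job can treat it as "nothing to do" rather than as a failure.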


(system) closed #9

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.