Valid *.domain.tld certificates for TLS

Hi, will valid *.domain.tld certificates work for TLS or SSL if entered into Certificate Management? I know they work for https access but want to be sure about TLS.
Thanks.

It's not recommended to use a wildcard.

Most likely it will work if everything in the stack supports it. I’ve used them in test systems many times.

Not sure that you can use Let’s Encrypt to automatically obtain a wildcard certificate through FreePBX as that requires DNS authentication method and that’s not an option in FreePBX.

I think it should work if you manually import and manage a valid wildcard certificate.

The basic problem with using them is that if one machine using them gets compromised, all of them are compromised.

Hi, thank you for your responses. We don't use letsencrypt. We use signed CA certs. As for being compromised, that is at the bottom of the list of probabilities for a variety of good reasons, and it has not happened since we started around 2012. I just sort of remember one person a long time ago saying *.domain.tld will not work with SIP for some reason. Not sure why it wouldn't, but I will give it a try on our own FreePBX 16 server and report back here so we all have a clear idea.

Now this is interesting. In Certificate Manager, deleted the old cert and then added the new *.domain.tld key, cert and CA bundle. Clicked Default to set this new cert as default.

Ran openssl from a remote Ubuntu server that has access to the TLS port in use, and it comes back with "certificate has expired". Looking at the last 5 characters of the cert listed in the openssl report, it is NOT the same as the certificate just uploaded to the FreePBX server.

Validity
Not Before: May 30 00:00:00 2022 GMT
Not After : Jun 29 23:59:59 2023 GMT

Will have to find where the GUI stores these keys and wipe it clean manually.

Went into /etc/asterisk/keys and deleted the files named after *.domain.tld. Then in Certificate Manager, deleted the certificate. Added back to Certificate Manager the current valid *.domain.tld private key, certificate and CA bundle. Then set it as default. Ran the SSL validation and again same crap, it has the old expired cert.

Checked in /etc/asterisk/keys and the new files were created but they are not used for some unknown reason.

Presumably this is a bug.

Adding the certificates in the Certificate Manager doesn’t actually tell FreePBX to use them. You need to go to Admin → System Admin → HTTPS Setup → Settings and actually tell the GUI to use the certificate that you just loaded in the certificate manager.

Same goes for the various SIP protocols under Settings → Asterisk SIP Settings. You need to specify what certificate each protocol should use if you want to use SIP over TLS.
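The check the poster did by eye (is the certificate the TLS port presents the one just uploaded, and has it expired?) can be scripted so the two fingerprints are compared exactly rather than by their last five characters. This is an added example, not code from the thread or from FreePBX; it uses only the Python 3 standard library, assumes SIP TLS on port 5061, and the "certificate" it parses offline is a constructed DER skeleton carrying only the validity dates shown in the thread, not a real certificate.

```python
import base64, hashlib, ssl
from datetime import datetime, timezone

def _tlv(buf, i):
    """Decode one DER tag-length-value at offset i -> (tag, value, offset after it)."""
    tag, ln, i = buf[i], buf[i + 1], i + 2
    if ln & 0x80:                                       # long-form length
        n = ln & 0x7F
        ln, i = int.from_bytes(buf[i:i + n], "big"), i + n
    return tag, buf[i:i + ln], i + ln

def not_after(der):
    """Walk Certificate -> tbsCertificate -> validity; return notAfter as an aware UTC datetime."""
    _, cert, _ = _tlv(der, 0)
    _, tbs, _ = _tlv(cert, 0)
    tag, _, nxt = _tlv(tbs, 0)
    i = nxt if tag == 0xA0 else 0                       # optional explicit [0] version
    for _ in range(3):                                  # serialNumber, signature, issuer
        _, _, i = _tlv(tbs, i)
    _, validity, _ = _tlv(tbs, i)
    _, _, j = _tlv(validity, 0)                         # skip notBefore
    tag, value, _ = _tlv(validity, j)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime vs GeneralizedTime
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def fingerprint(pem):
    """SHA-256 fingerprint of a PEM cert, formatted like openssl x509 -fingerprint -sha256."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).digest())

def compare(local_pem, served_pem, now=None):
    """Is the served cert the one on disk, and is it still valid at 'now' (default: current time)?"""
    exp = not_after(ssl.PEM_cert_to_DER_cert(served_pem))
    return {"same_cert": fingerprint(local_pem) == fingerprint(served_pem),
            "not_after": exp.strftime("%b %d %H:%M:%S %Y GMT"),
            "expired": exp < (now or datetime.now(timezone.utc))}

def served_cert(host, port=5061):
    """PEM the TLS port actually presents, with SNI set to host (like openssl s_client -servername)."""
    return ssl.get_server_certificate((host, port))

def _der(tag, body):                                    # minimal DER encoder for the sample below
    size = bytes([len(body)]) if len(body) < 128 else bytes([0x81, len(body)])  # sample stays < 256 bytes
    return bytes([tag]) + size + body
def sample_pem(serial=b"\x01", expiry=b"230629235959Z"):
    """Constructed, NOT a real certificate: a DER skeleton carrying the validity dates from the thread."""
    validity = _der(0x30, _der(0x17, b"220530000000Z") + _der(0x17, expiry))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, serial)
               + _der(0x30, b"") + _der(0x30, b"") + validity)
    cert = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode() + "-----END CERTIFICATE-----\n"
```

Against a live box, `compare(open("/etc/asterisk/keys/<your>.crt").read(), served_cert("pbx.example.com", 5061))` (paths and host assumed) reports `same_cert: False` in exactly the situation the thread describes, where the GUI has the new files but Asterisk is still serving the old ones.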
