Want to install the HTTPS Cert we already use on our public domain into FreePBX

(Big Chief) #1

Hi, we have a public domain with a wildcard certificate (*.ourdomain.com) that we purchased from GoDaddy.

I made a public DNS entry that resolves to our phone server’s private IP (phones.ourdomain.com resolves to 192.168.1.x), so that it only resolves if the user is on our network or VPN, which is how I want it.

Our web guy gave me the “.crt” certificate file, so how can I remove all the current FreePBX Distro self-signed certs, and install just this one? If I go into “System Admin -> HTTPS Setup -> Install Cert” and paste it in as a certificate, FreePBX still acts as if it is a self-signed certificate. The end result is that I want Chrome to give us the nice HTTPS “green lock icon”, so that our UCP scripts can execute properly.

(Dave Burgess) #2

There’s a key file that (I think) you’re going to need on the server to make the connection click.

(Andrew Nagy) #3

You need a private key and the cert file. You can’t just do it with the cert file. You need both.

(Big Chief) #4

OK, thanks, I do have the key file as well. I didn’t mention it because the web guy (incorrectly, apparently) told me I wouldn’t need it.

Does anyone know the actual steps then to insert our cert and key file? There’s nothing in the wiki for putting in our own; as I was saying, if I use the GUI then FreePBX still acts like it is self-signed.

(Big Chief) #5

What I mean is, in (System Admin -> HTTPS Setup -> Install Cert), there’s only fields to paste in the certificate, and paste in the “Trusted Chain” if applicable, nothing about the key.

If there were non-GUI instructions like “SSH into the server, delete the old cert out of this directory, name your CA-signed cert and key to these file names and drop them here”, I could certainly handle that, but I can’t seem to Google a definitive answer.

(Big Chief) #6

The .CRT file I was given contains “-----BEGIN CERTIFICATE-----/-----END CERTIFICATE-----”

and the .KEY file contains “-----BEGIN RSA PRIVATE KEY-----/-----END RSA PRIVATE KEY-----”

So can I just paste them both into the single “Install Cert” field at once and it will combine them?

(Big Chief) #7

Well, pasting them into the “Install Cert” GUI didn’t work, but I did sit down with the web guy and we figured out how to do it over SSH.

The answers are all in /etc/httpd/conf.d/ssl.conf

You have to use a text editor like vim, create a .crt file in /etc/pki/tls/certs/ then paste in the text from your crt file, then do the same for the .key file in /etc/pki/tls/private/ and finally edit the ssl.conf to comment out the old CRT and KEY and put in the paths to the new ones you make, like so:

#   Server Certificate:
#   Point SSLCertificateFile at a PEM encoded certificate.  If
#   the certificate is encrypted, then you will be prompted for a
#   pass phrase.  Note that a kill -HUP will prompt again.  A new
#   certificate can be generated using the genkey(1) command.
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateFile /etc/pki/tls/certs/NEW.crt

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCertificateKeyFile /etc/pki/tls/private/NEW.key

Then just run “service httpd restart” and the new certificates take effect.

Afterwards we also ran “vim /var/www/html/.htaccess” to create an .htaccess file, and pasted into it:

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

which immediately forces all traffic from the “http” on the server to “https”

Best practice to disable Port 80 (HTTP) in Distro?

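The manual procedure in post #7 (drop the .crt and .key into the /etc/pki/tls directories, swap the two paths in ssl.conf, restart httpd) has no check that the key actually belongs to the certificate, and a mismatch is one way httpd ends up either refusing to start or still serving the distro's self-signed cert. The script below is an added example, not code from this thread or from FreePBX, that runs those checks and then makes the same edits. It assumes the CentOS layout named in the thread (ROOT/etc/pki/tls/certs, ROOT/etc/pki/tls/private, ROOT/etc/httpd/conf.d/ssl.conf, where ROOT is "/" on a live box and a scratch directory when testing) and reuses the NEW.crt / NEW.key file names from post #7; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread or FreePBX): pre-flight checks plus the
# post #7 install steps. ROOT is "/" on a real PBX, a temp dir when testing.
# The directive paths written into ssl.conf never include ROOT, since that is
# how Apache expects them.

# True if PEM file $1 has a BEGIN/END block whose type ends in $2
# ("CERTIFICATE", or "PRIVATE KEY", which also covers "RSA PRIVATE KEY").
pem_has_block() {
    grep -q -- "^-----BEGIN .*$2-----" "$1" && grep -q -- "^-----END .*$2-----" "$1"
}

# True if the private key in $2 matches the public key inside certificate $1.
# Compares the DER-encoded public keys (works for RSA and EC alike) instead of
# the classic RSA-modulus trick. If openssl is missing, warn and let it pass.
cert_matches_key() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "warning: openssl not found, skipping cert/key match check" >&2
        return 0
    fi
    from_cert=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    from_key=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# Usage: install_cert_pair ROOT path/to/site.crt path/to/site.key
install_cert_pair() {
    root=$1; crt=$2; key=$3
    certs_dir="$root/etc/pki/tls/certs"
    private_dir="$root/etc/pki/tls/private"
    ssl_conf="$root/etc/httpd/conf.d/ssl.conf"

    pem_has_block "$crt" CERTIFICATE || { echo "error: $crt is not a PEM certificate" >&2; return 1; }
    pem_has_block "$key" "PRIVATE KEY" || { echo "error: $key is not a PEM private key" >&2; return 1; }
    cert_matches_key "$crt" "$key" || { echo "error: $key does not match $crt" >&2; return 1; }
    [ -f "$ssl_conf" ] || { echo "error: $ssl_conf not found" >&2; return 1; }

    mkdir -p "$certs_dir" "$private_dir"
    cp "$crt" "$certs_dir/NEW.crt"
    cp "$key" "$private_dir/NEW.key"
    # The cert is public; the key must stay readable by root only. httpd reads
    # it as root at startup before dropping to its service user.
    chmod 0644 "$certs_dir/NEW.crt"
    chmod 0600 "$private_dir/NEW.key"

    # Same edit post #7 made in vim: comment out the distro's localhost pair and
    # put the new paths right under them. The original is kept as ssl.conf.bak.
    cp "$ssl_conf" "$ssl_conf.bak"
    awk '
        /^SSLCertificateFile[ \t]/    { print "#" $0; print "SSLCertificateFile /etc/pki/tls/certs/NEW.crt"; next }
        /^SSLCertificateKeyFile[ \t]/ { print "#" $0; print "SSLCertificateKeyFile /etc/pki/tls/private/NEW.key"; next }
        { print }
    ' "$ssl_conf.bak" > "$ssl_conf"
    echo "installed; now run: service httpd restart"
}

# After the restart, confirm what the server really hands to browsers: the
# issuer should be the CA, not the host itself. Needs a live PBX, so it is not
# exercised offline. Usage: show_served_cert phones.ourdomain.com
show_served_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -subject -issuer -dates
}

if [ "$#" -eq 3 ]; then
    install_cert_pair "$@"
fi
```

Run it as `sh install_cert.sh / /root/NEW.crt /root/NEW.key` on the PBX, then `service httpd restart` and `show_served_cert phones.ourdomain.com`; if the issuer line still names the host, Apache is reading a different ssl.conf than the one that was edited.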
(Andrew Nagy) #8

Are you using FreePBX 13? If so, I am tasked with fixing this and making it easier. Starting today. For HTTPS/TLS/SRTP and others. Maybe there will be something by the end of this week.

(Big Chief) #9

I am using FreePBX 13 Distro, yes. I’m all set for now, but I do appreciate your work with the GUI… I’m a Windows admin by trade so I have to fumble around and ask other employees for help when the GUI can’t handle something and I have to use the CLI.

Easy SRTP setup would be cool; our primary trunk Twilio supports it.

(Big Chief) #10

Actually, I could still use some more help… even though I got the HTTPS certificate working and Chrome is cool with it, it still tosses up the “Scripts from Unauthenticated Sources” shield icon in UCP, because UCP is apparently serving content from “http://ourdomain.com:8001/socket.io/?”, and that needs to be HTTPS but it is just HTTP.

I’m also asking iSymphony for the exact steps to enable SSL on their portal; that one looks like a real bear as they have their own security.xml and the iSymphony FreePBX Module as well.

So, anything to make those procedures a little easier (or at least a real walkthrough) would be awesome. If I figure it out first I’ll be happy to post steps here as always.

(Andrew Nagy) #11

There is no procedure for this. This is what we are working on this week.

(Big Chief) #12

Oh, great! Looking forward to it; let me know if you need me to test it out.

(JarJar Swope) #13

My SSL certs work great with UCP. No issues at all.

(Andrew Nagy) #14

You aren’t using UCP Node nor WebRTC.

(Rob Thomas) #15

@tm1000 has spent the last few days of his life caring deeply about X509, PKI and TLS. I’m pretty sure he’s wishing he never dived down this rabbit hole, but when he emerges, everything’s going to be kittens and butterflies.

Edit: SECURE Kittens and ENCRYPTED butterflies.

(JarJar Swope) #16

Is UCP and UCP node two different modules…?

(Andrew Nagy) #17

They are indeed…

(JarJar Swope) #18

Ahhhh, OK, I didn’t know that.

(JarJar Swope) #19

Since we are talking about UCP… where are the UCP PHP/HTML files? I want to add a custom logo to the UCP login screen.

(JarJar Swope) #20

Never mind, I found them :)