Wildcard SSL certificate & Automation


(Lucas Ryan) #1

I have a number of FPBX servers that all use a sub domain. For example:
PBX1 = 1.domain.net
PBX2 = 2.domain.net
PBX3 = 3.domain.net
Etc

I would like to just buy a wild card cert and apply the cert to all of the PBXs. I know how to do this via FreePBX obviously, but is there a way to fully automate this via the CLI?

I can place the files into the /etc/asterisk/keys folder - Done
Can I then do the following via a script? :

  1. Import the cert
  2. Set it as default
  3. Assign the SSL to HTTPS. (typically done via SysAdmin)

Finally, when that cert expires (actually, before the cert expires) could I just copy a new set of cert files into the /etc/asterisk/keys folder and reboot the PBX to pickup the new cert?

Would any of this work?


#2

Just curious, why “buy” vs LetsEncrypt?

The FreePBX GUI won’t let you do a wildcard cert, but you can with most of the LetsEncrypt command line clients like acme.sh or certbot.

I don’t really like wildcard certs, you can have a single cert with multiple alternate names - also supported by the command line clients (not the GUI). But it’s also easy enough to automate individual certs with LetsEncrypt.

FreePBX doesn’t really care either way - single name, multiple name or wildcard - it’s all the same once you have a valid cert.

On the FreePBX side of things, fwconsole certificates gives enough control to import/set defaults/etc.


(Lucas Ryan) #3

This is all coming from the problems outlined in this post: Let's Encrypt Certificate renewals failing

Basically, the only way to have Let’s Encrypt properly renewing is to expose port 80 to the world. Although it is exposed only for Let’s Encrypt use, it is still exposed. I have no way of determining if that is a valid security risk or not.

But, by getting a wildcard SSL cert, I don’t have to expose port 80 to anything. However, when the cert expires, I will have to touch each PBX and update the cert. If I can automate this, then this is a no brainer for me. The problem is, I don’t know of a way to assign the SSL cert to Apache via the CLI. In the GUI, you would go to SysAdmin --> Https Setup. Then select your cert from the Certificate manager, and then click the Install button. Can this be done from the CLI?


#4

By whatever method you get them, put the cert and key in /etc/asterisk/keys and have your webserver ssl config point to that location. Then have the gui ‘import’ them.

is one acme client that is easy to understand, supports DNS-01 and wild cards.


#5

It will take all of 5 minutes to get acme.sh setup to open the port only for the 20 seconds or so of the actual request. The exposure in such cases is negligible.

A little more effort to get dns-01 verification setup, but then no open ports at all.


(Lucas Ryan) #6

So “have the gui import them” with this tool would just be using the acme client to deploy the ssl certs to apache as described here? https://github.com/acmesh-official/acme.sh/wiki/Deploy-ssl-certs-to-apache-server


#7

A little like that, but you are probably using httpd as apache2, so change the destination of the cert and key to /etc/asterisk/keys/

./acme.sh --install-cert -d online.domain.com \
--cert-file /etc/asterisk/keys/online.domain.com.crt \
--key-file /etc/asterisk/keys/online.domain.com.key \
--reloadcmd "service httpd reload;fwconsole certificate --updateall"

and the webserver ssl conf file gets them from the same place, much like

SSLCertificateFile /etc/asterisk/keys/online.domain.com.crt
SSLCertificateKeyFile /etc/asterisk/keys/online.domain.com.key

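Building on the --reloadcmd above, here is an added deploy hook (not acme.sh's or FreePBX's own code) that checks the renewed key and cert belong together and that the cert actually covers the PBX's name before copying them into /etc/asterisk/keys and reloading httpd and FreePBX. The function names, the KEYDIR variable and the asterisk file ownership are assumptions; the reload commands are the ones from the thread.

```shell
#!/bin/sh
# Deploy hook for an acme.sh --reloadcmd (constructed example; not acme.sh or FreePBX code).
# Before the new cert/key land in /etc/asterisk/keys, check that they belong together and
# that the cert actually covers this PBX's name, so a bad renewal cannot break HTTPS.
set -u
KEYDIR="${KEYDIR:-/etc/asterisk/keys}"   # where httpd's SSL config and FreePBX read from (assumed)

# Return 0 if the private key's public half equals the one embedded in the certificate.
cert_matches_key() {
  crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
  [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# Return 0 if the cert's SAN list names the FQDN exactly or via a one-level wildcard
# (*.domain.net covers 1.domain.net but not a.1.domain.net).
cert_covers_host() {
  crt="$1"; fqdn="$2"; parent="${fqdn#*.}"
  sans=$(openssl x509 -in "$crt" -noout -text 2>/dev/null \
         | grep -A1 'Subject Alternative Name' | grep -o 'DNS:[^, ]*' | sed 's/^DNS://')
  set -f                                   # no globbing: a SAN may literally be "*.domain.net"
  for name in $sans; do
    if [ "$name" = "$fqdn" ] || [ "$name" = "*.$parent" ]; then set +f; return 0; fi
  done
  set +f; return 1
}

# Validate, install with tight ownership/permissions, then reload httpd and FreePBX.
deploy_cert() {
  crt="$1"; key="$2"; fqdn="$3"
  cert_matches_key "$crt" "$key" || { echo "refusing: key does not match cert" >&2; return 1; }
  cert_covers_host "$crt" "$fqdn" || { echo "refusing: cert does not cover $fqdn" >&2; return 1; }
  install -o asterisk -g asterisk -m 0644 "$crt" "$KEYDIR/$fqdn.crt"   # owner is an assumption
  install -o asterisk -g asterisk -m 0600 "$key" "$KEYDIR/$fqdn.key"
  service httpd reload
  fwconsole certificates --updateall       # same reload step as the thread's reloadcmd
}

# Usage: sh deploy-cert.sh deploy /path/new.crt /path/new.key 1.domain.net
if [ "${1:-}" = "deploy" ]; then deploy_cert "$2" "$3" "$4"; fi
```

Point acme.sh at it with --reloadcmd "sh /root/deploy-cert.sh deploy /etc/asterisk/keys/new.crt /etc/asterisk/keys/new.key 1.domain.net" after --install-cert has written the files, and a renewal that produced a mismatched pair or a cert for the wrong name is rejected before it is served.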
(Lucas Ryan) #8

Awesome. I’m going to give this a try.

Thanks


#9

For less clutter, you should probably delete all certs/keys in the GUI first, then set up the newly imported one as the default (you only have to do that once, not every couple of months)


#10

Just FYI, wildcard certs are not valid for SIP. However, they usually work ok. Funny thing is that pjsip acting as a client will reject a remote server with a wildcard cert unless you turn off validation. Better not to use them, and instead use individual or multi-name certs.


(Dan) #11

…or to use DNS validation. Here’s the thread where I asked a very similar question:

I think the posts there will be helpful.