I would like to just buy a wild card cert and apply the cert to all of the PBXs. I know how to do this via FreePBX obviously, but is there a way to full automate this via the CLI?
I can place the files into the /etc/asterisk/keys folder - Done
Can I then do the following via a script? :
Import the cert
Set it as default
Assign the SSL to HTTPS. (typically done via SysAdmin)
Finally, when that cert expires (actually, before the cert expires) could I just copy a new set of cert files into the /etc/asterisk/keys folder and reboot the PBX to pickup the new cert?
The FreePBX GUI won’t let you do a wildcard cert, but you can with most of the LetsEncrypt command line clients like acme.sh or certbot.
I don’t really like wildcard certs, you can have a single cert with multiple alternate names - also supported by the command line clients (not the GUI). But it’s also easy enough to automate individual certs with LetsEncrypt.
FreePBX doesn’t really care either way - single name, multiple name or wildcard - its all the same once you have a valid cert.
On the FreePBX side of things, fwconsole certificates gives enough control to import/set defaults/etc.
Basically, the only way to have Let’s encrypt properly renewing is to expose port 80 to the world. Although it is exposed only for Lets Encrypt use, it is still exposed. I have no way of determining if that is a valid security risk or not.
But, by getting a wildcard SSL cert, I don’t have to expose port 80 to anything. However, when the cert expires, I will have to touch each PBX and update the cert. If I can automate this, then this is a no brainer for me. The problem is, I don’t know of a way to assign the SSL cert to Apache via the CLI. In the GUI, you would go to SysAdmin --> Https Setup. Then select your cert from the Certificate manager, and then click the Install button. Can this be done from the CLI?
by whatever method you get them, put the cert and key in /etc/asterisk/keys and have your webserver ssl config point to that location. Then have the gui ‘import’ them.
is one acme client that is easy to understand, supports DNS-01 and wild cards.
It will take all of 5 minutes to get acme.sh setup to open the port only for the 20 seconds or so of the actual request. The exposure in such cases is negligible.
A little more effort to get dns-01 verification setup, but then no open ports at all.
For less clutter, you should probably delete all certs/keys in the GUI first, then set up the newly imported one as the default ( you only have to do that once, not every couple of months)
Just FYI, wildcard certs are not valid for SIP. However, they usually work ok. Funny thing is that pjsip acting as a client will reject a remote server with a wildcard cert unless you turn off validation. Better not to use them, and instead use individual or multi-name certs.