FreePBX, SelfSigned Certs, & Let's Encrypt



  • Well, this is driving me insane. I have a FreePBX box with a self-signed cert. I was able to access the box fine from my Macbook with both Safari and Chrome. With Chrome, I just get your standard "your connection is not private" and then the option to proceed anyway. However, a co-worker of mine needed to connect via his Windows 10 box, and he can't. From my Windows VM, neither can I. Chrome gives a "NET::ERR_CERT_INVALID" error and "You cannot visit pbx.domain.com right now because the website sent scrambled credentials that Google Chrome cannot process." with no option to proceed. That's issue number 1 that I'd like to get working.

    As an alternative, FreePBX now has Let's Encrypt functionality built right into the cert manager. So, I gave that a shot. For the host name, I put in the proper DNS name of my PBX box (pbx.domain.com). An A record was already created at my registrar for this DNS name/IP. I get the error "There was an error updating the certificate: Token did not match"

    Any suggestions for either problem?

    Thanks!



  • @fuznutz04 Let's Encrypt has to talk back to your PBX. Is port 80/443 routed publicly to your PBX (even temporarily)?



  • Bingo. Just as I was reading your reply, I remembered that I had previously set up a .htaccess redirect to auto redirect 80 to 443 just to ensure that nobody tries to manage the box through port 80. I disabled that temporarily and it worked right away. The cert is only valid for 3 months. Do you know if this will auto renew via the cert manager in FreePBX, or is it a manual process?

    Thanks!
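    An added example, not from the thread or from FreePBX, showing the kind of .htaccess redirect described above next to a version that exempts the ACME challenge path. The Let's Encrypt HTTP-01 validator fetches /.well-known/acme-challenge/<token> over port 80 and follows redirects, so a blanket 80-to-443 redirect sends it to the HTTPS GUI instead of the token; exempting that one path keeps the admin interface off port 80 without having to disable the redirect for each renewal. The host name is the thread's pbx.domain.com.

```apache
# BEFORE (as described in the thread): every plain-HTTP request is bounced
# to HTTPS, including the validator's GET of the ACME challenge token,
# which is what ends in "Token did not match".
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# AFTER: same redirect, but requests for the ACME challenge path are left
# alone so the token stays reachable on port 80. Use one block or the
# other in the real file; both are shown here only for comparison.
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
RewriteRule ^ https://pbx.domain.com%{REQUEST_URI} [R=301,L]
```

    A quick check from an outside host is a request for http://pbx.domain.com/.well-known/acme-challenge/test with redirects disabled: a 301 means the exemption is not in effect, a 404 from the PBX itself means port 80 is reachable and the path is not being redirected.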



  • @fuznutz04 said in FreePBX, SelfSigned Certs, & Let's Encrypt:

    Bingo. Just as I was reading your reply, I remembered that I had previously set up a .htaccess redirect to auto redirect 80 to 443 just to ensure that nobody tries to manage the box through port 80. I disabled that temporarily and it worked right away. The cert is only valid for 3 months. Do you know if this will auto renew via the cert manager in FreePBX, or is it a manual process?

    Thanks!

    I have not used the FreePBX cert manager yet, so I have no idea if it handles the renew or not.



  • @fuznutz04 said in FreePBX, SelfSigned Certs, & Let's Encrypt:

    Bingo. Just as I was reading your reply, I remembered that I had previously set up a .htaccess redirect to auto redirect 80 to 443 just to ensure that nobody tries to manage the box through port 80. I disabled that temporarily and it worked right away. The cert is only valid for 3 months. Do you know if this will auto renew via the cert manager in FreePBX, or is it a manual process?

    Thanks!

    You can automate it, but you need to do some work to make it happen. Looks like the new certbot-auto makes it way easier. In your case I'd do a small script to open port 80, do the renewal, and reapply the security settings. The renewal is REALLY easy now, this is the crontab entry I'm using for it.

    @weekly /path/certbot-auto renew -q


  • @travisdh1 said in FreePBX, SelfSigned Certs, & Let's Encrypt:

    @fuznutz04 said in FreePBX, SelfSigned Certs, & Let's Encrypt:

    Bingo. Just as I was reading your reply, I remembered that I had previously set up a .htaccess redirect to auto redirect 80 to 443 just to ensure that nobody tries to manage the box through port 80. I disabled that temporarily and it worked right away. The cert is only valid for 3 months. Do you know if this will auto renew via the cert manager in FreePBX, or is it a manual process?

    Thanks!

    You can automate it, but you need to do some work to make it happen. Looks like the new certbot-auto makes it way easier. In your case I'd do a small script to open port 80, do the renewal, and reapply the security settings. The renewal is REALLY easy now, this is the crontab entry I'm using for it.

    @weekly /path/certbot-auto renew -q
    

    Actually, now that he has a valid certificate, he should not need to open port 80.



  • @JaredBusch said in FreePBX, SelfSigned Certs, & Let's Encrypt:

    @travisdh1 said in FreePBX, SelfSigned Certs, & Let's Encrypt:

    @fuznutz04 said in FreePBX, SelfSigned Certs, & Let's Encrypt:

    Bingo. Just as I was reading your reply, I remembered that I had previously set up a .htaccess redirect to auto redirect 80 to 443 just to ensure that nobody tries to manage the box through port 80. I disabled that temporarily and it worked right away. The cert is only valid for 3 months. Do you know if this will auto renew via the cert manager in FreePBX, or is it a manual process?

    Thanks!

    You can automate it, but you need to do some work to make it happen. Looks like the new certbot-auto makes it way easier. In your case I'd do a small script to open port 80, do the renewal, and reapply the security settings. The renewal is REALLY easy now, this is the crontab entry I'm using for it.

    @weekly /path/certbot-auto renew -q
    

    Actually, now that he has a valid certificate, he should not need to open port 80.

    Nice, just drop that into cron and call it a day then.



  • @JaredBusch said in FreePBX, SelfSigned Certs, & Let's Encrypt:

    @travisdh1 said in FreePBX, SelfSigned Certs, & Let's Encrypt:

    @fuznutz04 said in FreePBX, SelfSigned Certs, & Let's Encrypt:

    Bingo. Just as I was reading your reply, I remembered that I had previously set up a .htaccess redirect to auto redirect 80 to 443 just to ensure that nobody tries to manage the box through port 80. I disabled that temporarily and it worked right away. The cert is only valid for 3 months. Do you know if this will auto renew via the cert manager in FreePBX, or is it a manual process?

    Thanks!

    You can automate it, but you need to do some work to make it happen. Looks like the new certbot-auto makes it way easier. In your case I'd do a small script to open port 80, do the renewal, and reapply the security settings. The renewal is REALLY easy now, this is the crontab entry I'm using for it.

    @weekly /path/certbot-auto renew -q
    

    Actually, now that he has a valid certificate, he should not need to open port 80.

    not even for renew? that will be nice.



  • @Dashrender said in FreePBX, SelfSigned Certs, & Let's Encrypt:

    @JaredBusch said in FreePBX, SelfSigned Certs, & Let's Encrypt:

    @travisdh1 said in FreePBX, SelfSigned Certs, & Let's Encrypt:

    @fuznutz04 said in FreePBX, SelfSigned Certs, & Let's Encrypt:

    Bingo. Just as I was reading your reply, I remembered that I had previously set up a .htaccess redirect to auto redirect 80 to 443 just to ensure that nobody tries to manage the box through port 80. I disabled that temporarily and it worked right away. The cert is only valid for 3 months. Do you know if this will auto renew via the cert manager in FreePBX, or is it a manual process?

    Thanks!

    You can automate it, but you need to do some work to make it happen. Looks like the new certbot-auto makes it way easier. In your case I'd do a small script to open port 80, do the renewal, and reapply the security settings. The renewal is REALLY easy now, this is the crontab entry I'm using for it.

    @weekly /path/certbot-auto renew -q
    

    Actually, now that he has a valid certificate, he should not need to open port 80.

    not even for renew? that will be nice.

    It should renew on HTTPS as long as the HTTPS is currently valid.



  • @travisdh1 said in FreePBX, SelfSigned Certs, & Let's Encrypt:

    @fuznutz04 said in FreePBX, SelfSigned Certs, & Let's Encrypt:

    Bingo. Just as I was reading your reply, I remembered that I had previously set up a .htaccess redirect to auto redirect 80 to 443 just to ensure that nobody tries to manage the box through port 80. I disabled that temporarily and it worked right away. The cert is only valid for 3 months. Do you know if this will auto renew via the cert manager in FreePBX, or is it a manual process?

    Thanks!

    You can automate it, but you need to do some work to make it happen. Looks like the new certbot-auto makes it way easier. In your case I'd do a small script to open port 80, do the renewal, and reapply the security settings. The renewal is REALLY easy now, this is the crontab entry I'm using for it.

    @weekly /path/certbot-auto renew -q
    

    Nice. I'll give that a shot. I also temporarily added the outbound1.letsencrypt.org, outbound2.letsencrypt.org, mirror1.freepbx.org, mirror2.freepbx.org domains to the trusted zone in the responsive firewall. Then removed them afterwards since these are needed to get the cert. I guess I could also just write some firewall rules instead. Is anyone else doing this?



  • @fuznutz04 said in FreePBX, SelfSigned Certs, & Let's Encrypt:

    @travisdh1 said in FreePBX, SelfSigned Certs, & Let's Encrypt:

    @fuznutz04 said in FreePBX, SelfSigned Certs, & Let's Encrypt:

    Bingo. Just as I was reading your reply, I remembered that I had previously set up a .htaccess redirect to auto redirect 80 to 443 just to ensure that nobody tries to manage the box through port 80. I disabled that temporarily and it worked right away. The cert is only valid for 3 months. Do you know if this will auto renew via the cert manager in FreePBX, or is it a manual process?

    Thanks!

    You can automate it, but you need to do some work to make it happen. Looks like the new certbot-auto makes it way easier. In your case I'd do a small script to open port 80, do the renewal, and reapply the security settings. The renewal is REALLY easy now, this is the crontab entry I'm using for it.

    @weekly /path/certbot-auto renew -q
    

    Nice. I'll give that a shot. I also temporarily added the outbound1.letsencrypt.org, outbound2.letsencrypt.org, mirror1.freepbx.org, mirror2.freepbx.org domains to the trusted zone in the responsive firewall. Then removed them afterwards since these are needed to get the cert. I guess I could also just write some firewall rules instead. Is anyone else doing this?

    Why do you want your PBX open to the public internet? Do your users actually use the UCP?



  • @JaredBusch said in FreePBX, SelfSigned Certs, & Let's Encrypt:

    Why do you want your PBX open to the public internet? Do your users actually use the UCP?

    They are using a VPS 🙂

    http://mangolassi.it/topic/8675/freepbx-on-vps



  • @JaredBusch said in FreePBX, SelfSigned Certs, & Let's Encrypt:

    @fuznutz04 said in FreePBX, SelfSigned Certs, & Let's Encrypt:

    @travisdh1 said in FreePBX, SelfSigned Certs, & Let's Encrypt:

    @fuznutz04 said in FreePBX, SelfSigned Certs, & Let's Encrypt:

    Bingo. Just as I was reading your reply, I remembered that I had previously set up a .htaccess redirect to auto redirect 80 to 443 just to ensure that nobody tries to manage the box through port 80. I disabled that temporarily and it worked right away. The cert is only valid for 3 months. Do you know if this will auto renew via the cert manager in FreePBX, or is it a manual process?

    Thanks!

    You can automate it, but you need to do some work to make it happen. Looks like the new certbot-auto makes it way easier. In your case I'd do a small script to open port 80, do the renewal, and reapply the security settings. The renewal is REALLY easy now, this is the crontab entry I'm using for it.

    @weekly /path/certbot-auto renew -q
    

    Nice. I'll give that a shot. I also temporarily added the outbound1.letsencrypt.org, outbound2.letsencrypt.org, mirror1.freepbx.org, mirror2.freepbx.org domains to the trusted zone in the responsive firewall. Then removed them afterwards since these are needed to get the cert. I guess I could also just write some firewall rules instead. Is anyone else doing this?

    Why do you want your PBX open to the public internet? Do your users actually use the UCP?

    No, they don't. We need to have it open as it is hosted elsewhere.



  • @fuznutz04 said in FreePBX, SelfSigned Certs, & Let's Encrypt:

    @JaredBusch said in FreePBX, SelfSigned Certs, & Let's Encrypt:

    @fuznutz04 said in FreePBX, SelfSigned Certs, & Let's Encrypt:

    @travisdh1 said in FreePBX, SelfSigned Certs, & Let's Encrypt:

    @fuznutz04 said in FreePBX, SelfSigned Certs, & Let's Encrypt:

    Bingo. Just as I was reading your reply, I remembered that I had previously set up a .htaccess redirect to auto redirect 80 to 443 just to ensure that nobody tries to manage the box through port 80. I disabled that temporarily and it worked right away. The cert is only valid for 3 months. Do you know if this will auto renew via the cert manager in FreePBX, or is it a manual process?

    Thanks!

    You can automate it, but you need to do some work to make it happen. Looks like the new certbot-auto makes it way easier. In your case I'd do a small script to open port 80, do the renewal, and reapply the security settings. The renewal is REALLY easy now, this is the crontab entry I'm using for it.

    @weekly /path/certbot-auto renew -q
    

    Nice. I'll give that a shot. I also temporarily added the outbound1.letsencrypt.org, outbound2.letsencrypt.org, mirror1.freepbx.org, mirror2.freepbx.org domains to the trusted zone in the responsive firewall. Then removed them afterwards since these are needed to get the cert. I guess I could also just write some firewall rules instead. Is anyone else doing this?

    Why do you want your PBX open to the public internet? Do your users actually use the UCP?

    No, they don't. We need to have it open as it is hosted elsewhere.

    Did not recall your prior topic as @aaronstuder pointed out for me. Perfectly valid reason.



  • Circling back on this. FreePBX now includes Let's Encrypt in the Certificate Manager module.



  • @JaredBusch said in FreePBX, SelfSigned Certs, & Let's Encrypt:

    Circling back on this. FreePBX now includes Let's Encrypt in the Certificate Manager module.

    Right, and it automatically attempts to renew the Let's Encrypt certs a few weeks before expiration. No need to write a job yourself!



  • @JaredBusch said in FreePBX, SelfSigned Certs, & Let's Encrypt:

    Circling back on this. FreePBX now includes Let's Encrypt in the Certificate Manager module.

    @fuznutz04 said in FreePBX, SelfSigned Certs, & Let's Encrypt:

    @JaredBusch said in FreePBX, SelfSigned Certs, & Let's Encrypt:

    Circling back on this. FreePBX now includes Let's Encrypt in the Certificate Manager module.

    Right, and it automatically attempts to renew the Let's Encrypt certs a few weeks before expiration. No need to write a job yourself!

    Way to Let's Encrypt and FreePBX!!



  • Yeah, that's a really awesome feature.