    FreePBX, SelfSigned Certs, & Let's Encrypt

    • JaredBusch @AdamF

      @fuznutz04 Let's Encrypt has to talk back to your PBX. Is port 80/443 routed publicly to your PBX (even temporarily)?

      • AdamF

        Bingo. Just as I was reading your reply, I remembered that I had previously set up a .htaccess redirect to auto redirect 80 to 443 just to ensure that nobody tries to manage the box through port 80. I disabled that temporarily and it worked right away. The cert is only valid for 3 months. Do you know if this will auto renew via the cert manager in FreePBX, or is it a manual process?

        Thanks!

        • JaredBusch @AdamF

          @fuznutz04 said in FreePBX, SelfSigned Certs, & Let's Encrypt:

          Bingo. Just as I was reading your reply, I remembered that I had previously set up a .htaccess redirect to auto redirect 80 to 443 just to ensure that nobody tries to manage the box through port 80. I disabled that temporarily and it worked right away. The cert is only valid for 3 months. Do you know if this will auto renew via the cert manager in FreePBX, or is it a manual process?

          Thanks!

          I have not used the FreePBX cert manager yet, so I have no idea if it handles the renew or not.

          • travisdh1 @AdamF

            @fuznutz04 said in FreePBX, SelfSigned Certs, & Let's Encrypt:

            Bingo. Just as I was reading your reply, I remembered that I had previously set up a .htaccess redirect to auto redirect 80 to 443 just to ensure that nobody tries to manage the box through port 80. I disabled that temporarily and it worked right away. The cert is only valid for 3 months. Do you know if this will auto renew via the cert manager in FreePBX, or is it a manual process?

            Thanks!

            You can automate it, but you need to do some work to make it happen. Looks like the new certbot-auto makes it way easier. In your case I'd do a small script to open port 80, do the renewal, and reapply the security settings. The renewal is REALLY easy now, this is the crontab entry I'm using for it.

            @weekly /path/certbot-auto renew -q
            
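The "small script to open port 80, do the renewal, and reapply the security settings" suggested in the post above, as an added example that is not code from any poster in this thread or from FreePBX. It assumes the host firewall is plain iptables and reuses the post's placeholder certbot path; `FW`, `RULE`, `OPENED` and the function names are illustrative. The port is closed again even when the renewal fails, and a rule that already allowed port 80 is left alone.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: plain iptables on the PBX,
# CERTBOT is the placeholder path from the post, FW/CERTBOT are overridable.
FW="${FW:-iptables}"
CERTBOT="${CERTBOT:-/path/certbot-auto}"
RULE="INPUT -p tcp --dport 80 -j ACCEPT"
OPENED=0    # 1 only while a rule added by this script is in place

open_port80() {
    # Leave the firewall untouched if port 80 is already allowed by policy.
    # $RULE is intentionally unquoted so it splits into separate arguments.
    if "$FW" -C $RULE 2>/dev/null; then
        return 0
    fi
    "$FW" -I $RULE && OPENED=1
}

close_port80() {
    # Remove only the rule this script inserted.
    [ "$OPENED" = "1" ] || return 0
    "$FW" -D $RULE && OPENED=0
}

renew_with_port80() {
    # Close the port again if cron or an operator kills the job mid-renewal.
    trap 'close_port80; exit 1' INT TERM HUP
    rc=0
    if open_port80; then
        "$CERTBOT" renew -q || rc=$?
    else
        rc=1
    fi
    close_port80 || rc=1
    trap - INT TERM HUP
    return "$rc"
}

# Run only when asked, e.g. from cron (script path is a placeholder):
#   @weekly /path/le-renew.sh --run
if [ "${1:-}" = "--run" ]; then
    renew_with_port80
    exit $?
fi
```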
            • JaredBusch @travisdh1

              @travisdh1 said in FreePBX, SelfSigned Certs, & Let's Encrypt:

              @fuznutz04 said in FreePBX, SelfSigned Certs, & Let's Encrypt:

              Bingo. Just as I was reading your reply, I remembered that I had previously set up a .htaccess redirect to auto redirect 80 to 443 just to ensure that nobody tries to manage the box through port 80. I disabled that temporarily and it worked right away. The cert is only valid for 3 months. Do you know if this will auto renew via the cert manager in FreePBX, or is it a manual process?

              Thanks!

              You can automate it, but you need to do some work to make it happen. Looks like the new certbot-auto makes it way easier. In your case I'd do a small script to open port 80, do the renewal, and reapply the security settings. The renewal is REALLY easy now, this is the crontab entry I'm using for it.

              @weekly /path/certbot-auto renew -q
              

              Actually, now that he has a valid certificate, he should not need to open port 80.

              • travisdh1 @JaredBusch

                @JaredBusch said in FreePBX, SelfSigned Certs, & Let's Encrypt:

                @travisdh1 said in FreePBX, SelfSigned Certs, & Let's Encrypt:

                @fuznutz04 said in FreePBX, SelfSigned Certs, & Let's Encrypt:

                Bingo. Just as I was reading your reply, I remembered that I had previously set up a .htaccess redirect to auto redirect 80 to 443 just to ensure that nobody tries to manage the box through port 80. I disabled that temporarily and it worked right away. The cert is only valid for 3 months. Do you know if this will auto renew via the cert manager in FreePBX, or is it a manual process?

                Thanks!

                You can automate it, but you need to do some work to make it happen. Looks like the new certbot-auto makes it way easier. In your case I'd do a small script to open port 80, do the renewal, and reapply the security settings. The renewal is REALLY easy now, this is the crontab entry I'm using for it.

                @weekly /path/certbot-auto renew -q
                

                Actually, now that he has a valid certificate, he should not need to open port 80.

                Nice, just drop that into cron and call it a day then.

                • Dashrender @JaredBusch

                  @JaredBusch said in FreePBX, SelfSigned Certs, & Let's Encrypt:

                  @travisdh1 said in FreePBX, SelfSigned Certs, & Let's Encrypt:

                  @fuznutz04 said in FreePBX, SelfSigned Certs, & Let's Encrypt:

                  Bingo. Just as I was reading your reply, I remembered that I had previously set up a .htaccess redirect to auto redirect 80 to 443 just to ensure that nobody tries to manage the box through port 80. I disabled that temporarily and it worked right away. The cert is only valid for 3 months. Do you know if this will auto renew via the cert manager in FreePBX, or is it a manual process?

                  Thanks!

                  You can automate it, but you need to do some work to make it happen. Looks like the new certbot-auto makes it way easier. In your case I'd do a small script to open port 80, do the renewal, and reapply the security settings. The renewal is REALLY easy now, this is the crontab entry I'm using for it.

                  @weekly /path/certbot-auto renew -q
                  

                  Actually, now that he has a valid certificate, he should not need to open port 80.

                  Not even for renew? That will be nice.

                  • JaredBusch @Dashrender

                    @Dashrender said in FreePBX, SelfSigned Certs, & Let's Encrypt:

                    @JaredBusch said in FreePBX, SelfSigned Certs, & Let's Encrypt:

                    @travisdh1 said in FreePBX, SelfSigned Certs, & Let's Encrypt:

                    @fuznutz04 said in FreePBX, SelfSigned Certs, & Let's Encrypt:

                    Bingo. Just as I was reading your reply, I remembered that I had previously set up a .htaccess redirect to auto redirect 80 to 443 just to ensure that nobody tries to manage the box through port 80. I disabled that temporarily and it worked right away. The cert is only valid for 3 months. Do you know if this will auto renew via the cert manager in FreePBX, or is it a manual process?

                    Thanks!

                    You can automate it, but you need to do some work to make it happen. Looks like the new certbot-auto makes it way easier. In your case I'd do a small script to open port 80, do the renewal, and reapply the security settings. The renewal is REALLY easy now, this is the crontab entry I'm using for it.

                    @weekly /path/certbot-auto renew -q
                    

                    Actually, now that he has a valid certificate, he should not need to open port 80.

                    Not even for renew? That will be nice.

                    It should renew on HTTPS as long as the HTTPS is currently valid.

                    • AdamF @travisdh1

                      @travisdh1 said in FreePBX, SelfSigned Certs, & Let's Encrypt:

                      @fuznutz04 said in FreePBX, SelfSigned Certs, & Let's Encrypt:

                      Bingo. Just as I was reading your reply, I remembered that I had previously set up a .htaccess redirect to auto redirect 80 to 443 just to ensure that nobody tries to manage the box through port 80. I disabled that temporarily and it worked right away. The cert is only valid for 3 months. Do you know if this will auto renew via the cert manager in FreePBX, or is it a manual process?

                      Thanks!

                      You can automate it, but you need to do some work to make it happen. Looks like the new certbot-auto makes it way easier. In your case I'd do a small script to open port 80, do the renewal, and reapply the security settings. The renewal is REALLY easy now, this is the crontab entry I'm using for it.

                      @weekly /path/certbot-auto renew -q
                      

                      Nice. I'll give that a shot. I also temporarily added the outbound1.letsencrypt.org, outbound2.letsencrypt.org, mirror1.freepbx.org, mirror2.freepbx.org domains to the trusted zone in the responsive firewall. Then removed them afterwards since these are needed to get the cert. I guess I could also just write some firewall rules instead. Is anyone else doing this?

                      • JaredBusch @AdamF

                        @fuznutz04 said in FreePBX, SelfSigned Certs, & Let's Encrypt:

                        @travisdh1 said in FreePBX, SelfSigned Certs, & Let's Encrypt:

                        @fuznutz04 said in FreePBX, SelfSigned Certs, & Let's Encrypt:

                        Bingo. Just as I was reading your reply, I remembered that I had previously set up a .htaccess redirect to auto redirect 80 to 443 just to ensure that nobody tries to manage the box through port 80. I disabled that temporarily and it worked right away. The cert is only valid for 3 months. Do you know if this will auto renew via the cert manager in FreePBX, or is it a manual process?

                        Thanks!

                        You can automate it, but you need to do some work to make it happen. Looks like the new certbot-auto makes it way easier. In your case I'd do a small script to open port 80, do the renewal, and reapply the security settings. The renewal is REALLY easy now, this is the crontab entry I'm using for it.

                        @weekly /path/certbot-auto renew -q
                        

                        Nice. I'll give that a shot. I also temporarily added the outbound1.letsencrypt.org, outbound2.letsencrypt.org, mirror1.freepbx.org, mirror2.freepbx.org domains to the trusted zone in the responsive firewall. Then removed them afterwards since these are needed to get the cert. I guess I could also just write some firewall rules instead. Is anyone else doing this?

                        Why do you want your PBX open to the public internet? Do your users actually use the UCP?

                        • Alex Sage @JaredBusch

                          @JaredBusch said in FreePBX, SelfSigned Certs, & Let's Encrypt:

                          Why do you want your PBX open to the public internet? Do your users actually use the UCP?

                          They are using a VPS 🙂

                          http://mangolassi.it/topic/8675/freepbx-on-vps

                          • AdamF @JaredBusch

                            @JaredBusch said in FreePBX, SelfSigned Certs, & Let's Encrypt:

                            @fuznutz04 said in FreePBX, SelfSigned Certs, & Let's Encrypt:

                            @travisdh1 said in FreePBX, SelfSigned Certs, & Let's Encrypt:

                            @fuznutz04 said in FreePBX, SelfSigned Certs, & Let's Encrypt:

                            Bingo. Just as I was reading your reply, I remembered that I had previously set up a .htaccess redirect to auto redirect 80 to 443 just to ensure that nobody tries to manage the box through port 80. I disabled that temporarily and it worked right away. The cert is only valid for 3 months. Do you know if this will auto renew via the cert manager in FreePBX, or is it a manual process?

                            Thanks!

                            You can automate it, but you need to do some work to make it happen. Looks like the new certbot-auto makes it way easier. In your case I'd do a small script to open port 80, do the renewal, and reapply the security settings. The renewal is REALLY easy now, this is the crontab entry I'm using for it.

                            @weekly /path/certbot-auto renew -q
                            

                            Nice. I'll give that a shot. I also temporarily added the outbound1.letsencrypt.org, outbound2.letsencrypt.org, mirror1.freepbx.org, mirror2.freepbx.org domains to the trusted zone in the responsive firewall. Then removed them afterwards since these are needed to get the cert. I guess I could also just write some firewall rules instead. Is anyone else doing this?

                            Why do you want your PBX open to the public internet? Do your users actually use the UCP?

                            No, they don't. We need to have it open as it is hosted elsewhere.

                            • JaredBusch @AdamF

                              @fuznutz04 said in FreePBX, SelfSigned Certs, & Let's Encrypt:

                              @JaredBusch said in FreePBX, SelfSigned Certs, & Let's Encrypt:

                              @fuznutz04 said in FreePBX, SelfSigned Certs, & Let's Encrypt:

                              @travisdh1 said in FreePBX, SelfSigned Certs, & Let's Encrypt:

                              @fuznutz04 said in FreePBX, SelfSigned Certs, & Let's Encrypt:

                              Bingo. Just as I was reading your reply, I remembered that I had previously set up a .htaccess redirect to auto redirect 80 to 443 just to ensure that nobody tries to manage the box through port 80. I disabled that temporarily and it worked right away. The cert is only valid for 3 months. Do you know if this will auto renew via the cert manager in FreePBX, or is it a manual process?

                              Thanks!

                              You can automate it, but you need to do some work to make it happen. Looks like the new certbot-auto makes it way easier. In your case I'd do a small script to open port 80, do the renewal, and reapply the security settings. The renewal is REALLY easy now, this is the crontab entry I'm using for it.

                              @weekly /path/certbot-auto renew -q
                              

                              Nice. I'll give that a shot. I also temporarily added the outbound1.letsencrypt.org, outbound2.letsencrypt.org, mirror1.freepbx.org, mirror2.freepbx.org domains to the trusted zone in the responsive firewall. Then removed them afterwards since these are needed to get the cert. I guess I could also just write some firewall rules instead. Is anyone else doing this?

                              Why do you want your PBX open to the public internet? Do your users actually use the UCP?

                              No, they don't. We need to have it open as it is hosted elsewhere.

                              Did not recall your prior topic as @aaronstuder pointed out for me. Perfectly valid reason.

                              • JaredBusch

                                Circling back on this. FreePBX now includes Let's Encrypt in the Certificate Manager module.

                                • AdamF @JaredBusch

                                  @JaredBusch said in FreePBX, SelfSigned Certs, & Let's Encrypt:

                                  Circling back on this. FreePBX now includes Let's Encrypt in the Certificate Manager module.

                                  Right, and automatically attempts to renew the Let's Encrypt certs a few weeks before expiration. No need to write a job yourself!

                                  • Dashrender @JaredBusch

                                    @JaredBusch said in FreePBX, SelfSigned Certs, & Let's Encrypt:

                                    Circling back on this. FreePBX now includes Let's Encrypt in the Certificate Manager module.

                                    @fuznutz04 said in FreePBX, SelfSigned Certs, & Let's Encrypt:

                                    @JaredBusch said in FreePBX, SelfSigned Certs, & Let's Encrypt:

                                    Circling back on this. FreePBX now includes Let's Encrypt in the Certificate Manager module.

                                    Right, and automatically attempts to renew the Let's Encrypt certs a few weeks before expiration. No need to write a job yourself!

                                    Way to Let's Encrypt and FreePBX!!

                                    • scottalanmiller

                                      Yeah, that's a really awesome feature.
