FOOD FOR THOUGHT Let's Encrypt free SSL for PiaF

big charlie

Active Member
Has anyone used Let's Encrypt for the GUI?

It's not really a big deal to have a signed cert, but it seems like it might be a nice touch that would be easily integrated. It's automated, open, and free. There are lots of people here who are fans of those three words.

https://letsencrypt.org/
 

hecatae

resident hecatae
@Charles Steiner, I'm sure the PIAF and IncrediblePBX development team recommend:

RULE #1: DON’T BUILD SERVERS EXPOSED TO THE INTERNET WITHOUT ROCK-SOLID SECURITY!


Apart from adding https to a server, how would this benefit a system which is never meant to have its GUI exposed on the public internet?
 

big charlie

Active Member
That's pretty much it. It just popped into my head while reading some posts that mentioned SSL. If you have multiple people using the GUI, it would make for better UX than saying to accept an unsigned cert.

And it also seems that people around here tend to tinker for the sake of tinkering, and Let's Encrypt is a pretty neat project, IMHO.

I do have my GUI exposed, meaning I use whitelisted VPNs to access it.
 

chris_c_

Active Member
> That's pretty much it. It just popped into my head while reading some posts that mentioned SSL. If you have multiple people using the GUI, it would make for better UX than saying to accept an unsigned cert.
>
> And it also seems that people around here tend to tinker for the sake of tinkering, and Let's Encrypt is a pretty neat project, IMHO.
>
> I do have my GUI exposed, meaning I use whitelisted VPNs to access it.

I've already suggested this to the FreePBX feature request and it's going to be included.

The benefit of LetsEncrypt for PIAF is huge! We get FREE, browser-RECOGNIZED, and SIP softphone recognized, TLS CERTS for use with SIPS (secure SIP signaling) and SRTP (secure RTP audio) protocols.

This means your users can open up Zoiper, CSipSimple, or whatever SIP softphone app on their Android or iOS device, in a coffee shop in a hacker-infested third world country, possibly with a hacker there logging all your packets as they pass through their wifi router for future financial fraud crimes to steal your money, and you'll be safe because your packets are encrypted with strong elliptic curve Diffie-Hellman TLS. Very nice.
 

smarks

Guru
There are scripts which take care of all of this. Don't think of LetsEncrypt like old school paid certificates. Think of it as more of a weekly or monthly cron job. My certificate renewal scripts get run on a monthly cron job.
 

hecatae

resident hecatae
Worth a read:

https://www.digitalocean.com/commun...cure-nginx-with-let-s-encrypt-on-ubuntu-14-04

The Standalone plugin provides a very simple way to obtain SSL certificates. It works by temporarily running a small web server, on port 80, on your server, to which the Let's Encrypt CA can connect and validate your server's identity before issuing a certificate. As such, this method requires that port 80 is not in use.

Plus:

Let’s Encrypt certificates are valid for 90 days, but it’s recommended that you renew the certificates every 60 days to allow a margin of error. At the time of this writing, automatic renewal is still not available as a feature of the client itself, but you can manually renew your certificates by running the Let’s Encrypt client again.

A practical way to ensure your certificates won’t get outdated is to create a cron job that will automatically handle the renewal process for you. In order to avoid the interactive, menu-driven process that we used earlier, we will use different parameters when calling the Let’s Encrypt client in the cron job.

We will use Webroot plugin, instead of the Standalone plugin used earlier, because it allows your server to validate your domain without stopping your web server. The Webroot plugin adds a hidden file to your web server's document root, which the Let's Encrypt CA can read to verify your domain.

There are a couple of important points there: one, you need to enable port 80 on the public internet to install, and two, every time you renew you have to allow the Let's Encrypt CA access to your server.

Has anyone got the details of where the Let's Encrypt service talks to when it tries to renew its certificate?

If we can find out where it talks to, then a rule could be added to the IncrediblePBX tables by yourself.
 

Porch

Guru
Anyone get Let's Encrypt SSL certs to work with Asterisk? Asterisk seems to want some strange combination of certs and I have not had any luck yet.
 

billsimon

Well-Known Member
> Anyone get Let's Encrypt SSL certs to work with Asterisk? Asterisk seems to want some strange combination of certs and I have not had any luck yet.

Yes, I am using it for wss (secure webrtc) and DTLS which are required for the webrtc phone in UCP to work securely in Chrome.

The format required for the wss part: have a PEM file for the private key and another PEM file that concatenates the host certificate (the one issued to you) with the intermediate, in that order. These are then specified in Advanced Settings - Mini-HTTP Server settings in the HTTPS Private Key Location and the Certificate Location fields, respectively.

For the DTLS part: one PEM file that starts with the private key, then the host certificate, then the intermediate. That certificate is specified in the Admin - Certificate Manager section.

(Do not include the root cert.)
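One way to build the two PEM layouts described above from a Let's Encrypt issuance, as an added example (not code from the thread, FreePBX or Asterisk). It assumes certbot's usual privkey.pem, cert.pem and chain.pem as inputs, keeps only the first certificate of the chain so the root is dropped, and lets you check block order before pointing Asterisk at a file; the PEM blocks embedded here are constructed placeholders, not real keys.

```python
"""Assemble Let's Encrypt PEM files into the layouts Asterisk/FreePBX wants.

wss:  private key in one file, host cert + intermediate in another.
DTLS: one file, private key, then host cert, then intermediate.
The root certificate is never included in either layout.
"""
import re

# One PEM block: BEGIN/END labels must match (e.g. "PRIVATE KEY", "CERTIFICATE").
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\r?\n.*?-----END (?P=label)-----",
    re.DOTALL,
)


def split_pem(text):
    """Return (label, block) for every PEM block in text, in file order."""
    return [(m.group("label"), m.group(0)) for m in PEM_BLOCK.finditer(text)]


def layout_labels(pem_text):
    """Block labels in order; use it to sanity-check a file before deploying it."""
    return [label for label, _ in split_pem(pem_text)]


def build_layouts(privkey_pem, cert_pem, chain_pem):
    """Return {'wss_key', 'wss_cert', 'dtls'} as PEM text, in the required order."""
    keys = [b for lbl, b in split_pem(privkey_pem) if lbl.endswith("PRIVATE KEY")]
    certs = [b for lbl, b in split_pem(cert_pem) if lbl == "CERTIFICATE"]
    chain = [b for lbl, b in split_pem(chain_pem) if lbl == "CERTIFICATE"]
    if len(keys) != 1 or len(certs) != 1 or not chain:
        raise ValueError("expected one private key, one host cert and a non-empty chain")
    # chain.pem starts with the issuing intermediate; anything after it (a root,
    # a cross-sign) is deliberately discarded, as the post says.
    intermediate = chain[0]
    return {
        "wss_key": keys[0] + "\n",
        "wss_cert": certs[0] + "\n" + intermediate + "\n",
        "dtls": keys[0] + "\n" + certs[0] + "\n" + intermediate + "\n",
    }


# Constructed placeholder blocks (not real key material) so this runs offline.
def _fake(label, body):
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----"


SAMPLE_KEY = _fake("PRIVATE KEY", "KEYKEYKEY")
SAMPLE_CERT = _fake("CERTIFICATE", "HOSTCERT")
SAMPLE_CHAIN = _fake("CERTIFICATE", "INTERMEDIATE") + "\n" + _fake("CERTIFICATE", "ROOT")
```

Run it against the real certbot files after each renewal (for example from a renewal hook) and write the three outputs to wherever your Asterisk HTTPS and DTLS settings point.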
 