SOLVED: Certbot / Let's Encrypt install problem

Hello:
Yesterday I followed this tutorial http://nerdvittles.com/?p=23520 - "VoIP Security: Installing SSL Certificates with Incredible PBX".
It seemed to work fine in that when I browsed to my Cloud At Cost CentOS 6.9 Incredible PBX/FAX 13-13.3 it showed as secure HTTPS.

Today, it does not. Today, it shows as "NOT SECURE" https://64.nnn.nnn.nnn/admin/config.php# with a line through the https://.

I ran the certbot-auto script but still get "NOT SECURE".

Does anyone have any suggestions as to how to correct this problem?

Thanks,
Rob.
 

billsimon (Well-Known Member)
You have to connect by host name, not IP address. HTTPS to an IP address will never validate.
 

Jose Pinto (Member)
Hi
As I'm a newbie in this matter I would like to ask a question. I also have a Cloudatcost server and in it I have Enchilada installed. Cloudatcost has rDNS and I made an rDNS entry for my server; the thing is I'm not able to get into the server using the rDNS. Is this supposed to happen or not?
TIA
 

billsimon (Well-Known Member)
Hi
As I'm a newbie in this matter I would like to ask a question. I also have a Cloudatcost server and in it I have Enchilada installed. Cloudatcost has rDNS and I made an rDNS entry for my server; the thing is I'm not able to get into the server using the rDNS. Is this supposed to happen or not?
TIA

"Reverse DNS" allows you to look up the name by IP. You need (forward) DNS to look up the IP by name. Use your registrar's DNS service for simplicity.
 

Jose Pinto (Member)
Hi @billsimon
First of all, thank you very much for your time, attention and help.
I already did what you said and my FQDN is working and I get the SSL certificate; the only problem that I have now is generating the Encrypted Certificate in Incredible. I'm getting an error when I try to generate it.

This is the error:
There was an error updating the certificate: Error 'Requested 'http://xxxxxx.dlinkddns.com//.freepbx-known/7ee0d145f6bf4f7e401cd9e813a3d43f' - couldn't connect to host' when requesting http://xxxxx.dlinkddns.com//.freepbx-known/7ee0d145f6bf4f7e401cd9e813a3d43f
 

Jose Pinto (Member)
I had problems installing the Let's Encrypt certificate. I was using CentOS 6.9 - Incredible PBX 13-13 with Enchilada.
My problems started during the installation (some changes happened) using the post http://nerdvittles.com/?p=23520.
First I got a message that the certificate was not compatible with Python 2.6.
"CentOS 6.x runs python 2.6.6 but letsencrypt client requires python 2.7 https://github.com/letsencrypt/letsencrypt/issues/1106"
I had problems with the EPEL and I do not know why. I will post here some of what I saw.

I do not know what did this, but my EPEL is disabled and I see this when I run yum list python34: I get an error: No matching Packages to list.
Second is this: root@hddlab ~]# ./certbot-auto --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated) (Enter ‘c’ to cancel): hddlab.com.br
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for hddlab.com.br
Cleaning up challenges
Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.

I started asking for help at community.letsencrypt.org (02/05/2018), and what I can say is that to avoid problems it is better to work with CentOS 7.
Anyway, if someone here has something that can help it will be very nice.
 

Jose Pinto (Member)
Hi
I have a lot of information about the Let's Encrypt and Certbot certificate, but it seems that no one here has interest.
 

dicko (Still learning but earning)
From your post

. . .Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. . .

So either your firewall is blocking http connections on port 80 or your http server is not running/not listening on port 80.
 

Jose Pinto (Member)
Hi @dicko, thank you very much for your attention and answer.
As I say in my post, I have a lot of information about what has happened since I started with Wardy's post to get the Let's Encrypt certificate. I had a lot of problems and I do not know why.
From the beginning: I have a cloud server with CentOS 6.9 / Incredible 13-13 with Enchilada, tested and working like a charm (thanks @wardmundy), but I had a lot of problems getting the certificate, because they made a lot of changes at Let's Encrypt and Certbot; many things that worked when the post was written do not work now. Anyway, I was able to solve all the issues with help from @bmw and @schoen, both engineers from Certbot/EFF, and I already have the certificate, as can be seen here: https://crt.sh/?id=325545522. At the same time I don't have it, because it does not work with Incredible (in my case, of course). It all started when I tried (after getting the certificate using SSH) to get into https://hddlab.com.br, and I was only able to get in after I added the exception in Firefox, but I'm not able to get it using Certman, even though I got the new version of it.
I'm trying to get help (now) at the FreePBX Community, and I also got my first answer there from @tm1000 (you know who he is). Let's see if they can help.
 

dicko (Still learning but earning)
nmap -vv 45.62.247.118

Starting Nmap 7.01 ( https://nmap.org ) at 2018-02-09 11:00 PST
Initiating Ping Scan at 11:00
Scanning 45.62.247.118 [4 ports]
Completed Ping Scan at 11:00, 0.24s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 11:00
Completed Parallel DNS resolution of 1 host. at 11:00, 0.10s elapsed
Initiating SYN Stealth Scan at 11:00
Scanning hddlab (45.62.247.118) [1000 ports]
Completed SYN Stealth Scan at 11:00, 13.02s elapsed (1000 total ports)
Nmap scan report for hddlab (45.62.247.118)
Host is up, received reset ttl 48 (0.079s latency).
Scanned at 2018-02-09 11:00:09 PST for 13s
Not shown: 995 filtered ports
Reason: 995 no-responses
PORT STATE SERVICE REASON
113/tcp closed ident reset ttl 48
1723/tcp closed pptp reset ttl 48
2000/tcp closed cisco-sccp reset ttl 48
4445/tcp closed upnotifyp reset ttl 48
8000/tcp closed http-alt reset ttl 48

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 13.52 seconds
Raw packets sent: 3003 (132.076KB) | Rcvd: 14 (560B)

So you don't need an exception for Firefox as you suggest; you need an exception on your firewall for whatever IP you are connecting from and port 443 (when the cert is successfully installed). If you do the command line version of certbot-auto --help you will see all your options. If you are successful with the apache connection (it will normally auto-detect your webserver (apache or nginx) if running), it will offer to patch your httpd/apache2 configs to redirect http(80) to https(443) if needed; if successful you will see a secure connection (green) and no request to allow. Again, from your post in the "other" forum, you will need apache/httpd accepting connections on 80 (not 8000) to do the auto thing; then you won't need your virtual server (which certbot can do with the certonly --standalone argument) and it really will be auto. When you renew ("certbot-auto renew") bear that requirement in mind.
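The nmap report above lists 80 and 443 nowhere in its table, which means they fell into the 995 "filtered" (no-response) ports, and that is what the firewall diagnosis rests on. As an added example, not code from this thread, the Python below parses an nmap text report (an abridged copy of the posted one is embedded as sample input) and classifies the ports certbot's http-01 challenge (80) and the HTTPS GUI (443) need as open, closed or filtered:

```python
import re

# Abridged copy of the nmap -vv report posted above, used as sample input.
# Ports 80 and 443 are not listed: nmap folded them into "Not shown".
SAMPLE_REPORT = """\
Nmap scan report for hddlab (45.62.247.118)
Not shown: 995 filtered ports
PORT STATE SERVICE REASON
113/tcp closed ident reset ttl 48
8000/tcp closed http-alt reset ttl 48
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
# Single-category form only; a mixed "Not shown" line leaves the default unknown.
NOT_SHOWN = re.compile(r"^Not shown: \d+ (\w+) ports?$")

# What each nmap state means for a server that must answer certbot on 80
# and serve the GUI on 443.
DIAGNOSIS = {
    "open": "listening and reachable",
    "closed": "reachable (RST received) but nothing is listening",
    "filtered": "no response: a firewall is dropping the probe",
}

def parse_report(text):
    """Return ({tcp_port: state}, default_state), where default_state is the
    state nmap collapsed into the 'Not shown' line (None if not present)."""
    states, default = {}, None
    for line in text.splitlines():
        m = NOT_SHOWN.match(line)
        if m:
            default = m.group(1)
            continue
        m = PORT_LINE.match(line)
        if m and m.group(2) == "tcp":
            states[int(m.group(1))] = m.group(3)
    return states, default

def diagnose(text, ports=(80, 443)):
    """Map each port of interest to (state, explanation). Ports missing from
    the table take the 'Not shown' state, since nmap lists only exceptions."""
    states, default = parse_report(text)
    out = {}
    for port in ports:
        state = states.get(port, default or "unknown")
        out[port] = (state, DIAGNOSIS.get(state, "state not recognised"))
    return out
```

Run `diagnose(SAMPLE_REPORT, (80, 443, 8000))` to see 80 and 443 reported as filtered and 8000 as closed, matching the reading given above.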
 

Jose Pinto (Member)
@dicko Thank you very much for your time and help.
I would like to tell you that the Certbot community has a lot of persons with the same problem as me, and as I said before, @bmw and also @schoen, both from the Certbot community, asked me to see if I could find the problem.
I will do what you say - thanks again - now, and I will write here what happens.
 

dicko (Still learning but earning)
If you are in charge of your dns server

https://certbot.eff.org/faq/#what-i...encrypt-servers-use-to-validate-my-web-server

will help you use a port other than 80

If you use certbot-auto certonly --standalone, you will need to patch your /etc/apache2 (httpd) files so they know where to find your certificates after install; then your FreePBX site will be certified (truly the hard way, but that was your choice ;-) ). You only need to do that once.

If necessary you might need to edit your cronjob to "turn firewall off;certbot whatever;turn firewall on"
 

Jose Pinto (Member)
@dicko Thanks again
I just tried (I need to learn, since I'm a newbie in this matter) the option # ./certbot-auto --test-cert and I get this:

1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Failed redirect for hddlab.com.br
Unable to set enhancement redirect for hddlab.com.br
Unable to find corresponding HTTP vhost; Unable to create one as intended addresses conflict; Current configuration does not support automated redirection

IMPORTANT NOTES:
- We were unable to set up enhancement redirect for your server,
however, we successfully installed your certificate.
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/hddlab.com.br/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/hddlab.com.br/privkey.pem
Your cert will expire on 2018-05-09. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again with the "certonly" option. To non-interactively renew *all*
of your certificates, run "certbot-auto renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
 

dicko (Still learning but earning)
Yep, that's all your choice of firewalling and http redirection, but never fear, your certs are as it says in

/etc/letsencrypt/live/hddlab.com.br/

you need to add that to your webserver's ssl config file (the one that you have set up to handle VirtualHost *:443); the lines should look much like

SSLCertificateFile /etc/letsencrypt/live/hddlab.com.br/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/hddlab.com.br/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/hddlab.com.br/chain.pem

but I suspect you are using centos not debian as I do, so you will have to "help yourself" from here
 

dicko (Still learning but earning)
Be careful with what "the other forum" suggested; any other service like hylafax/avantfax/fop2 might object to you doing that in the FreePBX GUI. The certs all belong in your webroot definition, not anything above :) (if you use fop2 then you need to also manually add the cert locations to its server config)
 

Jose Pinto (Member)
Hi @dicko
Thanks again
And yes, I'm using CentOS 6.9, and after all the changes that Certbot made last January, many things that worked when wardmundy wrote the post do not work today.
I will not follow the other forum, as they have FreePBX in mind and I'm using Incredible PBX 13-13.
Thanks again
 

dicko (Still learning but earning)
I'm not sure where Ward said to redirect your server to listen on 8000, please show me. . . Until you set up an https virtual server on 443, and allow when necessary http on 80 for certbot/letsencrypt or otherwise arrange for your DNS server to provide an alternate port, you will continue to flap in the wind.

FreePBX and Incredible PBX 13-1 are essentially the same code; Incredible just ensures that you only use the open source parts of it and effectively disables some so-called "security issues" that are essentially just a bait and switch for you to not ever try to modify anything in that open source code (huh!!!)

I see you can't let this "other forum" thing go. Please, please, please save yourself pain and suffering: don't add your certs to freepbx, do it at the root of your webserver, or be subservient forever to something that wants to control you and your other services.
 

wardmundy (Nerd Uno)
If you're using Incredible PBX, certs are a big waste of time. The only person(s) that can gain access to HTTP and HTTPS on your server are people whose IP addresses have been whitelisted in the firewall. Never open your web server to public access if you're relying upon the FreePBX GPL codebase for web access. It has a terrible history of vulnerabilities and certs/HTTPS won't protect you at all.
 

Jose Pinto (Member)
@dicko I will not open my server to certs or anything else; if I am not able to fix what is happening, believe me, I will buy a certificate, or I will try, as people at Certbot say, to change CentOS from 6.9 to 7.
About your question, I really do not know why the server changed any address, as the only thing that I did was follow the post that @wardmundy wrote, and the only different things that I did were trying to reinstall the EPEL and adding the virtual port 80, and nothing else. The 8000 address that you see, I really did not know what could happen..

@wardmundy Thank you very much for your attention, time and answer.
As I already wrote here in the forum, I'm here to learn; I really need it. The objective of the SSL / HTTPS certificate was not for other persons, since I'm just testing possibilities.
I have an 800 webrtc service that I will need to use with a PBX - just to test - and this service will require that the PBX has SSL. Another thing that I would like to do is the Facebook SMS project that you wrote about, and this also requires SSL / HTTPS. So this is why I started with the cert. As I said to @dicko, if I need to work with this for business / production I will buy a certificate. But today it is just for me, since I'm learning and trying to see the possibilities, nothing professional.
 
