SOLVED Certbot / Let's Encrypt install problem

dicko

Still learning but earning
Joined
Oct 30, 2015
Messages
1,634
Reaction score
846
"... The only person(s) that can gain access to HTTP and HTTPS on your server are people whose IP addresses have been whitelisted in the firewall. ..."

Even if you can ensure that everyone, everywhere is whitelisted, VPNs are a pain, port knocking is a pain, roaming cell connections are a pain, and even when covered they still get, quite reasonably, pissed off with all those "!!!!! no certificates, no security here !!!" warnings, at least mine do. It is NOT hard to certbot and it can only help your security, as there is a lot of shit going over the webservice that is better encrypted on any network. In my world complacency will sooner or later cost you something in either dollars, time or reputation.

JM2CWAE
 

dicko

Still learning but earning
Joined
Oct 30, 2015
Messages
1,634
Reaction score
846
@dicko I will not open my server to certs or any other; if I will not be able to fix what is happening, believe me I will buy a certificate, or I will try, as people at CertBot say, to change the CentOS from 6.9 to 7.
About your question, I really do not know why the server changed any address, as the only thing that I did was follow the post that @wardmundy wrote, and the only different thing that I did was try to reinstall the Epel, and the other thing that I did was add the virtual port 80, and nothing else. The 8000 address that you see, I really did not know what could happen..

@wardmundy Thank you very much for your attention time and answer.
As I already wrote here in the Forum, I'm here to learn, I really need it. The objective of the SSL / HTTPS certificate was not for other persons, since I'm just testing possibilities.
I have a 800 webrtc service that I will need to use with a PBX - just to test - and this service will require that the PBX has SSL. Another thing that I would like to do is the Facebook SMS Project that you wrote, and this also requires SSL / HTTPS. So this is why I started with Cert. As I said to @dicko, if I will need to work with this for business / production I will buy a certificate. But today it is just for me, since I'm learning and trying to see the possibilities, nothing professional.


Even if you buy a certificate, you still need to set up an https server with certificates, that bit doesn't change. Your choice and your Reals, sorry that I couldn't help.
 

Jose Pinto

Member
Joined
Oct 26, 2017
Messages
148
Reaction score
20
@dicko thank you very much. You already helped me, also @wardmundy. There are things that we can do and others that we can't.
Ok, I just need one piece of advice, as I would like to try WebRTC, and with Incredible it is dangerous because to work I will need to open it, and this I will not do. What can I do? Also, if I think of doing the Facebook project, it also will need SSL, what is my better choice for this? Wazo? Issabel?
Thanks guys
 

dicko

Still learning but earning
Joined
Oct 30, 2015
Messages
1,634
Reaction score
846
Heads up, webrtc can ONLY work with a valid ssl certificate using almost any browser, it's a security thing. It really doesn't matter which voip server (wazo, isabel, freepbx) you use, they have nothing to do with the webrtc connection, that is just your webserver and its ability to accept ssl connections and effectively reply with an acceptable authority/certificate, then you will need a webrtc-asterisk connector.
 

Jose Pinto

Member
Joined
Oct 26, 2017
Messages
148
Reaction score
20
To @dicko: let me describe my 0800 project here and you will see that I do not need to open my server to the public, and maybe I will also be able to help others.
My 0800 service is based on the Doubango Project, so I just rent a website with SSL and on it I wrote the 0800 service. After this I have a link that I can put in a webpage, with an icon to call this link. The 0800 service has a VoIP account like Ekiga or Sip2Sip and this is what will receive the call. So the person gets into my website and presses the icon, this will do a call that I will see in my softphone and we can talk.
Now what I would like to do when I think of the PBX is: the Ekiga or Sip2Sip account I would like to put in my PBX and link it to an extension; by doing that I can have all the features that an extension can give me, so nobody will have access to the server, only me, because I will receive the call. This is my project.

About the Facebook Project is same, I would like to do it to me and only me will have the access.
Anyway thank you very much for your time and help.

PS: @wardmundy In all my projects I do not have to open the server to the public, I think that this kind of need is for people that do the project and then rent it.
 

dicko

Still learning but earning
Joined
Oct 30, 2015
Messages
1,634
Reaction score
846
There is click2call directly available already in the doubango project, why complicate things unnecessarily? Just set the "sip address" in the .conf file to your asterisk server and set up a trunk for it; if you want to use webrtc then

https://wiki.asterisk.org/wiki/display/AST/WebRTC+tutorial+using+SIPML5

You will not be able to use a self-certified certificate in most modern browsers though (back to Reals or certbot there :) )

freepbx has also

https://wiki.freepbx.org/display/FPG/WebRTC+Phone-UCP

You can use the Doubango software to proxy the calls into UDP.

After you get all that working, send all inbound calls from that trunk to your cellphone. Add zoiper to your phone, you won't need any other trunks, both very secure and very cost effective. Maybe you can also get rid of freepbx completely, or at least not start it if you are really security conscious (then don't use 5060 either).

Even more minimalist, just add siproxd to your cloud server and add that connection to your zoiper directly.
 

Jose Pinto

Member
Joined
Oct 26, 2017
Messages
148
Reaction score
20
@dicko
I made a mistake, I was thinking that to receive calls from the Doubango Click2call in my PBX I needed SSL, because webrtc only works with ssl. But this is not necessary, I can receive the call on an extension of my Incredible PBX using a sip2sip trunk. If you would like to see, I will leave my 0800 web page here; sometimes I will be able to talk, other times you will only get a message.
But if we want to use the WebRTC facility to call the PBX, it will need SSL/HTTPS, and this I will not need to do, nor open the PBX to the public.
Anyway thank you very much for all the information that you gave me, I really need it, since I'm in a learning process.

Just access this webpage and the page will call me, there is no need to press the green rectangle.
https://misterwww.000webhostapp.com/indexc2c.html#
 

Jose Pinto

Member
Joined
Oct 26, 2017
Messages
148
Reaction score
20
If you're using Incredible PBX, certs are a big waste of time. The only person(s) that can gain access to HTTP and HTTPS on your server are people whose IP addresses have been whitelisted in the firewall. Never open your web server to public access if you're relying upon the FreePBX GPL codebase for web access. It has a terrible history of vulnerabilities and certs/HTTPS won't protect you at all.
Ok, I understand.
Anyway you wrote 2 projects (thank you very much for all your work) and they need SSL/HTTPS, so what can I do to use the projects that need SSL/HTTPS?
1- I would like to use WebRTC in a Call Center

2- I would like to do the Facebook Project

What can I do for both projects? Imagine that I will use them myself, so there is no need to open to the public, as only I will need to be in the iptables.
 

dicko

Still learning but earning
Joined
Oct 30, 2015
Messages
1,634
Reaction score
846
There are many services that require secure certificates, and there will be more and more as time goes on. You have apparently generated one from lets-encrypt as per your earlier posts; it is up to you to allow/make TLS, https, wss, secure email or whatever else know where those certs can be found. It doesn't matter whether you are the only one that will use those services, you will still need to use them if you want the services to work.
 

Jose Pinto

Member
Joined
Oct 26, 2017
Messages
148
Reaction score
20
@dicko Thank you very much for your attention, time and answer.
Ok, I understand. What I mentioned is about the question - open or do not open the system to the public - this question you and @wardmundy wrote about, this is why I said that it isn't necessary to open. As you can see in my last post, I just say that the certificate is necessary, and what I asked is what I can do to solve it.
 

dicko

Still learning but earning
Joined
Oct 30, 2015
Messages
1,634
Reaction score
846
You will likely find them in

/etc/letsencrypt/live/hddlab.com.br/*

If nothing is there then:

if you refuse to allow connections on port 80 then you have a problem; if apache is not listening on port 80 then please temporarily stop your firewall (at least allow port tcp:80)
and run from bash, as previously suggested:

certbot-auto certonly --standalone -d hddlab.com.br

Then you will have acceptable secure certs in the above directory; you will need to open port 80 and update the certificate at least every 89 days.
 

Jose Pinto

Member
Joined
Oct 26, 2017
Messages
148
Reaction score
20
@dicko Thank you very much for your attention, time and help, and also thank you for being so kind and patient. I will do what you say.
Regards
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,202
Reaction score
5,224
Here is a revised certificate install procedure using CertBot for CentOS 6.9 servers with Incredible PBX:
Code:
# certbot needs python 2.7, which CentOS 6.9 only provides via Software Collections (scl)
yum -y install python-devel python-pip python-setuptools python-virtualenv --enablerepo=epel
yum -y install centos-release-scl
yum -y install python27
scl enable python27 bash   # opens a subshell with python 2.7 on the PATH
pip -V # should show python 2.7
pip install --upgrade pip
pip install requests registry urllib3 pyOpenSSL --force --upgrade
pip install certbot-apache --force --upgrade
cd /root
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
service iptables stop      # the webroot challenge must be reachable on port 80 from the Internet
./certbot-auto --authenticator webroot --installer apache -w /var/www/html -d your.FQDN.here
iptables-restart           # put the firewall back as soon as the certificate is issued
exit                       # leave the python27 subshell

And here is a certbot-update script to renew your certificate when the time comes:
Code:
#!/bin/bash

echo "Before you begin, type: scl enable python27 bash"
echo "Then rerun this update script and press ENTER."
read -p "If you already have done so, press Enter. Otherwise, Ctrl-C now"
cd /root                   # certbot-auto was downloaded here during the install procedure
service iptables stop      # port 80 must be reachable for the renewal challenge
./certbot-auto --authenticator webroot --installer apache -w /var/www/html -d your.FQDN.here
iptables-restart           # restore the firewall rules
echo "Be sure to type exit again at the command prompt."
exit

Nerd Vittles tutorial has also been updated.
 
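As an added example (not wardmundy's or dicko's code, and not part of Incredible PBX), this wrapper combines dicko's standalone certbot-auto command with the stop/restart of iptables from the scripts above: it checks how long the current certificate in /etc/letsencrypt/live/<FQDN>/ has left, opens port 80 only when a renewal is actually due, and restores the firewall even if certbot-auto fails. It assumes certbot-auto lives in /root, that an iptables-restart command exists as in the procedure above, and GNU date; your.FQDN.here is a placeholder.

```shell
#!/bin/sh
# Added example, not from this thread: renewal wrapper for a certificate
# obtained with certbot-auto as described in the posts above.
# Assumptions: certbot-auto in /root, an iptables-restart command as in the
# install procedure, GNU date (for -d). your.FQDN.here is a placeholder.

DOMAIN="${DOMAIN:-your.FQDN.here}"
CERT="/etc/letsencrypt/live/$DOMAIN/cert.pem"
RENEW_BEFORE_DAYS=30   # Let's Encrypt certificates are valid for 90 days

# Seconds from "now" ($2, epoch seconds) until the date in $1, where $1 is the
# "notAfter=..." line printed by 'openssl x509 -noout -enddate'.
seconds_until_expiry() {
    end=$(date -d "${1#notAfter=}" +%s) || return 1
    echo $(( end - $2 ))
}

# Exit status 0 when a renewal is due: no certificate, an unreadable date,
# or fewer than RENEW_BEFORE_DAYS days remaining.
renewal_due() {
    [ -n "$1" ] || return 0
    secs=$(seconds_until_expiry "$1" "$2") || return 0
    [ "$secs" -lt $(( RENEW_BEFORE_DAYS * 86400 )) ]
}

# Open port 80 only for the duration of the ACME challenge; the EXIT trap puts
# the firewall back even if certbot-auto fails or is interrupted.
# --non-interactive assumes the account was created by the first (manual) run.
renew_now() {
    service iptables stop
    trap 'iptables-restart' EXIT
    /root/certbot-auto certonly --standalone -d "$DOMAIN" --non-interactive
}

main() {
    enddate=$(openssl x509 -in "$CERT" -noout -enddate 2>/dev/null) || enddate=""
    if renewal_due "$enddate" "$(date +%s)"; then
        renew_now
    else
        echo "Certificate for $DOMAIN still valid; nothing to do"
    fi
}

# Only act when started as 'sh renew-cert.sh run', so the functions can be
# sourced or tested without touching the firewall.
if [ "${1:-}" = "run" ]; then main; fi
```

Run it from cron as `sh renew-cert.sh run` inside the python27 scl shell; on the days when nothing is due it never stops the firewall.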

Jose Pinto

Member
Joined
Oct 26, 2017
Messages
148
Reaction score
20
@wardmundy, Thank you very much for your kindness, as always.
I will do it and then I will tell you what happens.
Best Regards
 

TirsoJRP

Member
Joined
Jan 8, 2015
Messages
99
Reaction score
32
I let pfsense / acme handle my certificates. Also, I am using alternative methods as my ISP blocks http:80 or https:443. The only thing missing is a script to copy the new certificate to IncrediblePBX automatically when it is renewed.

I wasn't into WebRTC, but I just tried it after adding SSL to my RPi install and it is just awesome. The FreePBX 14 version is even better...


Jose Pinto

Member
Joined
Oct 26, 2017
Messages
148
Reaction score
20
@TirsoJRP It seems to me that you are using FreePBX, not Incredible, am I right? (are you from Brazil?)

@wardmundy I tried to use the new instructions to fix my certificate but it is not possible, so I think that I will need to start from zero and see. Thank you for your time and help.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,202
Reaction score
5,224
@Jose Pinto We tested the new procedure on 3 separate servers so your server setup was apparently damaged before you began the procedure.
 

Jose Pinto

Member
Joined
Oct 26, 2017
Messages
148
Reaction score
20
@wardmundy Yes, you are 100% right, this is why I wrote before that I will need to set up the server from the beginning.
But it's ok, it is just part of my learning process. Thank you for your attention and help.

@TirsoJRP Your name Tirso is very common here in Brazil, this is why I asked. Ahh, about the server, I just asked you because in the picture that you posted, the logo at the top of it is a Frog, and this is the symbol of FreePBX; Incredible has another logo. Anyway it is not my concern. Thank you for answering me.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,202
Reaction score
5,224
Just an FYI that WebRTC connections will cause an Asterisk 13 crash on connection unless a STUN server is specified in Settings -> SIP Settings. It's a good idea to insert it in BOTH STUN Address fields if you plan to use Opus separately from WebRTC.

List of free STUN servers is available here.
 