
SOLVED Cerbot / Let's Encrypt install problem

Discussion in 'Open Discussion' started by Robert.Thompson, Dec 24, 2017.

Tags:
  1. dicko

    dicko Still learning but earning

    Joined:
    Oct 30, 2015
    Messages:
    461
    Likes Received:
    164
    . . The only person(s) that can gain access to HTTP and HTTPS on your server are people whose IP addresses have been whitelisted in the firewall. . .

    Even if you can ensure that everyone, everywhere is whitelisted, VPNs are a pain, port knocking is a pain, roaming cell connections are a pain, and even when covered they still get, quite reasonably, pissed off with all those "!!!!! no certificates, no security here !!! " warnings, at least mine do. It is NOT hard to certbot and can only help your security, as there is a lot of shit going over the webservice that is better encrypted on any network. In my world complacency will sooner or later cost you something in either dollars, time or reputation.

    JM2CWAE
     
  2. dicko

    dicko Still learning but earning

    Joined:
    Oct 30, 2015
    Messages:
    461
    Likes Received:
    164

    Even if you buy a certificate, you still need to set up an HTTPS server with certificates, that bit doesn't change. Your choice and your Reals, sorry that I couldn't help.
     
  3. Jose Pinto

    Jose Pinto Member

    Joined:
    Oct 26, 2017
    Messages:
    144
    Likes Received:
    19
    @dicko thank you very much. You already helped me, also @wardmundy. There are things that we can do and others that we can't.
    OK, I just need one piece of advice, as I would like to try WebRTC, and with Incredible it is dangerous because to make it work I will need to open it up, and this I will not do, so what can I do? Also, if I think about doing the Facebook project, it also will need SSL, so what is my better choice for this? Wazo? Issabel?
    Thanks guys
     
  4. dicko

    dicko Still learning but earning

    Joined:
    Oct 30, 2015
    Messages:
    461
    Likes Received:
    164
    Heads up, WebRTC can ONLY work with a valid SSL certificate using almost any browser, it's a security thing. It really doesn't matter which VoIP server (Wazo, Issabel, FreePBX) you use, they have nothing to do with the WebRTC connection; that is just your webserver and its ability to accept SSL connections and effectively reply with an acceptable authority/certificate, then you will need a webrtc-asterisk connector.
     
    #24 dicko, Feb 9, 2018
    Last edited: Feb 9, 2018
  5. Jose Pinto

    Jose Pinto Member

    Joined:
    Oct 26, 2017
    Messages:
    144
    Likes Received:
    19
    to @dicko Let me describe my 0800 project here and you will see that I do not need to open my server to the public, also maybe I will be able to help others.
    My 0800 service is based on the Doubango Project, so I just rent a website with SSL and in it I wrote the 0800 service. After this I will have a link that I can put in a webpage with an icon to call this link. The 0800 service has a VoIP client like Ekiga or Sip2Sip and this is what will receive the call. So the person gets to my website and presses the icon, this will make a call that I will see in my softphone and we can talk.
    Now what I would like to do when I think about the PBX is: the Ekiga or Sip2Sip I would like to put in my PBX and I will link it to an extension. By doing that I can have all the features that an extension can give me, so nobody will have access to the server, only me, because I will receive the call. This is my project.

    About the Facebook Project it is the same, I would like to do it for me and only I will have the access.
    Anyway thank you very much for your time and help.

    PS: @wardmundy In all my projects I do not have to open the server to the public, I think that this kind of need is for people that do the project and then rent it.
     
  6. dicko

    dicko Still learning but earning

    Joined:
    Oct 30, 2015
    Messages:
    461
    Likes Received:
    164
    There is click2call directly available already in the Doubango project, why complicate things unnecessarily? Just set the "sip address" in the .conf file to your Asterisk server and set up a trunk for it. If you want to use WebRTC then

    https://wiki.asterisk.org/wiki/display/AST/WebRTC+tutorial+using+SIPML5

    You will not be able to use a self-certified certificate in most modern browsers though (back to Reals or certbot there :) )

    FreePBX also has

    https://wiki.freepbx.org/display/FPG/WebRTC+Phone-UCP

    You can use the Doubango software to proxy the calls into UDP.

    After you get all that working, send all inbound calls from that trunk to your cellphone. Add Zoiper to your phone, you won't need any other trunks, both very secure and very cost effective. Maybe you can also get rid of FreePBX completely, or at least not start it if you are really security conscious (then don't use 5060 either).

    Even more minimalist, just add siproxd to your cloud server and add that connection to your Zoiper directly.
     
    #26 dicko, Feb 10, 2018
    Last edited: Feb 10, 2018
    wardmundy likes this.
  7. Jose Pinto

    Jose Pinto Member

    Joined:
    Oct 26, 2017
    Messages:
    144
    Likes Received:
    19
    @dicko
    I made a mistake, I was thinking that to receive calls from the Doubango Click2call in my PBX I need SSL, because WebRTC only works with SSL. But this is not necessary, I can receive the call in an extension of my Incredible PBX using a Sip2Sip trunk. If you would like to see it I will leave my 0800 web page here, sometimes I will be able to talk, other times you will get a message only.
    But if we want to use the WebRTC facility to call the PBX, it will need SSL/HTTPS, and this will not require opening the PBX to the public.
    Anyway thank you very much for all the information that you gave me, I really need it, since I'm in a learning process.

    Just access this webpage and the page will call me, you do not need to press the green rectangle.
    https://misterwww.000webhostapp.com/indexc2c.html#
     
    #27 Jose Pinto, Feb 13, 2018
    Last edited: Feb 13, 2018
  8. Jose Pinto

    Jose Pinto Member

    Joined:
    Oct 26, 2017
    Messages:
    144
    Likes Received:
    19
    OK, I understand.
    Anyway you wrote 2 projects (thank you very much for all your work) and they need SSL/HTTPS, so what can I do to use the projects that need SSL/HTTPS?
    1- I would like to use WebRTC in a Call Center

    2- I would like to do the Facebook Project

    What can I do for both projects? Imagine that I will use them myself, so there is no need to open to the public, as only I will need to be in the iptables.
     
  9. dicko

    dicko Still learning but earning

    Joined:
    Oct 30, 2015
    Messages:
    461
    Likes Received:
    164
    There are many services that require secure certificates, and there will be more and more as time goes on. You have apparently generated one from Let's Encrypt as per your earlier posts; it is up to you to make TLS, HTTPS, WSS, secure email or whatever else know where those certs can be found. It doesn't matter whether you are the only one that will use those services, you will still need to use them if you want the services to work.
     
  10. Jose Pinto

    Jose Pinto Member

    Joined:
    Oct 26, 2017
    Messages:
    144
    Likes Received:
    19
    @dicko Thank you very much for your attention, time and answer.
    OK, I understand. What I mentioned is about the question (open or do not open the system to the public) that you and @wardmundy wrote about, this is why I said that it isn't necessary to open. As you can see in my last post I just said that the certificate is necessary, and what I asked is what I can do to solve it.
     
  11. dicko

    dicko Still learning but earning

    Joined:
    Oct 30, 2015
    Messages:
    461
    Likes Received:
    164
    You will likely find them in

    /etc/letsencrypt/live/hddlab.com.br/*

    If nothing is there, then:

    if you refuse to allow connections on port 80 then you have a problem. If Apache is not listening on port 80 then please temporarily stop your firewall (at least allow tcp:80)
    and run from bash, as previously suggested:

    certbot-auto certonly --standalone -d hddlab.com.br

    Then you will have acceptable secure certs in the above directory. You will need to open port 80 and update the certificate at least every 89 days.
     
  12. Jose Pinto

    Jose Pinto Member

    Joined:
    Oct 26, 2017
    Messages:
    144
    Likes Received:
    19
    @dicko Thank you very much for your attention time and help, also thank to be so kind and patient. I will do what you say.
    Regards
     
  13. wardmundy

    wardmundy Nerd Uno

    Joined:
    Oct 12, 2007
    Messages:
    13,825
    Likes Received:
    2,293
    Here is a revised certificate install procedure using CertBot for CentOS 6.9 servers with Incredible PBX:
    Code:
    # Install a Python 2.7 toolchain from Software Collections (CentOS 6.9 ships 2.6)
    yum -y install python-devel python-pip python-setuptools python-virtualenv --enablerepo=epel
    yum -y install centos-release-scl
    yum -y install python27
    scl enable python27 bash   # opens a subshell with python 2.7 on the PATH
    pip -V                     # should show python 2.7
    pip install --upgrade pip
    pip install requests registry urllib3 pyOpenSSL --force --upgrade
    pip install certbot-apache --force --upgrade
    cd /root
    wget https://dl.eff.org/certbot-auto
    chmod a+x certbot-auto
    service iptables stop      # Let's Encrypt must reach port 80 for the webroot challenge
    ./certbot-auto --authenticator webroot --installer apache -w /var/www/html -d your.FQDN.here
    iptables-restart           # restore the firewall as soon as the challenge is done
    exit                       # leave the scl subshell
    
    And here is a certbot-update script to renew your certificate when the time comes:
    Code:
    #!/bin/bash
    # certbot-update: renew the Let's Encrypt certificate; run it inside "scl enable python27 bash"
    
    echo "Before you begin, type: scl enable python27 bash"
    echo "Then rerun this update script and press ENTER."
    read -p "If you already have done so, press Enter. Otherwise, Ctrl-C now"
    cd /root                   # certbot-auto was downloaded here during the install
    service iptables stop      # open port 80 for the webroot challenge
    ./certbot-auto --authenticator webroot --installer apache -w /var/www/html -d your.FQDN.here
    iptables-restart           # restore the firewall
    echo "Be sure to type exit again at the command prompt."
    exit
    
    Nerd Vittles tutorial has also been updated.
     
    #33 wardmundy, Feb 15, 2018 at 3:06 PM
    Last edited: Feb 15, 2018 at 3:17 PM
    Jose Pinto likes this.
  14. Jose Pinto

    Jose Pinto Member

    Joined:
    Oct 26, 2017
    Messages:
    144
    Likes Received:
    19
    @wardmundy , Thank you very much for your kindness, as always.
    I will do it and then I will tell you what happens.
    Best Regards
     
  15. TirsoJRP

    TirsoJRP Member

    Joined:
    Jan 8, 2015
    Messages:
    72
    Likes Received:
    25
    I let pfSense / acme handle my certificates. Also, I am using alternative methods as my ISP blocks http:80 or https:443. The only thing missing is a script to copy the new certificate to IncrediblePBX automatically when it is renewed.

    I wasn't into WebRTC, but I just tried it after adding SSL to my RPi install and it is just awesome. The FreePBX 14 version is even better...

     
    #35 TirsoJRP, Feb 15, 2018 at 6:39 PM
    Last edited: Feb 15, 2018 at 6:52 PM
    wardmundy likes this.
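    The script TirsoJRP says is missing above (and the step wardmundy's certbot-update script leaves to the reader) is the hand-off from certbot's live directory to the PBX. Below is an added example of such a certbot deploy hook; it is not code from this thread or from Incredible PBX. It assumes certbot's default live directory layout (/etc/letsencrypt/live/<domain>/fullchain.pem and privkey.pem) and the Asterisk keys directory /etc/asterisk/keys; the destination path, the asterisk:asterisk owner and the reload commands are assumptions to adjust for your install. The point it shows is installing the private key with mode 0600 and refusing to touch the PBX when the renewed files are missing or empty.

```shell
#!/bin/sh
# Added example (not from the thread or Incredible PBX): a certbot deploy hook
# that copies renewed Let's Encrypt files into the Asterisk keys directory with
# restrictive permissions, then reloads the services that use them.
# Assumed paths: /etc/letsencrypt/live/<domain> (certbot default) and
# /etc/asterisk/keys (assumed Asterisk/FreePBX keys directory).
#
# Usage (certbot runs it after a successful renewal and exports
# RENEWED_LINEAGE, the live directory of the renewed certificate):
#   certbot renew --deploy-hook /root/deploy-cert.sh

set -eu

# copy_cert SRC_DIR DST_DIR [OWNER]
# Copies fullchain.pem and privkey.pem from SRC_DIR into DST_DIR.
# The private key is installed with mode 0600; the chain is world-readable.
# Returns 1 and copies nothing if either input file is missing or empty,
# so a failed renewal can never replace a working key pair with junk.
copy_cert() {
    src="$1"; dst="$2"; owner="${3:-}"
    for f in fullchain.pem privkey.pem; do
        if [ ! -s "$src/$f" ]; then
            echo "copy_cert: missing or empty $src/$f" >&2
            return 1
        fi
    done
    mkdir -p "$dst"
    # Write to a temporary name first and rename at the end, so a service
    # reading the directory never sees a half-written key file.
    cp "$src/fullchain.pem" "$dst/fullchain.pem.tmp"
    cp "$src/privkey.pem"   "$dst/privkey.pem.tmp"
    chmod 0644 "$dst/fullchain.pem.tmp"
    chmod 0600 "$dst/privkey.pem.tmp"
    if [ -n "$owner" ]; then
        chown "$owner" "$dst/fullchain.pem.tmp" "$dst/privkey.pem.tmp"
    fi
    mv "$dst/fullchain.pem.tmp" "$dst/fullchain.pem"
    mv "$dst/privkey.pem.tmp"   "$dst/privkey.pem"
}

# reload_services: make Asterisk (http.conf / pjsip wss transport) and Apache
# re-read the certificate files. Assumed commands for a CentOS 6 style box.
reload_services() {
    if command -v asterisk >/dev/null 2>&1; then
        asterisk -rx "core reload" >/dev/null 2>&1 || true
    fi
    if command -v service >/dev/null 2>&1; then
        service httpd reload >/dev/null 2>&1 || true
    fi
}

# When invoked by certbot, RENEWED_LINEAGE names the renewed live directory.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    copy_cert "$RENEWED_LINEAGE" /etc/asterisk/keys asterisk:asterisk
    reload_services
fi
```

    With the files in /etc/asterisk/keys, Asterisk's http.conf tlscertfile and tlsprivatekey options (and the Apache SSLCertificateFile / SSLCertificateKeyFile directives) are pointed at the copies rather than at /etc/letsencrypt, which is normally readable only by root.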
  16. Jose Pinto

    Jose Pinto Member

    Joined:
    Oct 26, 2017
    Messages:
    144
    Likes Received:
    19
    @TirsoJRP Seems to me that you are using FreePBX, not Incredible, am I right? (Are you from Brazil?)

    @wardmundy I tried to use the new instructions to fix my certificate but it is not possible, so I think that I will need to start from zero and see. Thank you for your time and help.
     
  17. wardmundy

    wardmundy Nerd Uno

    Joined:
    Oct 12, 2007
    Messages:
    13,825
    Likes Received:
    2,293
    @Jose Pinto We tested the new procedure on 3 separate servers so your server setup was apparently damaged before you began the procedure.
     
  18. TirsoJRP

    TirsoJRP Member

    Joined:
    Jan 8, 2015
    Messages:
    72
    Likes Received:
    25
    :nono: and no.
     
    wardmundy likes this.
  19. Jose Pinto

    Jose Pinto Member

    Joined:
    Oct 26, 2017
    Messages:
    144
    Likes Received:
    19
    @wardmundy Yes, you are 100% right, this is why I wrote before that I will need to set up the server from the beginning.
    But it's OK, it is just part of my learning process. Thank you for your attention and help.

    @TirsoJRP Your name Tirso is very common here in Brazil, this is why I asked. Ahh, about the server, I just asked you because in the picture that you posted the logo at the top is a frog, and this is the symbol of FreePBX; Incredible has another logo. Anyway it is not my concern. Thank you for answering me.
     
    #39 Jose Pinto, Feb 16, 2018 at 8:48 AM
    Last edited: Feb 17, 2018 at 6:06 AM
  20. wardmundy

    wardmundy Nerd Uno

    Joined:
    Oct 12, 2007
    Messages:
    13,825
    Likes Received:
    2,293
    Just an FYI that WebRTC connections will cause an Asterisk 13 crash on connection unless a STUN server is specified in Settings -> SIP Settings. It's a good idea to insert it in BOTH STUN Address fields if you plan to use Opus separately from WebRTC.

    List of free STUN servers is available here.
     
