FOOD FOR THOUGHT Enable HTTPS with Let's Encrypt

unsichtbarre

Member
Joined
May 17, 2009
Messages
140
Reaction score
5
I'd like to use the Incredible PBX Administration and the embedded Certificate Management to enable Let's Encrypt Certificates so my admin and users can use HTTPS pages.

Does this work?

I have generated the Let's Encrypt Certificate and made it default - but my server does not seem to be listening to 443 - even from my home PC which should be wide open. Telnet below:

C:\Windows\System32>telnet pbx1.mydomain.com 443
Connecting To pbx1.mydomain.com...Could not open connection to the host, on port 443: Connect failed.

Any ideas?
THX
 

billsimon

Well-Known Member
Joined
Jan 2, 2011
Messages
1,534
Reaction score
727
Management of apache web server is on your own. You will need to enable HTTPS and point it to the location of your certificate. FreePBX open-source does not have management of the web server built in to the GUI. FreePBX Distro with the Sysadmin Module (free but not open source) has it.
 

unsichtbarre

Member
Joined
May 17, 2009
Messages
140
Reaction score
5
I'd sure like to stick with Incredible on Ubuntu 18.04. Prefer Open Source.

Any tips on how to get started? Like where might I look for the Let's Encrypt certificate?
 

mainenotarynet

Not really a Guru - Just a long time user
Joined
May 29, 2010
Messages
754
Reaction score
155
/etc/letsencrypt/ - CentOS 6 but it's a start to look on Ubuntu

Then in FreePBX, you want to Load manually. I tried LE in that CertMan and ended up buying a real one.
 

billsimon

Well-Known Member
Joined
Jan 2, 2011
Messages
1,534
Reaction score
727
> Any tips on how to get started? Like where might I look for the Let's Encrypt certificate?

If you use the FreePBX Certificate Manager to get your Letsencrypt cert and set it to default, then it will be added to /etc/asterisk/keys/integration/webserver.crt and /etc/asterisk/keys/integration/webserver.key.

It will also exist at /etc/asterisk/keys/YOURHOSTNAME-ca-bundle.crt, YOURHOSTNAME.crt, YOURHOSTNAME.key, and YOURHOSTNAME.pem.

There's also a copy at /etc/asterisk/keys/YOURHOSTNAMEdir/... I'm not really sure why it makes so many copies but you can pick one. :)

You can then enable https on your Ubuntu apache instance with `sudo a2enmod ssl` and `sudo a2ensite default-ssl`

Edit the config in /etc/apache2/sites-enabled/default-ssl.conf to point to the right files in /etc/asterisk/keys/...

`sudo systemctl restart apache2` to finish things up.
 

TirsoJRP

Member
Joined
Jan 8, 2015
Messages
99
Reaction score
32
I use pfsense as my cert manager, acme package to handle letsencrypt tasks and scripts to push new certs.
 

unsichtbarre

Member
Joined
May 17, 2009
Messages
140
Reaction score
5
Thanks, wow! I'm going to get to work in the morning.
 

unsichtbarre

Member
Joined
May 17, 2009
Messages
140
Reaction score
5
Holy Cow, it is working and encrypted! Great instructions and very detailed, thanks Billsimon!

Here's a summary of my steps to enable SSL with Incredible PBX (with help from above - all) for anyone who would like to use Let's Encrypt on Incredible Ubuntu 18.04 LTS:
  1. SSH: `./add-fqdn letsencrypt1 outbound1.letsencrypt.org`
  2. SSH: `./add-fqdn letsencrypt2 outbound2.letsencrypt.org`
  3. SSH: `./add-fqdn mirrior1 mirror1.freepbx.org`
  4. SSH: `./add-fqdn mirrior2 mirror2.freepbx.org`
  5. In Incredible GUI > Admin > Certificate Management > New Certificate > Generate Let's Encrypt Certificate
  6. Make Let's Encrypt Certificate Default
  7. SSH: `sudo a2enmod ssl`
  8. SSH: `sudo a2ensite default-ssl`
  9. SSH: `vi /etc/apache2/sites-enabled/default-ssl.conf`
  10. default-ssl.conf points to my certs in: /etc/asterisk/keys
  11. SSH: `systemctl status apache2.service`
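
A set of post-change checks for the Apache steps in billsimon's instructions and the summary above, added here as an example and not part of any poster's message or of Incredible PBX or FreePBX. The function names are hypothetical; the `snakeoil` match assumes Ubuntu's stock default-ssl.conf, which ships pointing at a self-signed placeholder certificate.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Print the path given to an Apache directive; commented-out lines are skipped
# because their first field is "#..." rather than the directive name.
ssl_directive() {            # usage: ssl_directive <conf> <Directive>
    awk -v d="$2" '$1 == d { gsub(/"/, "", $2); print $2; exit }' "$1"
}

# Succeed only if the key file exists and is not world-readable.
key_is_private() {           # usage: key_is_private <keyfile>
    [ -f "$1" ] && [ -z "$(find "$1" -prune -perm -004)" ]
}

# Succeed only if certificate and private key carry the same public key.
pair_matches() {             # usage: pair_matches <crt> <key>
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Print one line per finding; the return status is the number of findings.
check_ssl_vhost() {          # usage: check_ssl_vhost <conf>
    problems=0
    crt=$(ssl_directive "$1" SSLCertificateFile)
    key=$(ssl_directive "$1" SSLCertificateKeyFile)
    case "$crt $key" in *snakeoil*)
        echo "vhost still serves Ubuntu's self-signed snakeoil certificate"
        problems=$((problems + 1)) ;;
    esac
    [ -f "$crt" ] || { echo "certificate not found: $crt"; problems=$((problems + 1)); }
    key_is_private "$key" ||
        { echo "key missing or world-readable: $key"; problems=$((problems + 1)); }
    return "$problems"
}

# On the PBX itself (paths as given in the thread):
#   check_ssl_vhost /etc/apache2/sites-enabled/default-ssl.conf
#   pair_matches /etc/asterisk/keys/integration/webserver.crt \
#                /etc/asterisk/keys/integration/webserver.key
if [ "$#" -gt 0 ]; then check_ssl_vhost "$1"; fi
```

Run it as root so the key under /etc/asterisk/keys is readable; a non-zero exit status means at least one finding was printed.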
 

unsichtbarre

Member
Joined
May 17, 2009
Messages
140
Reaction score
5
Had a little issue with Webmin (https://mydomain.com:9001) after applying the Let's Encrypt to Incredible - simply point webmin at my Let's Encrypt *.pem and *.crt:
Webmin > Webmin Configuration > SSL Encryption

Now good!
 

krzykat

Telecom Strategist
Joined
Aug 2, 2008
Messages
3,145
Reaction score
1,235
> Had a little issue with Webmin (https://mydomain.com:9001) after applying the Let's Encrypt to Incredible - simply point webmin at my Let's Encrypt *.pem and *.crt:
> Webmin > Webmin Configuration > SSL Encryption
>
> Now good!

After logging in to webmin to make these changes after installing my LE cert. I can't go to any options. I get:
[screenshot: 1589510722905.png]

Any clue how I can manually tell webmin where my LE certs are so that I can make it work again?
 

krzykat

Telecom Strategist
Joined
Aug 2, 2008
Messages
3,145
Reaction score
1,235
FreePBX now stating they can renew Let's Encrypt without having shields down ... haven't looked at it yet, but we definitely need Let's Encrypt working automatically not only for the server web access, but also because ClearlyIP really needs the SSL cert working to get full functionality.
 

jerrm

Guru
Joined
Sep 23, 2015
Messages
838
Reaction score
405
> FreePBX now stating they can renew Let's Encrypt without having shields down ... haven't looked at it yet, but we definitely need Let's Encrypt working automatically not only for the server web access, but also because ClearlyIP really needs the SSL cert working to get full functionality.

From the write up, looks like it will be distro only as it will require the firewall module. Don't see it being non-distro as long as the sysadmin/zen stuff is the only sanctioned arbiter between asterisk and root. I can't see them opening up hooks and encouraging setuid script use.

It would be nice to have it in-GUI, but acme.sh and cron get the job done.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
> FreePBX now stating they can renew Let's Encrypt without having shields down ... haven't looked at it yet, but we definitely need Let's Encrypt working automatically not only for the server web access, but also because ClearlyIP really needs the SSL cert working to get full functionality.

Will a TM3 Whitelist entry not solve this??
 

jerrm

Guru
Joined
Sep 23, 2015
Messages
838
Reaction score
405
> Will a TM3 Whitelist entry not solve this??

LetsEncrypt validation can come from anywhere. There is no set server list to whitelist. Such has always been the official policy, but until recently they came from only a couple of hosts.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
@Tonyclewis hinted that they might consider releasing a version of the FreePBX firewall module that didn't require sysadmin. So I guess we'll see what the future holds. In the meantime, it's easy enough to momentarily turn off IPtables, run the update, and then iptables-restart.
 

jerrm

Guru
Joined
Sep 23, 2015
Messages
838
Reaction score
405
> @Tonyclewis hinted that they might consider releasing a version of the FreePBX firewall module that didn't require sysadmin.

There are certainly ways to make it happen. Nothing in the module needs sysadmin other than being a broker between asterisk and root privileges.
 

jerrm

Guru
Joined
Sep 23, 2015
Messages
838
Reaction score
405
For all here - don't upgrade to the edge cert manager - Lets Encrypt functionality is completely broken if the firewall module is not installed.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
> For all here - don't upgrade to the edge cert manager - Lets Encrypt functionality is completely broken if the firewall module is not installed.

Thanks for the warning. I will block the upgrade for Incredible PBX 2020 servers and lock certman to 15.0.23 for the time being. This is one of the many hidden beauties of Mirror Admin with the ClearlyIP module repositories.
 
