Getting Wazo and NGINX configured for Facebook webhooks was more of a bear. You also have to manually install and configure certificates with certbot and LetsEncrypt since it knows nothing about NGINX. Neither do I, by the way.
@Sylvain Boily has bailed me out more than once.
First, you'll need to get certbot installed:
Code:
cd /etc/apt
echo "deb http://ftp.debian.org/debian jessie-backports main" >> sources.list
apt-get update
apt-get install certbot -t jessie-backports
Next, you have to temporarily turn off the HTTPS setup for Wazo, since the certificate install requires plain HTTP access to your server. In /etc/nginx/sites-enabled/xivo, comment out these 3 lines:
Code:
In the server section for port 80:
# include /etc/nginx/locations/http-enabled/*;
In the server section for port 443:
# listen 443 default_server;
# server_name $domain;
Then restart the web server: /etc/init.d/nginx restart. Now you have a basic HTTP-only web server.
Next, create the ACME challenge directory under /var/www/html (note the hyphen in .well-known; that is the path the Let's Encrypt server will request):
Code:
cd /var/www/html
mkdir .well-known
cd .well-known
mkdir acme-challenge
cd acme-challenge
chown -R asterisk:www-data /var/www/html/.well-known
Disable the firewall temporarily:
Code:
/etc/init.d/netfilter-persistent flush
Leave that SSH session as it is and open a second SSH session to your server to kick off the certbot script:
Code:
certbot certonly --manual
You'll be prompted for the FQDN of your server to generate the certificates. Then you'll be given an oddball name AND an expected oddball response. Use the name to create a directory under /var/www/html/.well-known/acme-challenge and put the response in an index.html file there. In your other session:
Code:
mkdir ODDBALL-NAME
cd ODDBALL-NAME
echo "ODDBALL-RESPONSE" > index.html
chown -R asterisk:www-data /var/www/html/.well-known
Now, use a browser to go to http://YOUR-FQDN/.well-known/acme-challenge/ODDBALL-NAME/ and be sure your web server displays the expected response. You've got to get this working before you continue with the certbot install or it will fail. And you only have a few minutes to do it before certbot will change the ODDBALL-NAME and ODDBALL-RESPONSE. 3 consecutive failures and you have to wait an hour to try again. Guess how we know?
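Because the browser check has to pass before you press ENTER, here is a small POSIX shell script that does the same check without a browser. It is an added example, not from the original post or from Wazo: it writes the challenge as a plain file named TOKEN (the standard ACME layout, rather than the directory with index.html used above; both answer the same URL) and then compares what is on disk, and what NGINX actually serves over HTTP, with the response certbot printed. The web root, the asterisk:www-data owner and the TOKEN/RESPONSE values are assumptions taken from the steps above.

```shell
#!/bin/sh
# Added example: publish and verify a certbot --manual HTTP-01 challenge.
# Assumptions: web root /var/www/html (override with WEBROOT), files owned
# by asterisk:www-data, TOKEN and RESPONSE are the values certbot printed.

WEBROOT="${WEBROOT:-/var/www/html}"

# Write the challenge at the standard ACME path (.well-known, with a hyphen).
# printf avoids the trailing newline echo adds, and the redirect sits outside
# the quotes so the response ends up in the file, not on the terminal.
write_challenge() {
    root="$1"; token="$2"; response="$3"
    dir="$root/.well-known/acme-challenge"
    mkdir -p "$dir" || return 1
    printf '%s' "$response" > "$dir/$token" || return 1
    chmod 644 "$dir/$token"
}

# Compare the file on disk with what certbot told us to publish.
verify_challenge_local() {
    root="$1"; token="$2"; response="$3"
    f="$root/.well-known/acme-challenge/$token"
    [ -f "$f" ] && [ "$(cat "$f")" = "$response" ]
}

# Fetch the challenge over plain HTTP, the way the Let's Encrypt validator
# will, and fail unless the body matches exactly. Do this before pressing
# ENTER in the certbot session.
verify_challenge_http() {
    fqdn="$1"; token="$2"; response="$3"
    url="http://$fqdn/.well-known/acme-challenge/$token"
    body=$(curl -fsSL --max-time 10 "$url") || return 1
    [ "$body" = "$response" ]
}

# Usage: sh acme-check.sh YOUR-FQDN TOKEN RESPONSE
if [ "$#" -eq 3 ]; then
    write_challenge "$WEBROOT" "$2" "$3" \
        && chown -R asterisk:www-data "$WEBROOT/.well-known" \
        && verify_challenge_local "$WEBROOT" "$2" "$3" \
        && verify_challenge_http "$1" "$2" "$3" \
        && echo "challenge served correctly; press ENTER in the certbot session"
fi
```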
Once you get the expected response, switch back to your SSH session with certbot and press ENTER to continue with the certificate install. When it completes, you'll get a congratulatory note and a reminder that, in less than 90 days, you'll need to run certbot renew to update your certificate.
Now let's install the new certificates in NGINX and put things back together again.
Code:
cd /etc/nginx/sites-enabled
nano -w xivo
First, uncomment the 3 lines we commented out previously, restoring the HTTPS setup.
Second, at the bottom of the file, comment out these existing certificate lines:
Code:
# ssl_certificate /usr/share/xivo-certs/server.crt;
# ssl_certificate_key /usr/share/xivo-certs/server.key;
# ssl_ciphers ALL:!aNULL:!eNULL:!LOW:!EXP:!RC4:!3DES:!SEED:+HIGH:+MEDIUM;
Third, add these new lines using your actual FQDN:
Code:
ssl_certificate /etc/letsencrypt/live/YOUR.FQDN/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/YOUR.FQDN/privkey.pem;
# Note: unlike the original Wazo line, this list does not exclude RC4 or 3DES
ssl_ciphers HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA;
Finally, reload your firewall rules (the ones flushed earlier) and restart NGINX:
Code:
/etc/init.d/netfilter-persistent start
/etc/init.d/nginx restart
Now comment out the jessie-backports line you added to /etc/apt/sources.list and run apt-get update again.
Verify that you have a working HTTPS implementation by going to your FQDN with a browser. You should be greeted by the Wazo login screen, and Chrome will tell you that your site is SECURE.
Someday soon, we'll document the Facebook piece (which actually works!). To be continued...