FOOD FOR THOUGHT Let's Encrypt free SSL for PiaF

Has anyone used Let's Encrypt for the GUI?

It's not really a big deal to have a signed cert, but it seems like it might be a nice touch that would be easily integrated. It's automated, open, and free. There are lots of people here who are fans of those three words.

https://letsencrypt.org/
 
(same poster, in reply)
That's pretty much it. It just popped into my head while reading some posts that mentioned SSL. If you have multiple people using the GUI, it would make for better UX than saying to accept an unsigned cert.

And it also seems that people around here tend to tinker for the sake of tinkering, and Let's Encrypt is a pretty neat project, IMHO.

I do have my GUI exposed, meaning I use whitelisted VPNs to access it.
 

chris_c_

> That's pretty much it. It just popped into my head while reading some posts that mentioned SSL. If you have multiple people using the GUI, it would make for better UX than saying to accept an unsigned cert.
>
> And it also seems that people around here tend to tinker for the sake of tinkering, and Let's Encrypt is a pretty neat project, IMHO.
>
> I do have my GUI exposed, meaning I use whitelisted VPNs to access it.
I've already suggested this to the FreePBX feature request and it's going to be included.

The benefit of Let's Encrypt for PIAF is huge! We get FREE, browser-recognized and SIP-softphone-recognized TLS certs for use with SIPS (secure SIP signaling) and SRTP (secure RTP audio).

This means your users can open up Zoiper, CSipSimple, or whatever SIP softphone app on their Android or iOS device, in a coffee shop in a hacker-infested third-world country, possibly with a hacker there logging all your packets as they pass through their Wi-Fi router for future financial fraud to steal your money, and you'll be safe because your packets are encrypted with strong elliptic curve Diffie-Hellman TLS. Very nice.
 

smarks

There are scripts which take care of all of this. Don't think of Let's Encrypt like old-school paid certificates. Think of it as more of a weekly or monthly cron job. My certificate renewal scripts get run on a monthly cron job.
 

hecatae

Worth a read:

https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-14-04

> The Standalone plugin provides a very simple way to obtain SSL certificates. It works by temporarily running a small web server, on port 80, on your server, to which the Let's Encrypt CA can connect and validate your server's identity before issuing a certificate. As such, this method requires that port 80 is not in use.

Plus:

> Let's Encrypt certificates are valid for 90 days, but it's recommended that you renew the certificates every 60 days to allow a margin of error. At the time of this writing, automatic renewal is still not available as a feature of the client itself, but you can manually renew your certificates by running the Let's Encrypt client again.
>
> A practical way to ensure your certificates won't get outdated is to create a cron job that will automatically handle the renewal process for you. In order to avoid the interactive, menu-driven process that we used earlier, we will use different parameters when calling the Let's Encrypt client in the cron job.
>
> We will use the Webroot plugin, instead of the Standalone plugin used earlier, because it allows your server to validate your domain without stopping your web server. The Webroot plugin adds a hidden file to your web server's document root, which the Let's Encrypt CA can read to verify your domain.

There are a couple of important points there: one, you need to open port 80 on the public internet to install, and then every time you renew you have to allow the Let's Encrypt CA access to your server.

Has anyone got the details of where the Let's Encrypt service talks to when it tries to renew its certificate?

If we can find out where it talks to, then a rule could be added to the IncrediblePBX tables by yourself.
 
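A renewal script for the cron job smarks mentions and the firewall question hecatae raises, as an added example that is not from this thread or from the PIAF/IncrediblePBX project. Let's Encrypt does not publish a fixed list of addresses its validation requests come from, so the script does not try to whitelist the CA; it inserts an ACCEPT rule for port 80 only for the duration of the renewal and removes it again on any exit, including a failed or interrupted client run. It assumes certbot (the current name of the Let's Encrypt client) with the standalone plugin and an iptables INPUT chain; the deploy-hook path, the script path in the cron line and the LE_RENEW_MAIN guard are placeholders of this example. Setting DRY_RUN=1 prints the commands instead of running them, which is how the ordering can be checked without root.

```shell
#!/bin/sh
# Added example (not PIAF/IncrediblePBX code): renew a Let's Encrypt cert with
# the standalone plugin on a box whose firewall normally drops port 80.
# Assumes certbot and iptables; the deploy-hook path is a placeholder.
set -u

ACME_CLIENT="${ACME_CLIENT:-certbot}"
DEPLOY_HOOK="${DEPLOY_HOOK:-/usr/local/sbin/pbx-cert-deploy}"   # placeholder
DRY_RUN="${DRY_RUN:-}"

# run: execute a command, or only print it when DRY_RUN is set
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# open_port80: insert at position 1 so the rule wins over a default DROP/REJECT
open_port80() {
    run iptables -I INPUT 1 -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
}

# close_port80: delete exactly the rule inserted above (same match, no position)
close_port80() {
    run iptables -D INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
}

# renew_with_port80: the window is bounded by a trap, so the hole is closed
# even when the client fails or the job is killed. 'certbot renew' only
# renews certs within 30 days of expiry, so it is safe to run daily from cron;
# --standalone binds :80 itself, which is why the port must be free and open.
renew_with_port80() {
    open_port80
    trap 'close_port80' EXIT INT TERM
    run "$ACME_CLIENT" renew --standalone --preferred-challenges http \
        --quiet --deploy-hook "$DEPLOY_HOOK"
    rc=$?
    trap - EXIT INT TERM
    close_port80
    return "$rc"
}

# cron entry for root (placeholder script path); the LE_RENEW_MAIN guard lets
# the functions be sourced for a dry run without touching the firewall:
#   17 3 * * * LE_RENEW_MAIN=1 /usr/local/sbin/le-renew.sh
if [ "${LE_RENEW_MAIN:-0}" = 1 ]; then
    renew_with_port80
fi
```

The client itself only makes outbound HTTPS connections to the ACME API, which most PBX firewalls already allow; the inbound hole is needed solely for the CA's HTTP validation of the hostname, and a second failure mode worth remembering is that anything already bound to port 80 (the PBX's own web server, for instance) makes the standalone plugin fail, in which case the webroot plugin with a permanent port 80 exposure of the hidden validation directory is the alternative.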

Porch

Anyone get Let's Encrypt SSL certs to work with Asterisk? Asterisk seems to want some strange combination of certs and I have not had any luck yet.
 

billsimon

> Anyone get Let's Encrypt SSL certs to work with Asterisk? Asterisk seems to want some strange combination of certs and I have not had any luck yet.
Yes, I am using it for wss (secure webrtc) and DTLS which are required for the webrtc phone in UCP to work securely in Chrome.

The format required for the wss part: have a PEM file for the private key and another PEM file that concatenates the host certificate (the one issued to you) with the intermediate, in that order. These are then specified in Advanced Settings - Mini-HTTP Server settings in the HTTPS Private Key Location and the Certificate Location fields, respectively.

For the DTLS part: one PEM file that starts with the private key, then the host certificate, then the intermediate. That certificate is specified in the Admin - Certificate Manager section.

(Do not include the root cert.)
 
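A script that builds the two layouts billsimon describes, as an added example that is not from this thread or from the FreePBX/Asterisk projects. It assumes certbot's live directory naming (privkey.pem is the key, cert.pem the host certificate, chain.pem the intermediate only, so the root is never included); the output directory, the file names wss-key.pem, wss-cert.pem and dtls.pem, and the constructed placeholder PEM blocks written by make_constructed_live are all assumptions of this example, not anything the post or FreePBX prescribes.

```shell
#!/bin/sh
# Added example (not FreePBX/Asterisk code): assemble the PEM files Asterisk
# wants for wss (mini-HTTP server) and DTLS from a certbot live directory,
# and check the block order before Asterisk is pointed at them.
set -u

# pem_block_order: print the BEGIN labels of a PEM file, in order,
# space-separated, e.g. "PRIVATE KEY CERTIFICATE CERTIFICATE"
pem_block_order() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | tr '\n' ' ' | sed 's/ $//'
}

# build_wss_pems: mini-HTTP wants the key in one file and, in another, the
# host certificate followed by the intermediate (certbot's chain.pem). The
# cert file carries no secret, so it may stay world-readable.
build_wss_pems() {
    live="$1"; out="$2"
    mkdir -p "$out"
    cat "$live/privkey.pem" > "$out/wss-key.pem"
    cat "$live/cert.pem" "$live/chain.pem" > "$out/wss-cert.pem"
    chmod 600 "$out/wss-key.pem"
    chmod 644 "$out/wss-cert.pem"
}

# build_dtls_pem: DTLS wants one file: key, host certificate, intermediate, in
# that order. It contains the private key, so it gets key-file permissions.
build_dtls_pem() {
    live="$1"; out="$2"
    mkdir -p "$out"
    cat "$live/privkey.pem" "$live/cert.pem" "$live/chain.pem" > "$out/dtls.pem"
    chmod 600 "$out/dtls.pem"
}

# check_layout: compare a bundle's block order with the expected label sequence
check_layout() {
    [ "$(pem_block_order "$1")" = "$2" ]
}

# key_matches_cert: after a renewal the usual silent failure is a key that no
# longer belongs to the cert; compare the public keys with openssl (real files only)
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# make_constructed_live: write placeholder PEM blocks (NOT real keys or certs)
# in certbot's live/<host>/ layout, so the assembly can be dry-run anywhere
make_constructed_live() {
    mkdir -p "$1"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'constructed-placeholder' \
        '-----END PRIVATE KEY-----' > "$1/privkey.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed-leaf' \
        '-----END CERTIFICATE-----' > "$1/cert.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed-intermediate' \
        '-----END CERTIFICATE-----' > "$1/chain.pem"
}

# Real use, as root, after each renewal (placeholder host and output directory):
#   build_wss_pems /etc/letsencrypt/live/pbx.example.com /etc/asterisk/keys
#   build_dtls_pem /etc/letsencrypt/live/pbx.example.com /etc/asterisk/keys
#   check_layout /etc/asterisk/keys/dtls.pem 'PRIVATE KEY CERTIFICATE CERTIFICATE' || exit 1
#   key_matches_cert /etc/asterisk/keys/wss-key.pem /etc/asterisk/keys/wss-cert.pem || exit 1
#   chown asterisk:asterisk /etc/asterisk/keys/*.pem
```

wss-key.pem and wss-cert.pem are what go into the HTTPS Private Key Location and Certificate Location fields, and dtls.pem is the file handed to the Certificate Manager; because it embeds the private key it should be owned by the Asterisk user and readable by nobody else, which is also why it is rebuilt from the certbot directory on every renewal rather than edited in place.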
