FOOD FOR THOUGHT SSL Corrections

[wardmundy]

Port 80 and 443 are the most vulnerable, and those are the ports they need access to. So... adjusting iptables probably isn't worth the effort.

 

[DoctorJ]

Seems we now have to install Python for auto-renew with certbot... anyone else having this problem.

Upgrading certbot-auto 0.20.0 to 0.22.2...
Replacing certbot-auto...
Bootstrapping dependencies for RedHat-based OSes that will use Python3... (you can skip this with --no-bootstrap)
yum is /usr/bin/yum
No supported Python package available to install. Aborting bootstrap!

Ran it again with "--no-bootstrap", and got:

WARNING: couldn't find Python 2.7+ to check for updates.
Creating virtual environment...
Cannot find any Pythons; please install one!
WARNING: Always run Incredible PBX behind a secure hardware-based firewall.

@wardmundy, installing Python isn't all that difficult. I'm just concerned about breaking something. Any risk to this on IncrediblePBX 13-12?

 

[DoctorJ]

I've noticed that the original tutorial from September 25 has completely changed. Any instructions on how to update my configuration?

 

[lrosenman]

has anyone looked at using acme.sh and it's dns_nsupdate verification (I run my own nameserver, and can give it a T-SIG key to allow NSUPDATE to work) then you don't have to expose anything..