FOOD FOR THOUGHT Use LE (Let's Encrypt)/Certbot with Wazo?

kyle95wm

Phone Genius Owner
Can someone give me a rundown on how to best install an LE certificate on Wazo and have it renewed automatically? During testing I was able to make the changes documented on the Wazo end, but I can't for the life of me come up with a way to ease the renewal process (i.e. make the certs stay in the xivo-certs folder).

There should perhaps be an automated way of doing the whole LE setup from start to finish.
 

kyle95wm

Phone Genius Owner
I was able to implement an SSL cert using ZeroSSL. I'll probably create a video documenting the process and maybe write a few scripts to ease some of the tension.
 

wardmundy

Nerd Uno
FYI: LetsEncrypt is an integrated component in Issabel.
 

kyle95wm

Phone Genius Owner
Ah, good to know, but I need Wazo for MT. If I have to get a new cert or renew it, do I just restart the Wazo services after replacing the private key and cert in /usr/share/xivo-certs? Also, do Wazo upgrades overwrite my cert? I guess this is all stuff that can be tested on the dev server first.
 

dicko

Still learning but earning
If you mean multi-tenant by MT and they have different DNS resolutions, then Let's Encrypt won't work for you.
 

kyle95wm

Phone Genius Owner
No, I think you misunderstand me. Wazo is the only good MT solution since it lets you easily create users, contexts, etc. and jail everyone off from each other. I could theoretically put a ton of people on a high-powered server at DO (currently rocking the $20 plan over there to accommodate the 2GB RAM requirement).

When I talk about Let's Encrypt, I'm talking about encrypting the connection to the Wazo web GUI, and any other part of Wazo that uses that ugly self-signed cert that isn't trusted on modern browsers.

Anyways, for anyone wanting to know my general workflow on how I got this working on my server, I did the following:

I went to http://zerossl.com and generated a cert for my domain using DNS verification (had to add a TXT record for my domain)

I downloaded my CSR, LE key, cert, and my cert's private key.

I then followed the tutorial at http://documentation.wazo.community/en/stable/system/https_certificate.html

I replaced "wazo.example.com" with my domain name

I put the cert and cert private key into /usr/share/xivo-certs/ and replaced the cert and the key file using nano (just used cmd+K to delete everything in the file).

I finished up the guide by running wazo-service restart all and waited a minute for everything to come back up. When I went to my server I was in the green, and had a trusted cert for my web GUI (https://admin.dev.phonegenius.ca in case anyone wants to see a working example).

The two concerns/questions I have are:
1) Does the Wazo upgrade process overwrite my certs in any way?
2) When it comes time to renew these, would I just be able to go to ZeroSSL's website and get a renewed cert from them? I already have my LE key and CSR from earlier saved on my computer. The only thing that I would have to replace would be the certificate. I guess what I'm really asking here is: Is there a way to make this all automated, where I could theoretically install certbot on my Wazo server, have the certs renewed, and placed back into the directory that Wazo uses? This will sure save me lots of intensive labour if I happen to have more than one server. I could just install a cert, a cron job that automates the renewal process, and be done with it.
 
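One way to wire up the automation Kyle asks about in question 2, as an added example that is not from the thread, from Wazo or from Ward's NerdVittles post: a certbot deploy hook that copies a renewed certificate into /usr/share/xivo-certs/ and then runs the same `wazo-service restart all` step from the guide. It assumes Wazo reads the files as server.crt and server.key (names assumed; check your install against the Wazo docs linked above), that the domain on the cert is the value you substituted for "wazo.example.com", and that certbot's renewal cron job or timer is already in place, since certbot only calls deploy hooks after a certificate was actually renewed.

```shell
#!/bin/sh
# Added example (not from the thread or Wazo): a certbot deploy hook that
# installs a renewed Let's Encrypt cert into the directory Wazo reads.
# Install as /etc/letsencrypt/renewal-hooks/deploy/wazo-certs.sh, mode 0755.
# Assumptions: Wazo reads server.crt/server.key from WAZO_CERT_DIR (file names
# assumed, verify on your install); certbot exports RENEWED_LINEAGE and
# RENEWED_DOMAINS to deploy hooks and runs them only after a real renewal.

WAZO_CERT_DIR="${WAZO_CERT_DIR:-/usr/share/xivo-certs}"
WAZO_DOMAIN="${WAZO_DOMAIN:-wazo.example.com}"   # the FQDN you put on the cert

# Succeeds only if the private key and certificate carry the same public key,
# so a half-copied or mismatched lineage never ends up in service.
keypair_matches() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$key_pub" = "$crt_pub" ]
}

# Replaces an existing file atomically (write beside it, then rename) while
# keeping whatever owner and mode Wazo already set on it, so services that
# run unprivileged can still read the key after the swap.
replace_keeping_perms() {
    cp "$1" "$2.new" && chmod --reference="$2" "$2.new" &&
        chown --reference="$2" "$2.new" && mv -f "$2.new" "$2"
}

# Copies fullchain.pem and privkey.pem from a certbot lineage directory into
# Wazo's cert directory; returns non-zero and changes nothing on a mismatch.
install_wazo_cert() {
    lineage="$1"; dest="$2"
    keypair_matches "$lineage/privkey.pem" "$lineage/fullchain.pem" || {
        echo "key/cert mismatch in $lineage, leaving $dest untouched" >&2
        return 1
    }
    replace_keeping_perms "$lineage/fullchain.pem" "$dest/server.crt" &&
        replace_keeping_perms "$lineage/privkey.pem" "$dest/server.key"
}

# Entry point when certbot runs this hook: act only on this server's lineage,
# so a host carrying several certificates does not restart Wazo needlessly.
if [ -n "$RENEWED_LINEAGE" ]; then
    case " $RENEWED_DOMAINS " in
        *" $WAZO_DOMAIN "*)
            install_wazo_cert "$RENEWED_LINEAGE" "$WAZO_CERT_DIR" &&
                wazo-service restart all ;;
        *) echo "renewed $RENEWED_DOMAINS, not $WAZO_DOMAIN; nothing to do" ;;
    esac
fi
```

Because the hook lives under certbot's renewal-hooks directory, it survives Wazo upgrades independently of whatever they do to /usr/share/xivo-certs; a manual `certbot renew --force-renewal` is one way to confirm the whole chain (hook, copy, restart) works before trusting the cron job.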

JFrost

Active Member
kyle95wm said:
> No, I think you misunderstand me. Wazo is the only good MT solution since it lets you easily create users, contexts, etc. and jail everyone off from each other. I could theoretically put a ton of people on a high-powered server at DO (currently rocking the $20 plan over there to accommodate the 2GB RAM requirement).
>
> When I talk about Let's Encrypt, I'm talking about encrypting the connection to the Wazo web GUI, and any other part of Wazo that uses that ugly self-signed cert that isn't trusted on modern browsers.
>
> Anyways, for anyone wanting to know my general workflow on how I got this working on my server, I did the following:
>
> I went to http://zerossl.com and generated a cert for my domain using DNS verification (had to add a TXT record for my domain)
>
> I downloaded my CSR, LE key, cert, and my cert's private key.
>
> I then followed the tutorial at http://documentation.wazo.community/en/stable/system/https_certificate.html
>
> I replaced "wazo.example.com" with my domain name
>
> I put the cert and cert private key into /usr/share/xivo-certs/ and replaced the cert and the key file using nano (just used cmd+K to delete everything in the file).
>
> I finished up the guide by running wazo-service restart all and waited a minute for everything to come back up. When I went to my server I was in the green, and had a trusted cert for my web GUI (https://admin.dev.phonegenius.ca in case anyone wants to see a working example).
>
> The two concerns/questions I have are:
> 1) Does the Wazo upgrade process overwrite my certs in any way?
> 2) When it comes time to renew these, would I just be able to go to ZeroSSL's website and get a renewed cert from them? I already have my LE key and CSR from earlier saved on my computer. The only thing that I would have to replace would be the certificate. I guess what I'm really asking here is: Is there a way to make this all automated, where I could theoretically install certbot on my Wazo server, have the certs renewed, and placed back into the directory that Wazo uses? This will sure save me lots of intensive labour if I happen to have more than one server. I could just install a cert, a cron job that automates the renewal process, and be done with it.

Hey Kyle. So, 2 or 3 months on, how's this working out? Have you worked out if the certs are durable through upgrades and if they will auto-renew?

Btw, to the point about not being able to use LE certs for multi-tenant, I believe LE lets you put up to 100 domains and/or subdomains (100 total) on a single cert. No wildcards so you have to spell out each but it's one cert so that could/should work for MT on one server.
 

kyle95wm

Phone Genius Owner
It's actually working out great! While I initially followed the docs at Wazo for replacing the certs, @wardmundy has a post at NerdVittles that instructs how to pull this off, in a much easier way than I did on my end. Seriously, it'll save you hours of pulling your hair out.
 

JFrost

Active Member
kyle95wm said:
> It's actually working out great! While I initially followed the docs at Wazo for replacing the certs, @wardmundy has a post at NerdVittles that instructs how to pull this off, in a much easier way than I did on my end. Seriously, it'll save you hours of pulling your hair out.

Awesome. And what did you do about the multiple domains? Did you just list them all on one LE cert and that worked out?

thx.
 

kyle95wm

Phone Genius Owner
JFrost said:
> Awesome. And what did you do about the multiple domains? Did you just list them all on one LE cert and that worked out?
>
> thx.

No, I just listed the main FQDN of the server. Once I did that without modifying the Wazo internal files, I was golden.
 
