Problem: In FreePBX, you are asked to whitelist the following 4 FQDNs. However, this information is stale. Since 19th February 2020, Let's Encrypt validates challenges from multiple network vantage points. There is no fixed set of IP addresses to allow, so we have to deal with this issue a different way.
Whitelisting the following FQDNs is an outdated method and will not work:
outbound1.letsencrypt.org
outbound2.letsencrypt.org
acme-v01.api.letsencrypt.org
acme-staging.api.letsencrypt.org
acme-v02.api.letsencrypt.org
acme-staging-v02.api.letsencrypt.org
mirror1.freepbx.org
mirror2.freepbx.org
NEW METHOD: SSH into your VPS (for example with PuTTY) and follow the guide below:
Step 1 : Add VirtualHost at Port 80
Add the following lines as a VirtualHost on port 80 (the enclosing VirtualHost tags are shown so the block is complete):
<VirtualHost *:80>
    ServerAdmin email@example.com
    ServerName example.com
    ServerAlias cname.example.com
    DocumentRoot /var/www/html
</VirtualHost>
Save certbot.conf and exit.
Reload httpd Service
systemctl reload httpd
Step 2 : Install Certbot and Enable SSL/HTTPS using Let's Encrypt
We will use certbot's pre-hook and post-hook options to toggle iptables around the validation, so that Let's Encrypt can complete its handshake on port 80.
yum install python-certbot-apache
certbot --apache -m firstname.lastname@example.org -d cname.example.com --pre-hook "systemctl stop iptables" --post-hook "systemctl start iptables"
If you only want to install the certificates and will modify Apache yourself:
certbot certonly --apache -m email@example.com -d cname.example.com --pre-hook "systemctl stop iptables" --post-hook "systemctl start iptables"
Press A to agree to the Terms of Service.
Press Y to share your email address.
When it prompts to “Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access”, Pick option 2. This is IMPORTANT!
2: Redirect - Make all requests redirect to secure HTTPS access
After that, the SSL client installs the certificate and configures your website to redirect all traffic over HTTPS.
You should test your configuration at:
Step 3 : SSL Certificates Installed. Add Cronjob:
You will get the following message:
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/cname.example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/cname.example.com/privkey.pem
   Your cert will expire on 2020-08-16. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again with the "certonly" option. To non-interactively renew *all*
   of your certificates, run "certbot renew"
Now we should add a cronjob to renew the certificates automatically.
Open the crontab editor (crontab -e), then add the line below and save. (The original line had "& > /dev/null", which backgrounds certbot and redirects nothing; the redirect below sends both stdout and stderr to /dev/null.)
0 1 * * * /usr/bin/certbot renew > /dev/null 2>&1
This runs every day at 01:00 and will attempt to renew certificates that are within 30 days of expiring.
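Stopping iptables for the pre-hook opens every port, not just 80, for as long as the challenge takes, and certbot stores the pre/post hooks in the renewal config, so the same thing happens on every "certbot renew". A narrower alternative, added here as an example (not FreePBX or certbot code), is a hook script that inserts a tagged ACCEPT rule for TCP/80 and removes only that rule afterwards. It assumes iptables with an INPUT chain and the "comment" match, and a hypothetical install path /usr/local/bin/acme-fw.

```shell
#!/bin/sh
# Scoped certbot hooks for the HTTP-01 challenge: open only TCP/80 in iptables
# while the challenge runs, then remove that rule again. Added example, not
# FreePBX or certbot code.
# Assumptions: iptables with an INPUT chain and the "comment" match module;
# hypothetical install path /usr/local/bin/acme-fw, wired into certbot as
#   --pre-hook "/usr/local/bin/acme-fw pre" --post-hook "/usr/local/bin/acme-fw post"
# IPTABLES can be overridden to point at a wrapper for testing.
IPTABLES="${IPTABLES:-iptables}"
# Left unquoted below on purpose so it word-splits into separate arguments.
RULE="INPUT -p tcp --dport 80 -m comment --comment acme-http01 -j ACCEPT"

# pre-hook: insert the tagged ACCEPT rule at the top of INPUT, exactly once.
acme_open() {
    if $IPTABLES -C $RULE 2>/dev/null; then
        return 0        # already present, e.g. an earlier run was interrupted
    fi
    $IPTABLES -I $RULE
}

# post-hook: delete every copy of the tagged rule so the firewall is back to
# its original state. Only rules carrying the acme-http01 comment are touched.
acme_close() {
    while $IPTABLES -C $RULE 2>/dev/null; do
        $IPTABLES -D $RULE || return 1
    done
}

case "$1" in
    pre)  acme_open ;;
    post) acme_close ;;
    "")   ;;            # no argument: only define the functions
    *)    echo "usage: $0 pre|post" >&2; exit 2 ;;
esac
```

Because "certbot renew" reuses the hooks recorded at issuance, the cron line above needs no extra arguments once the certificate has been issued with these hooks.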
Note: If you want to change the default editor from vi, use the following command:
export EDITOR=mcedit OR
Now refresh your FreePBX/IncrediblePBX/RasPBX dashboard and check the padlock icon next to the URL to make sure the site is served securely.
NOTE: You can also achieve the same result by disabling 'iptables' and then going to:
Admin > Certificate Management > New Certificate > Generate Let's Encrypt Certificate > Generate Certificate.