[2020] Free SSL HTTPS for FreePBX/IncrediblePBX/RasPBX Let’s Encrypt

Problem : In FreePBX, you are asked to whitelist the following 4 FQDNs. However, this information is stale. Since 19th February 2020, Let's Encrypt validates challenges from multiple network vantage points. There is no fixed set of IP addresses, so we have to deal with this issue a different way.

Whitelisting the following FQDNs is an outdated method and will not work:

outbound1.letsencrypt.org
outbound2.letsencrypt.org
acme-v01.api.letsencrypt.org
acme-staging.api.letsencrypt.org
acme-v02.api.letsencrypt.org
acme-staging-v02.api.letsencrypt.org
mirror1.freepbx.org
mirror2.freepbx.org

NEW METHOD: SSH into your VPS using PuTTY and follow the guide below:

Step 1 : Add a VirtualHost on Port 80

nano /etc/httpd/conf.d/certbot.conf

Add the following lines as a VirtualHost on Port 80:

<VirtualHost *:80>
    ServerAdmin admin@example.com
    ServerName example.com
    ServerAlias cname.example.com
    DocumentRoot /var/www/html
</VirtualHost>

Save certbot.conf and exit.

Reload the httpd service:

systemctl reload httpd

Step 2 : Install Certbot and Enable SSL/HTTPS using Let's Encrypt

certbot's --pre-hook and --post-hook run a command before and after the validation attempt. We use them to stop and restart iptables, so Let's Encrypt can reach Port 80 for the HTTP-01 challenge.

yum install python-certbot-apache

certbot --apache -m admin@example.com -d cname.example.com --pre-hook "systemctl stop iptables" --post-hook "systemctl start iptables"

If you only want to install the certificates and will modify Apache yourself:

certbot certonly --apache -m admin@example.com -d cname.example.com --pre-hook "systemctl stop iptables" --post-hook "systemctl start iptables" 
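"systemctl stop iptables" in the hooks above flushes every firewall rule (SIP, RTP, SSH and all the rest) for the whole validation window, not just the one port Let's Encrypt needs. The script below is an added example, not from the original guide or the FreePBX project: a single hook script that inserts a tagged ACCEPT rule for TCP/80 in the pre-hook and deletes exactly that rule in the post-hook. It assumes iptables is the active firewall and that certbot runs the hooks as root; the install path /usr/local/sbin/acme-fw and the IPTABLES override (IPTABLES=echo prints the commands instead of running them) are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the original guide): certbot pre/post hooks that
# open only TCP/80 for the ACME HTTP-01 exchange, instead of stopping
# iptables entirely. Assumes iptables is the active firewall and that the
# hooks run as root. Set IPTABLES=echo to print the commands (dry run).

ACME_COMMENT="certbot-acme-http01"   # tag so the post-hook removes only our rule

# Rule specification shared by insert (-I), delete (-D) and check (-C).
acme_rule_spec() {
    echo "INPUT -p tcp --dport 80 -j ACCEPT -m comment --comment $ACME_COMMENT"
}

# Pre-hook: insert the rule at the top of INPUT so it precedes any DROP/REJECT.
acme_open() {
    # shellcheck disable=SC2046  # intentional word splitting of the rule spec
    "${IPTABLES:-iptables}" -I $(acme_rule_spec)
}

# Post-hook: delete exactly the rule inserted above. certbot runs the
# post-hook after the attempt, so the rule is removed whether or not the
# validation succeeded.
acme_close() {
    # shellcheck disable=SC2046
    "${IPTABLES:-iptables}" -D $(acme_rule_spec)
}

# Returns 0 when the temporary rule is currently present (handy for audits:
# it should never be present outside a certbot run).
acme_is_open() {
    # shellcheck disable=SC2046
    "${IPTABLES:-iptables}" -C $(acme_rule_spec) 2>/dev/null
}

# Dispatcher so one script serves both hooks, e.g.
#   certbot --apache -m admin@example.com -d cname.example.com \
#     --pre-hook "/usr/local/sbin/acme-fw open" \
#     --post-hook "/usr/local/sbin/acme-fw close"
case "${1:-}" in
    open)   acme_open ;;
    close)  acme_close ;;
    status) if acme_is_open; then echo "acme rule present"; else echo "acme rule absent"; fi ;;
    *)      : ;;   # no argument: only define the functions (e.g. when sourced)
esac
```

Copy the script to /usr/local/sbin/acme-fw, make it executable, and pass the open/close commands as the --pre-hook and --post-hook instead of the systemctl commands. certbot stores the hooks in the renewal configuration under /etc/letsencrypt/renewal/, so the unattended "certbot renew" in Step 3 replays them; "acme-fw status" lets you confirm afterwards that the temporary rule did not survive the run.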

 

Press A to agree to the Terms of Service.
Press Y to share your email address.

When it prompts to “Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access”, Pick option 2. This is IMPORTANT!

2: Redirect - Make all requests redirect to secure HTTPS access

After that, certbot should install the cert and configure your website to redirect all traffic over HTTPS.

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=voip.googlecloudplatform.online

Step 3 : SSL Certificates Installed. Add Cronjob:

You will see the following message:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/cname.example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/cname.example.com/privkey.pem
   Your cert will expire on 2020-08-16. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"

Now we should add a cronjob to automatically renew the certificates:

crontab -e

Then add the line below and save.

0 1 * * * /usr/bin/certbot renew > /dev/null 2>&1

This runs "certbot renew" daily at 01:00; it only renews certificates that are within 30 days of expiry and leaves the others alone.

Note: If you want to change the default editor from vi, run one of the following before crontab -e:

export EDITOR=mcedit
export EDITOR=nano

Now refresh your FreePBX/IncrediblePBX/RasPBX Dashboard and look at the padlock sign next to the URL to make sure the website is secure.

NOTE: You can also achieve the same result by stopping 'iptables' and then going to:

Admin > Certificate Management > New Certificate > Generate Let's Encrypt Certificate > Generate Certificate.
