Closed alenas closed 3 years ago
Hi Alenas,
Thank you for the feedback.
Right now I use this simple function:
cfgService_letsencrypt() {
    # renew if a certificate for this FQDN already exists, otherwise request a new one
    if [ -e "/etc/letsencrypt/live/${APP_FQDN}/privkey.pem" ] ; then
        echo "--> Let's Encrypt certificate already exist... trying to renew"
        certbot renew --standalone
    else
        echo "--> generating HTTPS Let's Encrypt certificate"
        certbot certonly --standalone --expand -n --agree-tos --email "${ROOT_MAILTO}" -d "${APP_FQDN}"
    fi
    # create certbot renew cron and apache restart
    echo '#!/bin/bash
/usr/bin/certbot renew --noninteractive --no-random-sleep-on-renew --deploy-hook "/usr/bin/supervisorctl restart httpd"
exit $?' > /etc/cron.daily/certbot && chmod 755 /etc/cron.daily/certbot
}
But your suggestion is a better solution, so if you can make a PR, that would be great.
Thank you
Hi Ugo,
Seems like we need to start freepbx (or at least httpd) before we can generate certificates with fwconsole. Where is the best place to plug that script?
OK, I am just starting httpd, generating the certificate and then stopping httpd in entrypoint-hooks.sh. Works. Will test a bit more with a new docker image and existing data. The problem is that it is pretty hard to test when letsencrypt limits to 5 requests per week for a certificate.
I was trying the new izpbx 18.15.2 image on podman on a VPS server.
Using Let's Encrypt certbot, which successfully generates certificates. LETSENCRYPT_ENABLED=true
But then HTTPS does not work, as I get the error: ERR_SSL_PROTOCOL_ERROR
Maybe it would be a good idea to use Let's Encrypt certificates generated from FreePBX.
Example (from https://wiki.freepbx.org/pages/viewpage.action?pageId=91357370):
fwconsole certificates --generate --type=le --hostname=xyz.redacted.com --country-code=ca --state=ns --email=xyz@redacted.com
fwconsole certificates --default=xyz.redacted.com
and then use the same certificate for httpd as well (by pointing to /data/etc/asterisk/keys/integration). I could make a pull request if you want.