ugoviti / izpbx

izPBX is a Turnkey Cloud Native Telephony System powered by Asterisk Engine and FreePBX Management GUI
GNU General Public License v3.0

Lets encrypt certificate #14

Closed alenas closed 3 years ago

alenas commented 3 years ago

I was trying the new izpbx 18.15.2 image on podman on VPS server.

Using Let's Encrypt certbot, which successfully generates certificates (LETSENCRYPT_ENABLED=true).

But then HTTPS does not work, as I get the error ERR_SSL_PROTOCOL_ERROR.

Maybe it would be a good idea to use Let's Encrypt certificates generated from FreePBX.

Example (from https://wiki.freepbx.org/pages/viewpage.action?pageId=91357370):

fwconsole certificates --generate --type=le --hostname=xyz.redacted.com --country-code=ca --state=ns --email=xyz@redacted.com
fwconsole certificates --default=xyz.redacted.com

and then use the same certificate for httpd as well (by pointing to /data/etc/asterisk/keys/integration). I could make a pull request if you want.

ugoviti commented 3 years ago

Hi Alenas,

Thank you for the feedback.

Right now I use this simple function:

cfgService_letsencrypt() {
  # reuse an existing Let's Encrypt certificate when present, otherwise issue one
  if [ -e "/etc/letsencrypt/live/${APP_FQDN}/privkey.pem" ] ; then
    echo "--> Let's Encrypt certificate already exist... trying to renew"
    certbot renew --standalone
  else
    echo "--> generating HTTPS Let's Encrypt certificate"
    certbot certonly --standalone --expand -n --agree-tos --email "${ROOT_MAILTO}" -d "${APP_FQDN}"
  fi

  # create certbot renew cron and apache restart
  echo '#!/bin/bash
/usr/bin/certbot renew --noninteractive --no-random-sleep-on-renew --deploy-hook "/usr/bin/supervisorctl restart httpd"
exit $?' > /etc/cron.daily/certbot && chmod 755 /etc/cron.daily/certbot
}

But your suggestion is a better solution, so if you can make a PR that would be great.

Thank you

alenas commented 3 years ago

Hi Ugo,

It seems like we need to start FreePBX (or at least httpd) before we can generate certificates with fwconsole. Where is the best place to plug in that script?

alenas commented 3 years ago

OK, I am just starting httpd, generating the certificate and then stopping httpd in entrypoint-hooks.sh. Works. Will test a bit more with a new Docker image and existing data. The problem is that it is pretty hard to test when Let's Encrypt limits to 5 requests per week for a certificate.
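The start-httpd / fwconsole / stop-httpd sequence described in the thread, written up as an added example of an entrypoint hook; this is not izPBX's or FreePBX's own code. It assumes FreePBX copies the default certificate into the integration directory as webserver.crt and webserver.key, that curl is available for the readiness poll, and that APP_FQDN, ROOT_MAILTO, LE_COUNTRY and LE_STATE are set in the environment; the check for an existing certificate is there so container restarts do not consume Let's Encrypt rate-limit quota.

```shell
#!/bin/bash
# Added example, not izPBX's or FreePBX's own code. Assumes FreePBX copies the
# default certificate into KEYS_DIR as webserver.crt / webserver.key and that
# APP_FQDN, ROOT_MAILTO, LE_COUNTRY and LE_STATE are set in the environment.
KEYS_DIR="${KEYS_DIR:-/data/etc/asterisk/keys/integration}"

# Return 0 when a non-empty cert and key already exist in the integration dir.
# Checking before issuing keeps restarts from burning Let's Encrypt quota.
cert_present() {
  [ -s "$1/webserver.crt" ] && [ -s "$1/webserver.key" ]
}

# Poll the local web server for up to $1 seconds: the ACME HTTP-01 challenge
# that fwconsole drives needs Apache answering on port 80 before issuance.
wait_for_httpd() {
  local i=0
  while [ "$i" -lt "$1" ]; do
    curl -fsS -o /dev/null http://127.0.0.1/ && return 0
    i=$((i + 1)); sleep 1
  done
  return 1
}

# Start httpd, issue through FreePBX, make the cert the default, stop httpd.
# Meant to be called from entrypoint-hooks.sh before supervisord takes over.
issue_le_cert() {
  if cert_present "$KEYS_DIR"; then
    echo "--> certificate already in $KEYS_DIR, skipping issuance"
    return 0
  fi
  supervisorctl start httpd
  wait_for_httpd 30 || { echo "--> httpd did not come up"; return 1; }
  fwconsole certificates --generate --type=le --hostname="$APP_FQDN" \
    --country-code="$LE_COUNTRY" --state="$LE_STATE" --email="$ROOT_MAILTO"
  fwconsole certificates --default="$APP_FQDN"
  supervisorctl stop httpd
  cert_present "$KEYS_DIR"   # fail loudly if FreePBX did not populate the dir
}

# Emit the Apache directives that point httpd at the same certificate FreePBX
# manages, which is the reuse proposed in the thread.
apache_ssl_directives() {
  printf 'SSLCertificateFile %s/webserver.crt\nSSLCertificateKeyFile %s/webserver.key\n' "$1" "$1"
}

if [ "${1:-}" = "--run" ]; then
  issue_le_cert
fi
```

Running the script with --run performs the issuance; sourcing it only defines the functions, so the Apache directives can be rendered into a vhost fragment separately.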