How To install SSL wildcard Certificate

Status
Not open for further replies.

beppe

New Member
Oct 23, 2019
9
0
1
Hi,

we run a Fusionpbx multi-tenant (25 domains) on Debian 9 with letsencrypt for SSL management access.
It works great.

Now, to deploy autoprovisioning via https, we are going to subscribe a wildcard SSL certificate (no letsencrypt) to match all the domains running.
Please, could you indicate me some how-to info where are described the configuration steps ?

note: it's not clear for me how to manage the dehydrated/letsencript configuration already running.

Thanks in advance for any suggestions.

Bye,
Beppe
 
Last edited:

cemotyz09

Member
Apr 23, 2020
83
7
8
I think what your asking starts at line 98 of the letsencrypt.sh script in the default install. You'd need to change the filenames used for your certificates
 

Konrad M WebArray

New Member
Nov 10, 2021
4
2
3
Ottawa, Ontario
All the instructions are here:

If you installed SSL and then tried to install the WildCard SSL from LE it will not work unless you modify nginx configuration so that it knows to include that cert.

The easiest way, if all your tenants are on a subdomain of a single domain, is to generate a wildcard SSL and then edit the file /etc/nginx/sites-available/fusionpbx at the bottom near server listen 443 where it defines the location to the cert. Change it from the initial one you created, probably the hostname, to the wildcard you just created. Save the file and restart nginx. You should now have dehydrated managing your SSL renewal and you should have wildcard subdomain SSL for your server.

If you setup the wildcard SSL before the hostname you wouldn't have this problem, but the instructions at the link provided can be misinterpreted and people think they need to install an SSL for the hostname first, then WildCard SSL, but the instructions to first generate a certificate is for multi domain SSL configurations (the lower set of instructions) where you will be including additional domain SSL in nginx. In this case you would generate a hostname OR wildcard SSL first, then proceed to add other domain SSL. This can also apply if you want to use a new cert for each subdomain, but that's more work than it's worth.

If you want to use a paid SSL you can either copy the certs to your server and set them up in the same way, or add them as includes... In this event I'd recommend you Google search how to add SSL to nginx as you will find more documentation related to nginx. But unless you have specifications that require you to use a paid SSL or unless you are having bad device compatibility, then I would just stick with let's encrypt.
 

swehes

New Member
Oct 25, 2017
4
0
1
124
All the instructions are here:

If you installed SSL and then tried to install the WildCard SSL from LE it will not work unless you modify nginx configuration so that it knows to include that cert.

The easiest way, if all your tenants are on a subdomain of a single domain, is to generate a wildcard SSL and then edit the file /etc/nginx/sites-available/fusionpbx at the bottom near server listen 443 where it defines the location to the cert. Change it from the initial one you created, probably the hostname, to the wildcard you just created. Save the file and restart nginx. You should now have dehydrated managing your SSL renewal and you should have wildcard subdomain SSL for your server.

If you setup the wildcard SSL before the hostname you wouldn't have this problem, but the instructions at the link provided can be misinterpreted and people think they need to install an SSL for the hostname first, then WildCard SSL, but the instructions to first generate a certificate is for multi domain SSL configurations (the lower set of instructions) where you will be including additional domain SSL in nginx. In this case you would generate a hostname OR wildcard SSL first, then proceed to add other domain SSL. This can also apply if you want to use a new cert for each subdomain, but that's more work than it's worth.

If you want to use a paid SSL you can either copy the certs to your server and set them up in the same way, or add them as includes... In this event I'd recommend you Google search how to add SSL to nginx as you will find more documentation related to nginx. But unless you have specifications that require you to use a paid SSL or unless you are having bad device compatibility, then I would just stick with let's encrypt.
I have a question on this. This manual first reference to dehydrated so I ran the first part of it. But then when I tried to the multi domain aspect of it (I own multiple domains and have put sip.domain.tld for each of them) and was going to run the letsencrypt-auto, letsencrypt wasn't even installed to be used. So it seems like the second half, the multi domain aspect of it, is way out of date as I have used this setup on earlier fusionpbx installations without a hitch when it comes to having multiple domains. Thoughts?
 

beppe

New Member
Oct 23, 2019
9
0
1
We have solved defining a second "sites-available/fusionpbx-pbx-wc" for *.wildcard.domain access.
No change at all on dehydrated/letsencript configuration already running.

Thanks for all your suggestions.
 
Status
Not open for further replies.