SS/TLS from GoDaddy

[dbz195]

Looking for advice on which SSL cert to buy for FSPBX, we need a wildcard or a single domain?

 

[pbxgeek]

Do you have one FSPBX server or two redundant servers?

 

[dbz195]

Just the one for now, let's say in the near future we go with HA would it be difficult to change?

 

[pbxgeek]

Just use a single domain Let's Encrypt certificate until then. It's free. With FS PBX you don't need a to have a certificate that covers each tenant domain. Everyone will be logging in using your main PBX domain and their email.

Let's Encrypt SSL certificate | FS PBX – Open Source PBX Dashboard for VoIP Providers

Securing your FS PBX installation with an SSL certificate is crucial for ensuring secure communications. This guide will walk you through the process of installing a Let's Encrypt SSL certificate using Dehydrated after setting up FS PBX.

www.fspbx.com

 

[dbz195]

Sorry for the confusion, i was referring to the TLS

Yes, for the main domain i have used "Let's Encrypt"

Enabling TLS Support for FS PBX | FS PBX – Open Source PBX Dashboard for VoIP Providers

This guide provides a step-by-step tutorial for configuring TLS for FS PBX with a purchased SSL certificate. It covers prerequisites, certificate installation, FreeSWITCH/FX PBX settings, and testing.

www.fspbx.com

 

[pbxgeek]

Oh, that changes the story. You can buy a single domain certificate. Your phones should be registered to the same domain. Usually, your main DNS record points to your server. Only if you prefer dual registration in the future, when you have 2 servers, and if your phones support it, then you would need a wildcard certificate. Changing certificates is not hard, but does require a FreeSwitch restart.
Someone recently told me they generate their own Certificate Authority and certificate, and just upload it to the phones as trusted. It works just as well but requires a bit more work in the beginning. I think we are going to see more people leaning towards this way since the commercial certificates now have to be renewed every 7 months. We might even add a tutorial for this to our docs in the future.

 

[yaboc]

Oh, that changes the story. You can buy a single domain certificate. Your phones should be registered to the same domain. Usually, your main DNS record points to your server. Only if you prefer dual registration in the future, when you have 2 servers, and if your phones support it, then you would need a wildcard certificate. Changing certificates is not hard, but does require a FreeSwitch restart.
Someone recently told me they generate their own Certificate Authority and certificate, and just upload it to the phones as trusted. It works just as well but requires a bit more work in the beginning. I think we are going to see more people leaning towards this way since the commercial certificates now have to be renewed every 7 months. We might even add a tutorial for this to our docs in the future.

that'd be awesome to have a tutorial with self signed cert! i think most phone can pull certs during auto-provisioning vs manual upload ? then all youd have to do i specify provision url

 

[dbz195]

Just an update: was able to get Let's Encrypt with TLS, also an auto-renewal script that will copy over the cert for TLS,

Have about a few months left, before it renews lets see if the script works

 

[pbxgeek]

Let's Encrypt certs are generated for 3 months, as far as I know. So we will hear back from you soon. Does your auto-renewal script also restart FreeSWITCH?

 

[dbz195]

Yes, it's every 3 months. The script does have an auto-restart for FreeSwitch, will keep you posted if it works and post the code here.

 

[pbxgeek]

Be cautious when the certificate expires. It will disconnect all TLS endpoints immediately until FreeSWITCH is restarted to apply the new certificate. This is the main disadvantage of using Let's Encrypt for Freeswitch TLS certificates.

 

[yaboc]

Yes, it's every 3 months. The script does have an auto-restart for FreeSwitch, will keep you posted if it works and post the code here.

care to share ? i have pangolin proxy in front of my fspbx nodes so i pull my LE certs from there so i'd need to modify the script to my env.

@pbxgeek
do you know when self signed cert tutorial will be available. I'd def like to test it out in my environment. For now im doing it manually LE but got burned with it expiring just a few days ago si i'm looking into automating it.

 

[dbz195]

@yaboc

Sure i'll post it here, once i reach home(end of day)

 

[pbxgeek]

I think the need for a custom certificate will go away shortly. Freeswitch just announced a new release where certificate replacement no longer requires a restart. We will thoroughly test this version first before rolling it out.

 

[dbz195]

Here's the code i have used --- FYI i have not fully tested this.




Created the script in:
/etc/dehydrated/hooks/freeswitch-deploy.sh

renewal hook inside the dehydrated configuration. This hook automatically runs when dehydrated -c and renews the certificate to deploy the new certificates to FreeSWITCH and restart the service.
--------------------

#!/bin/bash
# Called by dehydrated after cert renewal
# Hook: deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP

deploy_cert() {
local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}"

if [ "$DOMAIN" = "YOUR.DOMAIN.COM" ]; then
echo "Deploying renewed cert to FreeSWITCH..."
cat "$FULLCHAINFILE" > /etc/freeswitch/tls/all.pem
cat "$KEYFILE" >> /etc/freeswitch/tls/all.pem
chown -R www-data:www-data /etc/freeswitch/tls
chmod -R 640 /etc/freeswitch/tls/*
systemctl restart freeswitch
echo "FreeSWITCH restarted with new cert."
fi
}

HANDLER=$1; shift
[ -n "$(type -t $HANDLER)" ] && "$HANDLER" "$@"

Cron Job:

0 3 * * * dehydrated -c && systemctl reload nginx

 

[pbxgeek]

Starting with FS PBX version 1.9.1, we support the new version of Freeswitch 1.11.1 and Automatic Let's Encrypt certificate renewal.

Let's Encrypt certificate | FS PBX – Open Source PBX Dashboard for VoIP Providers

FS PBX can issue, install, renew, and distribute a Let's Encrypt certificate for FreeSWITCH SIP-TLS and secure WebSockets (WSS). It can also create a self-signed certificate when a publicly trusted certificate is not required.

www.fspbx.com

Freeswitch must be upgraded manually, independently of the FS PBX update.

 

[yaboc]

@pbxgeek thank you, this is great. one question can le create wildcard since each tenant connects to pbx1..2..3. and so on and is a cname for pbx.domain.com for failover (pbxa.domain.com pbxb.domain.com being server hostnames)? and does it support dns challenge if fspbx is behind proxy?

after freeswitch upgrade and fspbx on both nodes i cant get to webui, i have trusted proxies set up correctly as it did not get wiped out after git pull. i can access it locally by ip :\. i was able to access it through pangolin proxy prior to the upgrade.

nothing changed in .env file either. other proxied UIs for services are working.

SESSION_DOMAIN=.domain.com
SANCTUM_STATEFUL_DOMAINS=pbxa.domain.com,pbx.domain.com

is nginx forcing its own self signed cert in anyway after the upgrade ?

 

[pbxgeek]

@yaboc, there have been some changes to port 80 to accommodate the Let's Encrypt HTTP challenge. It may not work with your proxy out of the box. You may need to look into making changes so both work without conflicting.

Why are your tenants using different domains? This isn't the intended way FS PBX operates. It's more related to FusionPBX, which wasn't designed optimally. FS PBX expects all users to access the portal via a single DNS entry. If you have two redundant FS PBX servers in primary-standby mode, this DNS entry can include a failover.

 

[pbxgeek]

Forgot to mention. Because of the above, you don't need a wildcard for FS PBX.

 

[yaboc]

@yaboc, there have been some changes to port 80 to accommodate the Let's Encrypt HTTP challenge. It may not work with your proxy out of the box. You may need to look into making changes so both work without conflicting.

Why are your tenants using different domains? This isn't the intended way FS PBX operates. It's more related to FusionPBX, which wasn't designed optimally. FS PBX expects all users to access the portal via a single DNS entry. If you have two redundant FS PBX servers in primary-standby mode, this DNS entry can include a failover.

@pbxgeek it's just phones that connect to different "sip" domain pbx1.domain.com pbx2 etc but all can access GUI portal via pbx.domain.com.

so no dns challenge for LE or is that something that can be configured ?

can i run the web gui on another port and use that in my proxy settings or is that going to break fspbx le integration? i dont wanna break anything in a working setup. would just changing port on nginx server work ?