SS/TLS from GoDaddy

D

dbz195

Member
Feb 3, 2021
73
5
8
38
Looking for advice on which SSL cert to buy for FSPBX, we need a wildcard or a single domain?

1777053737794.png
 
Last edited:
Just the one for now, let's say in the near future we go with HA would it be difficult to change?
 
Just use a single domain Let's Encrypt certificate until then. It's free. With FS PBX you don't need a to have a certificate that covers each tenant domain. Everyone will be logging in using your main PBX domain and their email.

www.fspbx.com

Let's Encrypt SSL certificate | FS PBX – Open Source PBX Dashboard for VoIP Providers

Securing your FS PBX installation with an SSL certificate is crucial for ensuring secure communications. This guide will walk you through the process of installing a Let's Encrypt SSL certificate using Dehydrated after setting up FS PBX.
www.fspbx.com www.fspbx.com
 
Oh, that changes the story. You can buy a single domain certificate. Your phones should be registered to the same domain. Usually, your main DNS record points to your server. Only if you prefer dual registration in the future, when you have 2 servers, and if your phones support it, then you would need a wildcard certificate. Changing certificates is not hard, but does require a FreeSwitch restart.
Someone recently told me they generate their own Certificate Authority and certificate, and just upload it to the phones as trusted. It works just as well but requires a bit more work in the beginning. I think we are going to see more people leaning towards this way since the commercial certificates now have to be renewed every 7 months. We might even add a tutorial for this to our docs in the future.
 
  • Like
Reactions: yaboc
pbxgeek said:
Oh, that changes the story. You can buy a single domain certificate. Your phones should be registered to the same domain. Usually, your main DNS record points to your server. Only if you prefer dual registration in the future, when you have 2 servers, and if your phones support it, then you would need a wildcard certificate. Changing certificates is not hard, but does require a FreeSwitch restart.
Someone recently told me they generate their own Certificate Authority and certificate, and just upload it to the phones as trusted. It works just as well but requires a bit more work in the beginning. I think we are going to see more people leaning towards this way since the commercial certificates now have to be renewed every 7 months. We might even add a tutorial for this to our docs in the future.
Click to expand...
that'd be awesome to have a tutorial with self signed cert! i think most phone can pull certs during auto-provisioning vs manual upload ? then all youd have to do i specify provision url
 
Just an update: was able to get Let's Encrypt with TLS, also an auto-renewal script that will copy over the cert for TLS,

Have about a few months left, before it renews lets see if the script works :rolleyes:
 
  • Like
Reactions: yaboc
Let's Encrypt certs are generated for 3 months, as far as I know. So we will hear back from you soon. Does your auto-renewal script also restart FreeSWITCH?
 
Yes, it's every 3 months. The script does have an auto-restart for FreeSwitch, will keep you posted if it works and post the code here.
 
  • Like
Reactions: yaboc
Be cautious when the certificate expires. It will disconnect all TLS endpoints immediately until FreeSWITCH is restarted to apply the new certificate. This is the main disadvantage of using Let's Encrypt for Freeswitch TLS certificates.
 
  • Like
Reactions: yaboc
dbz195 said:
Yes, it's every 3 months. The script does have an auto-restart for FreeSwitch, will keep you posted if it works and post the code here.
Click to expand...
care to share ? i have pangolin proxy in front of my fspbx nodes so i pull my LE certs from there so i'd need to modify the script to my env.

@pbxgeek
do you know when self signed cert tutorial will be available. I'd def like to test it out in my environment. For now im doing it manually LE but got burned with it expiring just a few days ago si i'm looking into automating it.
 
I think the need for a custom certificate will go away shortly. Freeswitch just announced a new release where certificate replacement no longer requires a restart. We will thoroughly test this version first before rolling it out.
 
  • Like
Reactions: kenn10 and yaboc
Here's the code i have used --- FYI i have not fully tested this.




Created the script in:
/etc/dehydrated/hooks/freeswitch-deploy.sh

renewal hook inside the dehydrated configuration. This hook automatically runs when dehydrated -c and renews the certificate to deploy the new certificates to FreeSWITCH and restart the service.
--------------------

#!/bin/bash
# Called by dehydrated after cert renewal
# Hook: deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP

deploy_cert() {
local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}"

if [ "$DOMAIN" = "YOUR.DOMAIN.COM" ]; then
echo "Deploying renewed cert to FreeSWITCH..."
cat "$FULLCHAINFILE" > /etc/freeswitch/tls/all.pem
cat "$KEYFILE" >> /etc/freeswitch/tls/all.pem
chown -R www-data:www-data /etc/freeswitch/tls
chmod -R 640 /etc/freeswitch/tls/*
systemctl restart freeswitch
echo "FreeSWITCH restarted with new cert."
fi
}

HANDLER=$1; shift
[ -n "$(type -t $HANDLER)" ] && "$HANDLER" "$@"
Click to expand...

Cron Job:
0 3 * * * dehydrated -c && systemctl reload nginx
Click to expand...
 
You must log in or register to reply here.
Top Bottom