Updating wildcard certs (preferred process)

Status
Not open for further replies.

barriepm

New Member
Jun 4, 2021
Hello Experts,

First post, and new to FPBX.

I just installed FusionPBX, and was able to request a Let's Encrypt wildcard certificate for my install. From what I gather, auto-renewing of wildcard certs is not supported, thus we manually have to update wildcard certs. This is cumbersome since we host our VPS server, and have to manually update our DNS records.

I am looking to you experts for any scripts that may be available to use a cron job to auto-update wildcard certs. I am lost between what the current standard is (letsencrypt vs dehydrated) and what's the correct way of implementing a solution? To add to the discussion here, since we manually have to manage our DNS records, I was hoping that the solution would be able to use the http-01 method to match tokens.

Any help from this community would greatly be appreciated.

Thanks,
Sam.
 
There isn't really a standard. I'm guessing FusionPBX uses dehydrated as it's a simple bash script instead of whatever monstrosity the LetsEncrypt lot are using for Certbot these days. I think you can only use DNS-01 for wildcards.

Personally, I just sign numerous certificates for each domain and automate them as per usual. If I wanted to switch to a wildcard, I'd probably just buy one and forget about it for a year or so.
 
> If I wanted to switch to a wildcard, I'd probably just buy one and forget about it for a year or so.
This is what I settled on a couple of years ago. It was a small price to pay for the lack of headaches.
 
Thank you both! I was kinda debating that (purchasing a 3-yr cert), and both of you have affirmed the path that I will take :)

Thanks again,
Sam.
 
@DigitalDaz, any further word on your solution? Thank you!

For myself, I'm uncertain where FusionPBX stores its certs and what they are called. I can't use letsencrypt, or at least not without a lot of work, because port 80 is forwarded to a reverse proxy for various web services here. If someone could kindly point me to the documentation (if it exists??) showing where Fusion expects cert files to be and what it expects them to be named, that would be very helpful. I'd manually install my own wildcard cert for now.
 
Have a little inspect of the supplied letsencrypt script that comes with FusionPBX.
/usr/src/fusionpbx-install.sh/debian/resources/letsencrypt.sh
Essentially, the usual place is nginx for the web interface. That's under the 'fusionpbx' site in sites-enabled. There's also the FreeSWITCH tls folder, which isn't FusionPBX specific. Refer to the docs for the instructions, and modify them as necessary (i.e., don't run the LetsEncrypt.sh script).

TLS/SSL FusionPBX Docs
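
For the manual route discussed in this thread (a purchased wildcard cert copied into the nginx site and the FreeSWITCH tls folder), here is a pre-install and cron check, added as an example and not part of the thread or of FusionPBX. The function name, exit codes and 30-day default are assumptions; the cert and key paths are passed in by the caller because the thread does not give them, and the key is assumed to be unencrypted.

```shell
#!/bin/sh
# Added example: sanity-check a manually managed wildcard certificate before
# copying it into place, and from cron afterwards to catch a coming expiry.
# Usage: check_wildcard_cert /path/to/cert.pem /path/to/key.pem [MIN_DAYS]
# Exit codes (assumed convention): 0 ok, 1 no wildcard SAN, 2 key does not
# match cert, 3 expires within MIN_DAYS, 4 file missing or unparseable.

pubkey_digest() {
    # Normalise a PEM public key on stdin to DER and hash it.
    openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256
}

check_wildcard_cert() {
    cert=$1
    key=$2
    min_days=${3:-30}

    # Both files must exist and parse.
    openssl x509 -in "$cert" -noout 2>/dev/null || return 4
    openssl pkey -in "$key" -noout 2>/dev/null || return 4

    # The cert must carry at least one wildcard DNS name in its SAN list.
    openssl x509 -in "$cert" -noout -text | grep -q 'DNS:\*\.' || return 1

    # The private key must belong to this cert: compare public key digests.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | pubkey_digest)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | pubkey_digest)
    [ "$cert_pub" = "$key_pub" ] || return 2

    # -checkend exits non-zero if the cert expires within the given seconds.
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) \
        >/dev/null || return 3

    return 0
}
```

Run from cron with the installed cert and key, a non-zero exit is the signal to alert or to hold off reloading nginx and FreeSWITCH.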
 