LetsEncrypt / TLS Info in Docs still current?

tyryko

New Member
Jul 12, 2017
I have used a wildcard cert previously with my servers and am now wanting to go back to individual to help combat TLS issues with certain devices not liking wildcards.

I haven't upgraded to 5.4 yet but will shortly, currently on 5.3

First easy question, is the https://docs.fusionpbx.com/en/latest/getting_started/lets_encrypt.html page still current to setup multiple domains up with Fusion and lets encrypt?

Do we still need to manually add the conf for every new domain added to the server, or does the letsencrypt.sh take care of that?
This is kind of unclear, as the bullet points at the top of the page imply that the Nginx config is taken care of.

If I currently have my domain set up as *.mydomain.tld and it is the only one I renew, is there anything special that I need to do when moving to individual certs?

Here's what it seems would work:
-Run letsencrypt.sh and first just enter in my servers main host name ex. host.mydomain.tld
-Make sure it updated the path in nginx conf to the new cert path
-Then jump to here in the doc for multiple domains
-Then follow the process under "Follow the steps below every time you add a new domain" for each of the domains currently on the server -- although looking currently, some of the files mentioned in the commands don't exist -- it's possible that is because I have not run the commands; I just want to make sure I'm not doing some old commands that are no longer relevant.

For example renew-letsencrypt.sh doesn't exist in /etc/fusionpbx, and in this section: [attached screenshot of the doc section]
What is it trying to say? example.com isn't here.... will I be prompted? Is this editing a file? Is it referring to something else when it says "obtain the cert from let's encrypt again"?

Thanks y'all
 

markjcrane

Active Member
Staff member
Jul 22, 2018
Someone helped with documentation and he added the part that makes this sound more complicated than it has to be. What is described is a more advanced setup when you have multiple different parent domains.

FusionPBX 5.3 is the current release. 5.4 is the master branch future release version.

Do we still need to manually add the conf for every new domain added to the server, or does the letsencrypt.sh take care of that?
This is kind of unclear, as the bullet points at the top of the page imply that the Nginx config is taken care of.
This has never been required for most people. You can add as many domains with the same root domain as you want with the default nginx config.

So for example using the fusionpbx.com domain you could have
  • blue.fusionpbx.com
  • green.fusionpbx.com
  • purple.fusionpbx.com
  • anything.fusionpbx.com
The default web server config doesn't care what the domain is, just that it's pointed to the server. If the SSL certificate is a wildcard, or if it integrates all of these domains, then it would allow one SSL certificate that would be applied to the default nginx fusionpbx config.

Where you would need additional nginx web server configs as described in that link is when you use different root domains.

  • blue.fusionpbx.com
  • roadrunner.acme.com
  • example.domain.com

These are all different, so you would need a separate SSL record for each one. Since you would need multiple SSL records, now you need multiple nginx configurations, one for each domain.

markjcrane

Active Member
Staff member
Jul 22, 2018
FusionPBX Documentation is being updated. We are putting in more work to update FusionPBX documentation.

Latest major improvements to the documentation.
  • Updated screenshots showing the latest version of FusionPBX
  • Currently migrating documentation from RST format to MD (markdown format)
    • FusionPBX support tickets system uses Markdown format
    • FusionPBX team is more familiar with Markdown format than RST format
  • FusionPBX documentation will continue to be updated and improved. Currently it's the size of a small book
  • Improve FusionPBX Upgrade Instructions
Thanks for bringing this to our attention. We will re-word the section about multiple NGINX configs to indicate that it is for multiple different root domains and is a more advanced configuration. Something compatible with one wildcard SSL wouldn't need the multiple NGINX configs.
 

tyryko

New Member
Jul 12, 2017
Thanks Mark,
I use the same root domain for accounts, so that's good to know. So what's the procedure / any gotchas for using multiple certs now that I have used a wildcard (current cert in use)?

Do I have to remove the certs from dehydrated/certs first, edit domains.txt to include all my account domains on their own line (client1.mydomain.tld, client2.mydomain.tld, etc) then run the letsencrypt.sh and it should update things?

Does that create a cert for each domain or just add alt names to the same root cert? If so does that usually work better for TLS compared to wildcards?

I've got a maintenance window tonight that I'm hoping to take advantage of!
Thanks again
 

markjcrane

Active Member
Staff member
Jul 22, 2018
When you define the domains with the letsencrypt script, just put a space between each domain name. Letsencrypt seems to allow more domains today than they did in the past; the limit is maybe 100 subdomains. The certificates are combined into one cert.
 
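An added example (Python; not code from the thread or from FusionPBX) that models the domains.txt layout Mark describes, where each space-separated line becomes one certificate with the first name as CN and the rest as SANs, and also covers his earlier point that names under different root domains need separate nginx configs. The sample domains.txt, the hostname-matching helper and the root-domain heuristic are assumptions.

```python
"""Added example: model dehydrated-style domains.txt lines as certificates,
check which hostnames a SAN or wildcard cert covers, and count root domains."""
from __future__ import annotations

# Constructed sample domains.txt: line 1 is a SAN cert, line 2 a wildcard cert.
DOMAINS_TXT = """\
host.mydomain.tld client1.mydomain.tld client2.mydomain.tld
*.example.org example.org
"""


def parse_domains_txt(text: str) -> list[dict]:
    """One dict per non-empty line: CN is the first name, SANs are the rest."""
    certs = []
    for line in text.splitlines():
        names = line.split()  # names on one line are separated by spaces
        if not names or names[0].startswith("#"):
            continue
        certs.append({"cn": names[0], "sans": names[1:], "names": names})
    return certs


def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style: '*' replaces only the single leftmost label, so
    *.example.org covers a.example.org but not a.b.example.org or example.org."""
    pattern, host = pattern.lower(), host.lower()
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_covers(cert: dict, host: str) -> bool:
    """True if host matches the CN or any SAN. A client that compares only
    the CN (as the phones in the thread appear to) would still reject a
    hostname that is present only as a SAN."""
    return any(name_matches(n, host) for n in cert["names"])


def root_domains(cert: dict) -> set[str]:
    """Distinct parent domains on one cert (assumed heuristic: last two
    labels). More than one means separate nginx server blocks are needed."""
    return {".".join(n.lstrip("*.").split(".")[-2:]) for n in cert["names"]}


if __name__ == "__main__":
    for cert in parse_domains_txt(DOMAINS_TXT):
        print(cert["cn"], "SANs:", cert["sans"], "roots:", root_domains(cert))
```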

tyryko

New Member
Jul 12, 2017
After trying a few things tonight I ran into some snags.

1 - If I created the cert with domain1 domain2 domain3, it created 1 cert with the common name as the first domain listed (my host/main domain) and the others as alt names. I kinda figured this would be the case, but I have two gripes with that, but was maybe going to look past them if it worked properly.

2 - If anyone views cert details you see all the other altnames/subdomains on the cert for other clients. Also I'm not sure that Polycom and other devices like that for TLS communication for registrations -- on a Poly VVX 411 and VVX 450 it would say CN doesn't match, but would still "register" at first.

Anyway, after some testing with that cert with the alt names added, I could get extensions to register on TLS but they would very shortly after not respond, where it wouldn't send a dialed extension etc. and kind of just flop back and forth between registered and not.

I eventually tried rerunning the letsencrypt script with just one domain, temporarily modified the nginx config kind of like the docs and again it would register, but eventually seemed to be more and more time between registering.

I must be missing something.... When it was "Registered" I could see it in fusion registrations, and when attempting to make a call it wouldn't complete it nor would I see it in freeswitch.

Just adding that TCP and UDP registrations still work fine and as expected I also tried lowering the keepalive times with no change.
 

markjcrane

Active Member
Staff member
Jul 22, 2018
Yes, a major downside of adding all domains manually to the SSL certificate is that they are all visible in the certificate. For this reason, a wildcard SSL is a better option as long as the firmware the phones use can support it.

With Polycom I've had best luck with TCP. As far as NAT busting goes Polycom VVX comes up short on features in this area.
 

tyryko

New Member
Jul 12, 2017
TCP and UDP both work flawlessly but I'd like to get the connection encrypted and TLS would be the easiest method... I just don't know if this issue is the phone, the cert, freeswitch, my config or a combination. Any thoughts?