multi tenant SSL

Status
Not open for further replies.

s2svoip

Member
Dec 9, 2019
Hi everyone, first post, be kind

been playing with fusion for a few days and love what I see so far. I have SSL working on my first tenant in fusion, I went to follow the steps in

https://docs.fusionpbx.com/en/latest/getting_started/lets_encrypt.html

to set up a second SSL for another tenant, but ran into a few little issues

for example, I got to the step near the end:

cd /opt/letsencrypt
./letsencrypt-auto --config /etc/letsencrypt/configs/example.com.conf certonly

and my /opt/ dir is empty, there is no letsencrypt folder in there, let alone a letsencrypt-auto file to run. I must be missing something - everything else on the server works just fine and no issues with the install, so it seems odd - any ideas?
 

Scuzz

New Member
Feb 7, 2019
As far as I know a wildcard cert will not auto-renew with dehydrated; you will have to manually add the _acme-challenge TXT record to your DNS after 3 months to renew. I've been using acme.sh with the GoDaddy API to automate the creation and deletion of the _acme-challenge TXT records needed for wildcard certs.
 

Msquared

New Member
Dec 5, 2019
Hi everyone, first post, be kind

been playing with fusion for a few days and love what I see so far. I have SSL working on my first tenant in fusion, I went to follow the steps in

https://docs.fusionpbx.com/en/latest/getting_started/lets_encrypt.html

to set up a second SSL for another tenant, but ran into a few little issues

for example, I got to the step near the end:

cd /opt/letsencrypt
./letsencrypt-auto --config /etc/letsencrypt/configs/example.com.conf certonly

and my /opt/ dir is empty, there is no letsencrypt folder in there, let alone a letsencrypt-auto file to run. I must be missing something - everything else on the server works just fine and no issues with the install, so it seems odd - any ideas?

I ran into this same issue when following the FusionPBX Docs.

What worked for me was to follow the first half of the documentation to create a single SSL Cert for my primary domain (domain.com), confirm you receive the output:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Restart Nginx and confirm https://domain.com is working.

Then I repeated the steps for a wildcard cert (*.domain.com). Confirm the output:

**done**
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Restart Nginx and confirm https://anything.domain.com is working.

The script outlined in the docs does use Dehydrated.

I'm no expert, nor am I a 100% sure this is the correct way to do this, but it worked for me.
 

ad5ou

Active Member
Jun 12, 2018
Wildcard is the easiest way if you have the ability to use a script for your particular DNS provider.

An alternative way is to add each domain or sub-domain to the certificate. When running the dehydrated/letsencrypt script, just add each domain name to the command:
letsencrypt.sh Pbx.domain.com customer.domain.com customer2.domain.com etc etc
 

s2svoip

Member
Dec 9, 2019
I just went with a wildcard cert, but I did not realize it does not auto-renew. I will have to look into that, or just put a reminder in every 3 months.
 

Adrian Fretwell

Well-Known Member
Aug 13, 2017
I just went with a wildcard cert, but I did not realize it does not auto-renew. I will have to look into that, or just put a reminder in every 3 months.
We automatically renew wildcard certificates. We manage our own DNS servers so that does make things a little easier. But basically we run Dehydrated from a cron job:

Code:
root@dnsp1:~# crontab -l
# min hour dayofmonth month dayofweek cmd
30 2 * * 1 cd /opt/dehydrated; ./dehydrated -c > /dev/null 2>&1

Then have a shell script specified as a hook in /etc/dehydrated/config:

Code:
CHALLENGETYPE="dns-01"
BASEDIR=/etc/dehydrated/live
HOOK=/usr/local/bin/dnsupdacmechallenge.sh

The hook file contains several shell functions that are called by Dehydrated during the certificate renewal process. There is an example hook file here: https://github.com/lukas2511/dehydrated/blob/master/docs/examples/hook.sh

You can pretty much get the hook script to do anything that you would do at the command line, so if you can manage your DNS with ssh/sftp etc. then you can create a hook script to correctly deploy a verification challenge to your DNS zone file.
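As an added illustration of the hook approach described above (this is example code, not Adrian's dnsupdacmechallenge.sh, whose contents are not in the thread), here is a minimal dns-01 hook that edits a BIND-style zone file directly. The zone file path, the reload command and the record layout are assumptions for your own setup.

```shell
#!/bin/sh
# Added example hook for dehydrated's dns-01 challenge (constructed, not the poster's script).
# It publishes the challenge TXT record in a BIND-style zone file and removes it afterwards.
# ZONE_FILE and RELOAD_CMD are assumptions; override them for your server.
set -eu

ZONE_FILE="${ZONE_FILE:-/etc/bind/db.example.com}"
RELOAD_CMD="${RELOAD_CMD:-rndc reload}"

# dehydrated passes the bare name; for "*.domain.com" the challenge still lives at
# _acme-challenge.domain.com, so strip a leading "*." defensively.
challenge_name() {
    printf '_acme-challenge.%s.' "${1#\*.}"
}

# Zone-file line for one challenge: short TTL so the validator sees fresh data.
challenge_record() {
    printf '%s 60 IN TXT "%s"\n' "$(challenge_name "$1")" "$2"
}

# deploy_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE [DOMAIN TOKEN_FILENAME TOKEN_VALUE ...]
# TOKEN_VALUE is the digest dehydrated wants published; TOKEN_FILENAME is only for http-01.
deploy_challenge() {
    while [ "$#" -ge 3 ]; do
        challenge_record "$1" "$3" >> "$ZONE_FILE"
        shift 3
    done
    # A real zone also needs its SOA serial bumped so secondaries pick up the change.
    $RELOAD_CMD
}

# clean_challenge takes the same arguments; delete exactly the records we added.
clean_challenge() {
    while [ "$#" -ge 3 ]; do
        record=$(challenge_record "$1" "$3")
        grep -vxF -- "$record" "$ZONE_FILE" > "$ZONE_FILE.tmp" || true
        mv "$ZONE_FILE.tmp" "$ZONE_FILE"
        shift 3
    done
    $RELOAD_CMD
}

# dehydrated calls: hook.sh <operation> <args...>; other operations are ignored here.
if [ "$#" -gt 0 ]; then
    case "$1" in
        deploy_challenge|clean_challenge) "$@" ;;
        *) : ;;
    esac
fi
```

Point HOOK in /etc/dehydrated/config at this file and the cron job from the post will publish and clean the TXT record on each renewal without manual DNS edits.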
 