We’ve got some revolutionary VoIP projects coming your way over the next several weeks, but I’m sorry to say the hardest part of them is getting your server configured to use secure and encrypted web communications via HTTPS. This is quickly becoming a universal requirement of most of the major technology players. So what might not be the most glamorous VoIP topic for a Monday morning is not only necessary but long overdue. The good news is that obtaining, installing, configuring, and maintaining an SSL certificate for your VoIP server is not the royal pain that it once was. And, by this time next week, you’ll be glad you went through the exercise. Thankfully, the EFF’s Certbot project is available to assist in installing free certificates from Let’s Encrypt.
Before we begin, here’s a word to the wise. You will save yourself a thousand headaches by deploying your Incredible PBX server in the cloud where you get a dedicated IP address and can easily assign a fully-qualified domain name (FQDN) to your server. Options now are available for as little as $1.50 to $3.50/month including Vultr which provides an incredibly reliable platform in many cities for as little as $2.50 a month. And another 50¢ buys you weekly image backups without lifting a finger. They can be restored with one click! If reliability and redundancy matter, you can’t beat Vultr’s price or the feature set, and we have tutorials to get you started with either Wazo or Issabel. If cost is your sole criteria, you can’t beat WootHosting at $1.50 a month. You’ll find a tutorial here. If performance is critical, you can’t beat OVH at $3.50/month with a Wazo tutorial here and an Issabel tutorial here. Finally, if you’re technically challenged, our corporate sponsor, RentPBX, will do all of the cloud migration for you and provide a turnkey, high performance VoIP platform for just $15/month. So what are you waiting for? Now’s the time. No excuses! It’s not going to get any cheaper or more reliable. And next week you’ll be thanking us. For these reasons, we’re saying goodbye our home-based servers sitting behind NAT-based firewalls. With the projects coming down the pike, the mountain is just too steep to continue that trek unless you have the technical expertise to pull it off yourself.
Obtaining and Installing an SSL Certificate
For CentOS 6 running Incredible PBX 13 or CentOS 7 running Incredible PBX for Issabel 4, begin by making certain that you can access your site using its FQDN with HTTP, e.g. http://myserver.mydomain.org. Get that working first. Next, log into your server as root using SSH/Putty and issue the following commands:
yum -y install python-devel python-pip python-setuptools python-virtualenv --enablerepo=epel yum -y install centos-release-scl yum -y install python27 scl enable python27 bash pip -V # should show python 2.7 pip install --upgrade pip pip install requests registry urllib3 pyOpenSSL --force --upgrade pip install certbot-apache --force --upgrade cd /root wget https://dl.eff.org/certbot-auto chmod a+x certbot-auto service iptables stop ./certbot-auto --authenticator webroot --installer apache -w /var/www/html -d FQDN.here iptables-restart service httpd restart exit
During the automated setup, you can decide whether to force all web traffic to the secure site. We recommend it. Once the install finishes, test access to your server by going to your FQDN using HTTPS. Don’t continue with the setup until you get HTTPS working and your browser shows you have a SECURE site! Remember that you must renew your free certificate every 90 days by using the following /root/certbot-update script:
#!/bin/bash echo "Before you begin, type: scl enable python27 bash" echo "Then rerun this update script and press ENTER." read -p "If you already have done so, press Enter. Otherwise, Ctrl-C now" service iptables stop ./certbot-auto --authenticator webroot --installer apache -w /var/www/html -d FQDN.here iptables-restart echo "Type exit when this script completes." exit
For Debian 8 running Incredible PBX for Wazo, things are a bit more complicated because Wazo forces HTTPS access even though you do not yet have a certificate for your FQDN. Because of its NGINX web server platform, with Wazo you’ll have to manually install and configure certificates with certbot and LetsEncrypt. The silver lining with Wazo is HTTPS access gets you a WebRTC phone with a couple button clicks. Go to this link, click on the Config wheel (bottom right), click on the Pencil icon and plug in the FQDN of your server. Click SAVE. Enter your login name as 701 and the password assigned to the extension which you can obtain by running: /root/show-701-pw. That’s probably the quickest phone setup you’ll ever find. But we’re getting ahead of ourselves…
1. Let’s get certbot installed. Login to your server as root using SSH or Putty and issue the following commands:
cd /etc/apt echo "deb http://ftp.debian.org/debian jessie-backports main" >> sources.list apt-get update apt-get install certbot -t jessie-backports
2. Temporarily, turn off HTTPS since the certificate install requires HTTP access. In /etc/nginx/sites-enabled/xivo, comment out these 3 lines and save the updated file:
In server section for port 80: # include /etc/nginx/locations/http-enabled/*; In server section for port 443: # listen 443 default_server; # server_name $domain;
Then restart the web server: /etc/init.d/nginx restart. Now you have a basic http web server. If you want to verify that it’s working, use a browser and go to http://YOUR-FQDN/asteridex4/index.php. It should download the file to your desktop which isn’t desirable, but this is only temporary.
3. In /var/www/html, issue the following commands:
cd /var/www/html mkdir .well-known cd .well-known mkdir acme-challenge cd acme-challenge chown -R asterisk:www-data /var/www/html/.well-known
Leave this SSH/Putty session running temporarily and open a second SSH/Putty connection to your server logging in as root.
4. Disable your firewall temporarily: /etc/init.d/netfilter-persistent flush
5. Start the certbot installation script: certbot certonly –manual
6. You’ll be prompted for the FQDN of your server to generate the certificates. Then you’ll be given an oddball name AND an expected oddball response. With these two entries in hand, temporarily switch back to your other SSH session and issue these commands while positioned in /var/www/html/.well-known/acme-challenge:
mkdir ODDBALL-NAME cd ODDBALL-NAME echo "ODDBALL-RESPONSE > index.html" chown -R asterisk:www-data /var/www/html/.well-known
7. Use a browser to (quickly) go to http://YOUR-FQDN/.well-known/acme-challenge/ODDBALL-NAME/ and be sure your web server displays the expected ODDBALL-RESPONSE. You’ve got to get this working before you continue with the certbot install or it will fail. You only have a few minutes to do this before certbot will change the ODDBALL-NAME and ODDBALL-RESPONSE credentials. 3 consecutive failures and you have to wait an hour to try again. Guess how we know?
8. Once you get the expected response, switch back to your SSH session running the certbot installer and press ENTER to continue with the certificate install. When it completes, you’ll get a congratulatory note and a reminder that, in less than 90 days, you’ll need to run certbot renew to update your certificate.
9. Install the new certificates in NGINX and put things back together again:
cd /etc/nginx/sites-enabled nano -w xivo
10. Begin by removing the 3 # signs that we inserted to get HTTP working in step #2.
11. Near the bottom of the file, comment out these existing certificate lines:
# ssl_certificate /usr/share/xivo-certs/server.crt; # ssl_certificate_key /usr/share/xivo-certs/server.key; # ssl_ciphers ALL:!aNULL:!eNULL:!LOW:!EXP:!RC4:!3DES:!SEED:+HIGH:+MEDIUM;
12. Add the following new lines just below the lines you commented out. Be sure to replace YOUR.FQDN in each line with the actual FQDN of your server:
ssl_certificate /etc/letsencrypt/live/YOUR.FQDN/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/YOUR.FQDN/privkey.pem; ssl_ciphers HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA;
13. Save the file and then restart your firewall and NGINX:
iptables-restart /etc/init.d/nginx restart
14. Edit /etc/apt/sources.list and comment out the jessie-backports line from step #1.
15. Reload your aptitude sources: apt-get update
16. Remember that you must renew your free certificate every 90 days by issuing this command: certbot renew --quiet
.
Better yet, issue the following command to set up a cron job to auto-renew your certificate every week:
echo "5 3 * * 0 root /usr/bin/certbot renew --quiet > /dev/null 2>&1" >> /etc/crontab
17. Test things out with a web browser by visiting your FQDN. Your browser should now show the site as SECURE.
18. Now try out that new WebRTC phone.
Published: Monday, September 25, 2017
Need help with Asterisk? Visit the PBX in a Flash Forum.
Special Thanks to Our Generous Sponsors
FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.
BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.
The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.
VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
Some Recent Nerd Vittles Articles of Interest…
The folks from Let’s Encrypt recommend running the "certbot renew" daily, or even twice a day. It will check your existing certificate, and only process the renewal if the cert is valid for less than 30 days. If a renewal attempt fails, it will try again the next day.