
vicibox-ssl in a cluster

Posted: Wed Jun 08, 2022 2:25 pm
by xoy74
I am setting up a Vicibox cluster with separate DB, Web server and telephony servers.
I've used vicibox-ssl previously in a vicibox-express environment, but when it comes to the cluster I am not clear where I need to run it. I would assume it's on the web server, but how do the asterisk servers get their certificates?
Many thanks in advance for any pointers.

Re: vicibox-ssl in a cluster

Posted: Wed Jun 08, 2022 3:22 pm
by williamconley
1) Welcome to the Party! 8-)

2) As you are obviously new here, I have some suggestions to help us all help you:

When you post, please post your entire configuration including (but not limited to) your installation method (7.X.X?) and vicidial version with build (VERSION: 2.X-XXXx ... BUILD: #####-####).

This IS a requirement for posting along with reading the stickies (at the top of each forum) and the manager's manual (available on EFLO.net, both free and paid versions).

You should also post: Asterisk version, telephony hardware (model number is helpful here), cluster information if you have one, and whether any other software is installed in the box. If your installation method is "manual/from scratch" you must post your operating system with version (and the .iso version from which you installed your original operating system) plus a link to the installation instructions you used. If your installation is "Hosted" list the site name of the host.

If this is a "Cloud" or "Virtual" server, please note the technology involved along with the version of that technology (i.e.: VMware Server Version 2.0.2). If it is not, merely stating the Motherboard model # and CPU would be helpful.

Similar to This:

Vicibox X.X from .iso | Vicidial X.X.X-XXX Build XXXXXX-XXXX | Asterisk X.X.X | Single Server | No Digium/Sangoma Hardware | No Extra Software After Installation | Intel DG35EC | Core2Quad Q6600

3) Each server should be running Web. Apache is the easiest automated method to acquire ssl, and unless you want to jump through some hoops, having apache on each server so each server can renew (and acquire) its own cert is the simplest method available.

4) We have our own "SSL Server" which manages the SSL certificates on many servers. Some don't have web at all (such as email servers), some are too old for the SSL auto-update software to run, so they reach out to our SSL Server for renewals. But that's not for the fainthearted. This also allows us to update ONE server whenever the certificate software requires upgrading, instead of hundreds.

5) However: If you're NOT running web services on the server ... do you NEED an SSL certificate? WebRTC is still Web (apache) based. Aside from WebRTC and Apache for the admin/agent web interfaces, what would you require ssl certification for?

Re: vicibox-ssl in a cluster

Posted: Thu Jun 09, 2022 7:57 pm
by xoy74
Thanks very much for the reply William.
The servers are all new installs, from the ViciBox_v10.x86_64-10.0.0 ISO. One database, one Web, one Asterisk (there will be more Asterisk servers, but for the time being just the one).
Unfortunately I didn't find much about the topic in the Manager manual (I have purchased the paid version).
My understanding is that the vicibox-ssl script is a new addition to ViciBox 10. I've used it on a test server that had everything in one box, but from what I can tell it needs to change the configuration of the Apache web server (obviously) as well as the Asterisk configuration in order to use the WebRTC ViciPhone. That's where my confusion comes from: how to get all of those synced up.

Re: vicibox-ssl in a cluster

Posted: Mon Jun 13, 2022 12:12 pm
by williamconley
The certbot (and certbot auto) packages are not part of Vicidial, although Vicibox may pre-install one of the available versions. Practice with it in your virtual installed machine. The software will run directly on each machine, and may make it into a manual some day ... but the certbot system is under constant attack and changes happen often. Old systems are not supported for long. So putting anything about LetsEncrypt in a manual could backfire quickly.

Certbot is a very powerful little package and CAN reconfigure apache automatically for you, when used as directed.

Re: vicibox-ssl in a cluster

Posted: Tue Jun 14, 2022 9:27 am
by xoy74
That's why I mentioned I used ViciBox 10 and vicibox-ssl. The vicibox-ssl script does come preinstalled on ViciBox 10 as a replacement for certbot.

Re: vicibox-ssl in a cluster

Posted: Tue Jun 14, 2022 12:26 pm
by williamconley
xoy74 wrote: That's why I mentioned I used ViciBox 10 and vicibox-ssl. The vicibox-ssl script does come preinstalled on ViciBox 10 as a replacement for certbot.

We don't use it. But I'm willing to bet that if you look under the hood, you'll find that vicibox-ssl-script is a manager for certbot. In the end, knowing how to use certbot makes life much simpler. It's not really a challenging tool, but it requires a web service for automation. Don't get me wrong, in theory DNS confirmation could probably be automated, but web service is the reason most facilities use certbot in the first place, so web services are used in automating validation.
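
An added example, not part of any post in this thread and not ViciBox or certbot code: a per-node check that the certificate Apache serves and the one Asterisk's built-in HTTPS/WSS listener (`http.conf`) is configured with are the same files, which is the "synced up" state asked about above. The hostname, file contents and paths are constructed, and the expectation that both services reference identical paths is an assumption about how the node is set up.

```python
import re

# Constructed sample configs; hostname and paths are assumptions (certbot layout).
APACHE_VHOST = """\
<VirtualHost *:443>
    ServerName dialer1.example.com
    SSLCertificateFile /etc/letsencrypt/live/dialer1.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/dialer1.example.com/privkey.pem
</VirtualHost>
"""
ASTERISK_HTTP = """\
[general]
tlsenable=yes
tlsbindaddr=0.0.0.0:8089
tlscertfile=/etc/asterisk/keys/old-selfsigned.pem ; stale path
tlsprivatekey=/etc/letsencrypt/live/dialer1.example.com/privkey.pem
"""

def apache_tls(text):
    """Return {directive: path} for Apache's certificate directives."""
    pat = re.compile(r"^\s*(SSLCertificateFile|SSLCertificateKeyFile)\s+(\S+)", re.M)
    return dict(pat.findall(text))

def asterisk_tls(text):
    """Return {key: value} from http.conf, dropping ';' comments."""
    out = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            out[key.lower()] = value
    return out

def audit(apache_text, asterisk_text):
    """List the ways Asterisk's TLS settings diverge from Apache's."""
    web, pbx = apache_tls(apache_text), asterisk_tls(asterisk_text)
    findings = []
    if pbx.get("tlsenable", "no").lower() != "yes":
        findings.append("tlsenable is not yes: the HTTPS/WSS listener is off")
    pairs = [("tlscertfile", "SSLCertificateFile"),
             ("tlsprivatekey", "SSLCertificateKeyFile")]
    for ast_key, apache_key in pairs:
        if pbx.get(ast_key) != web.get(apache_key):
            findings.append(f"{ast_key}={pbx.get(ast_key)} differs from "
                            f"Apache {apache_key}={web.get(apache_key)}")
    return findings

if __name__ == "__main__":
    print(*audit(APACHE_VHOST, ASTERISK_HTTP), sep="\n")
```

Run against the real files on each telephony server after a renewal; an empty result means Asterisk is pointed at the same certificate and key that Apache serves.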