
SSL certificate couldn’t be generated

Posted: Thu Jul 11, 2024 7:08 am
by d001
Hello,

I hope this message finds you well! I am currently working on configuring a Vicidial server for making calls in my country.
I have configured the server for inbound and outbound calls, and everything works fine so far. However, I have encountered several
problems creating an SSL certificate because I want to configure ViciPhone on my server.

I created a subdomain (DNS record) for my server on ScalaHosting, but when I try to generate the certificate, it isn't possible.

Here is the path I followed:

- Edit Yast LAN manually

Step 1: Set the server IP address and domain with nano /etc/hosts
Step 2: Set the domain with nano /etc/hostname

- Edit Apache configuration

Step 1: Update 0000-default.conf and set the subdomain at ServerName with nano /etc/apache2/vhosts.d/0000-default.conf
Step 2: Set the subdomain at ServerName with nano /etc/apache2/vhosts.d/0000-default-ssl.conf
Step 3: service apache2 reload
Step 4: apachectl configtest
Output: Syntax OK

- Install SSL certificate

Step 1: vicibox-ssl
The ViciBox free SSL setup script provides the following instructions:
Please make sure you have a Fully Qualified Domain Name pointed at this server.
For example, if the FQDN of this server was 'vicibox.vicidial.com' and was
properly directed at this server, you should be able to log into Vicidial at
http://vicibox.vicidial.com

What is your email address: xxx@xxxxxxx.com
What is your Fully Qualified Domain Name (FQDN): xx.xxxxxxx.com
The Server IP (192.xxx.x.xxx) and the detected remote IP (xx.xx.xx.13)
do not match! This will cause the SSL certificate challenge to fail
authentication. Please double-check that your FQDN matches your IP.

Do you want to continue with the SSL setup? (N/y): y

E-Mail: xxx@xxxxxxx.com
FQDN: xx.xxxxxxx.com

Do you want to generate an SSL certificate now? (N/y): y
Using CA: https://acme-v02.api.letsencrypt.org/directory
Creating domain key
The domain key is here: /root/.acme.sh/xx.xxxxxxx.com_ecc/xx.xxxxxxx.com.key
Single domain='xx.xxxxxxx.com'
Getting webroot for domain='xx.xxxxxxx.com'
Verifying: xx.xxxxxxx.com
Pending, The CA is processing your order, please just wait. (1/30)
Invalid status, xx.xxxxxxx.com: Verify error detail: no valid A records found for xx.xxxxxxx.com; no valid AAAA records found for xx.xxxxxxx.com
Please add '--debug' or '--log' to check more details.
See: https://github.com/acmesh-official/acme ... ug-acme.sh
Doing fixup for acme.sh _ecc weirdness!
mv: cannot move '/root/.acme.sh//xx.xxxxxxx.com_ecc' to '/root/.acme.sh//xx.xxxxxxx.com/xx.xxxxxxx.com_ecc': Directory not empty

acme.sh was unable to verify your FQDN reaches this server and was unable
to generate a valid SSL certificate. Please check your firewall settings,
DNS entries, and Apache for any possible issues. You can re-run this script
to test if the issue is resolved.

Then it blocked my URL and the server IP, which means I can't access the server through the browser.
The only way to access it was to add something after .conf in those files: 0000-default-ssl.conf and 0000-default.conf.

As I have Googled it, I think the problem comes from the DNS. The IP address in my A record is for a private IP address,
but I don't understand how to fix it. I'm new here.
I would be thankful for any help.

ViciBox v.11.0.1
VERSION: 2.14-706c
BUILD: 240429-2237
Asterisk 16.30.0-vici

Re: SSL certificate couldn’t be generated

Posted: Fri Jul 12, 2024 3:09 pm
by williamconley
Thank you for posting both your Vicibox installer full version AND your Vicidial version with build!

The error message states that ACME could not find your IP address from the provided domain name.

If ACME looks up xx.xxxxxxx.com and does not get your IP address, they cannot and will not issue a security certificate to you.

ACME must (a) be able to get an IP address and (b) go to that IP address (which should be the IP address of your server) and retrieve a document set up by the ".sh" script running on the server. If you do not own the domain, of course you cannot make this happen. Thus, they assume you do not own the domain and fail the request.

This means that the domain must be pointed to your server and ACME must have access to that IP and get the required response. The .sh script running will have reached out to request that this process start, and it will get a response that includes the HTML document that your server MUST provide upon demand directly to the ACME servers. Without access directly to the server, that document will never be provided.

Now: Since the A record is a private network, this will NEVER work. An SSL certificate from ACME must always be issued to a public IP address. We have workarounds for this, but ALL of those include (at some point) a public IP address with the domain in question pointed to that public IP address.

Best method is to open port 80 through your firewall directly to the Vicidial server. You can certainly close that port upon completion of the setup! You'll also need to (temporarily) point the domain name to the public IP outside your firewall.

Remember that once issued, it's good for 90 days. You can change the IP to your public IP at that point. The SSL certificate is valid for the server. It is NOT linked to the IP address. Also don't give it to anyone, lol.

Re: SSL certificate couldn’t be generated

Posted: Mon Jul 15, 2024 2:56 am
by d001
Hello Williamconley,

Sorry for the late response, but I haven't checked my account because I thought I wouldn't get any response.

First, thank you so much for your time, I appreciate it. Second, I changed the IP of my subdomain to my remote public IP and created a port forward (NAT) in my MikroTik router to forward requests on port 80 to my server IP. However, when I search my subdomain in the browser 'xx.xxxxxxx.com,' it loads as http://xx.xxxxxxx.com/vicidial/welcome.php, takes a long time to load, and then displays "The connection has timed out." Maybe this isn't the right solution, but I haven't tried your solution yet. I'll text you after I try it. Thanks a lot.

Re: SSL certificate couldn’t be generated

Posted: Thu Jul 18, 2024 4:57 am
by d001
Hello again!

The problem is resolved.
First, I changed the IP of the subdomain from private to public, then opened port 80:

sudo firewall-cmd --permanent --add-port=80/tcp
sudo firewall-cmd --reload
sudo firewall-cmd --list-all


In the file 0000-default-ssl.conf, add:
ServerAlias www.xxx@xxxxxxx.com


Use the following commands to check the DNS records:
nslookup xxx@xxxxxxx.com
dig xxx@xxxxxxx.com


Check the status of Apache, stop it, and create a certificate:
vicibox11:~ # sudo systemctl status apache2.service
vicibox11:~ # sudo systemctl stop apache2

vicibox11:~ # sudo certbot certonly --standalone -d xxx@xxxxxxx.com
vicibox11:~ # sudo nano /etc/apache2/vhosts.d/0000-default-ssl.conf

Restart Apache:
vicibox11:~ # sudo systemctl restart apache2


If the certificate lines are not generated automatically in 0000-default-ssl.conf, add them manually.
Replace xxx@xxxxxxx.com with your domain:
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/xxx@xxxxxxx.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/xxx@xxxxxxx.com/privkey.pem


Remember to install Certbot first.
After the certificate is generated, use these commands to see if the server is reachable:
This will show HTTP/1.1 200 OK.
curl -I http://xxx@xxxxxxx.com


This command will show you the HTML script of the Vicidial welcome page.
curl http://xxx@xxxxxxx.com/vicidial/welcome.php


Test the Apache configuration:
vicibox11:~ # sudo apachectl configtest
Syntax OK

After the certificate is created, change the public IP (my remote IP) in the subdomain to the private IP (server IP).
It may take 8-24 hours for the DNS propagation to complete.

Now it works for me!

Re: SSL certificate couldn’t be generated

Posted: Thu Jul 18, 2024 11:39 am
by williamconley
d001 wrote: Hello again!

The problem is resolved.
First, I change the IP of the subdomain from private to public, then open port 80:

...

Now it works for me!


Brilliant Postback. 8-)