The new Vicibox 8.1 Certbot
Posted: Mon Sep 24, 2018 9:15 am
Certbot SSL setup - /usr/local/bin/vicidial-certbot
- You need a FULLY QUALIFIED DOMAIN NAME (FQDN), i.e. vicibox.somedomain.com
- SSL only works with internet IPs in general
- LetsEncrypt SSL certs expire after 90 days, but will set a crontab entry for you
- Updates apache and asterisk for you
- Attempts to do some basic network checks, but it's not super strict
- If you don't have a static IP, you will need to update the DNS for your FQDN when it changes, otherwise this will just break
- Not the most foolproof script, but it works
Long story short you need to be able to go to http://vicibox.somedomain.com from your couch at home and be able to log into the ViciBox web interface across the internet before certbot will even begin to work. Once the web interface is up and the FQDN is correct, certbot will work just fine.
I ran:
cd /usr/local/bin
./vicibox-certbot
First thing I noticed is that certbot can't provide a cert because I had closed off the allowed services http and https in YaST. We also had this problem on our servers before and created a special script for it that opens and closes the firewall ports when issuing a new certificate and renewing. Does Vicibox 8.1 have something similar?
After I opened those ports I successfully installed a certificate and allowed the script to configure all the needed parts. But when I visit the URL with https:// I get this error: NET::ERR_CERT_COMMON_NAME_INVALID
This is what I see in the apache error log:
[Mon Sep 24 16:02:37.387192 2018] [ssl:warn] [pid 1149] AH01906: corpnew.vicihost.com:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Sep 24 16:02:37.387211 2018] [ssl:warn] [pid 1149] AH01909: corpnew.vicihost.com:443:0 server certificate does NOT include an ID which matches the server name
And I don't see any vhost with my FQDN in /etc/apache2/vhosts.d
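Both Apache warnings in that log (AH01906 and AH01909) are about the first certificate in the file that SSLCertificateFile points at: Apache reads only that one as the server certificate, so a file that holds the intermediate/chain, or a bundle with the CA cert concatenated first, produces exactly these two lines and the browser's common-name error. The POSIX shell check below is an added example, not code from the post or from ViciBox; it repeats the two checks with openssl (1.0.2 or newer for -checkhost) against a certificate file before Apache is reloaded, and the file path and FQDN in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not part of the forum post or the ViciBox project.
# Mirrors Apache's AH01906 / AH01909 checks: `openssl x509` reads only the
# FIRST certificate in the file, which is what Apache uses as the server cert.
#
# Usage (placeholder path and name):
#   check_server_cert /etc/apache2/ssl.crt/vicibox.pem vicibox.somedomain.com

# 0 when the first certificate in the file carries basicConstraints CA:TRUE,
# i.e. it is an intermediate or root, not a server certificate (AH01906).
first_cert_is_ca() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# 0 when the first certificate's SAN (or CN fallback) covers the FQDN (AH01909).
first_cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null \
        | grep -q 'does match'
}

# Runs both checks; returns 0 only when the file is usable as SSLCertificateFile.
check_server_cert() {
    file=$1
    fqdn=$2
    rc=0
    if first_cert_is_ca "$file"; then
        echo "FAIL: first certificate in $file is a CA certificate (cf. AH01906);" \
             "SSLCertificateFile must point at cert.pem or fullchain.pem, not chain.pem"
        rc=1
    fi
    if ! first_cert_matches_host "$file" "$fqdn"; then
        echo "FAIL: first certificate in $file does not name $fqdn (cf. AH01909)"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $file is a server certificate for $fqdn"
    return "$rc"
}
```

A wrong-order bundle (chain first, leaf second) fails the first check just like chain.pem itself does, which is the case worth testing after hand-editing certificate files.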