Note |
---|
Applies to VoipNow 35.5.7 0 and higher installed on CentOS Linux 8! |
Let's Encrypt is a free, open initiative to provide SSL certificates for websites with the purpose of enabling the adoption of encrypted communications. It's completely free (for now, at least) and you can use it with VoipNow following the steps described below.
Before you start, make sure you know your VoipNow server's DNS hostname and IP address. Also, check that your DNS is correctly configured and points to your VoipNow server's IP address.
This guide will use sip.voipnowserver.com and 172.173.174.175 as placeholders for your VoipNow hostname and IP address. Make sure to replace them with the correct values.
Download the required files
This KB article assumes that the EPEL repo is not installed and enabled on the current machine. To install Certbot, you need to install the EPEL repo first; to do that, run the following command. In case EPEL is already installed, you can skip to the second step and install Certbot.
Shell |
---|
# yum -y install epel-release |
Install the Certbot rpm file.
Shell |
---|
yum -y install certbot |
Download the Let's Encrypt files using Git:
Code Block |
---|
# git clone https://github.com/letsencrypt/letsencrypt
Cloning into 'letsencrypt'...
remote: Counting objects: 33428, done.
remote: Compressing objects: 100% (5/5), done.
remote: Total 33428 (delta 0), reused 0 (delta 0), pack-reused 33423
Receiving objects: 100% (33428/33428), 8.80 MiB | 2.68 MiB/s, done.
Resolving deltas: 100% (23745/23745), done.
Checking connectivity... done. |
Stop the web interface
Note |
---|
In order to run the certificate generation scripts, you need to stop the web interface. |
Run the following command:
Shell |
---|
# service voipnow stop |
Disable the srvmonitor cron task by running the command below
Shell |
---|
# crontab -e |
and place a # character in front of the line containing srvmonitor.
start
For the sake of simplicity, we will export an environment variable that will hold the actual name of the domain for which an SSL certificate will be generated. This can be easily done by running the following command:
Shell |
---|
DOMAIN='sip.voipnowserver.com' |
Now we are ready to run Certbot and create the SSL certificate for the domain contained in the ${DOMAIN} variable defined above. Here is the command:
Shell |
---|
certbot --standalone certonly --pre-hook='systemctl stop crond && service httpsa stop && cp -p /etc/voipnow/certs/http.pem /etc/voipnow/certs/http.pem.bkp' --post-hook="cat /etc/letsencrypt/live/${DOMAIN}/privkey.pem /etc/letsencrypt/live/${DOMAIN}/fullchain.pem > /etc/voipnow/certs/http.pem && service httpsa start && systemctl start crond" -d ${DOMAIN}
|
You might
Run the Let's Encrypt script
Shell |
---|
# cd letsencrypt
# ./letsencrypt-auto certonly -a standalone -d sip.voipnowserver.com
Checking for new version...
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Requesting root privileges to run letsencrypt...
/root/.local/share/letsencrypt/bin/letsencrypt certonly -a standalone -d sip.voipnowserver.com
DeprecationWarning
Version: 1.1-20080819
Version: 1.1-20080819
|
At this point, you will be prompted to provide a valid email address and accept the legal terms. Proceed as required, and the script should continue. At the end, you will see something like this:
Code Block |
---|
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/sip.voipnowserver.com/fullchain.pem.
   Your cert key file has been saved at:
   /etc/letsencrypt/live/sip.voipnowserver.com/privkey.pem
   Your certificate will expire on 2021-06-14. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again.
   To non-interactively renew *all* of your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
   Donating to EFF: https://eff.org/donate-le |
Back up the old SSL certificate
The above command has two important sections defined by the pre-hook and post-hook parameters. In order to generate a certificate you must stop the web interface of the server making sure that it doesn't get started by the monitoring script. This is achieved in the pre-hook section:
Code Block |
---|
systemctl stop crond
service httpsa stop
cp -p /etc/voipnow/certs/http.pem /etc/voipnow/certs/http.pem.bkp |
Copy the new certificate and key
There are 3 actions that are executed before the actual certificate generation starts. These are:
- Stop the crond daemon, to be sure that the srvmonitor script will not start the web interface service during the certificate generation.
- Stop the web interface, httpsa process.
- Make a backup copy of the existing SSL certificate.
At the end of the process we have a valid SSL certificate that must be installed before starting the web interface. These steps are done in the post-hook section, as follows:
Code Block |
---|
cat /etc/letsencrypt/live/${DOMAIN}/privkey.pem /etc/letsencrypt/live/${DOMAIN}/fullchain.pem > /etc/voipnow/certs/http.pem
service httpsa start
systemctl start crond |
As in the pre-hook section, we have 3 actions that are automatically executed at the end of the process. These are as follows, in this order:
- Assemble the SSL certificate by copying the generated files, private key and SSL certificate, into the file used by the VoipNow web interface for loading the SSL certificate.
- Start the web interface, the httpsa process, like in the previous section.
- Start the crond daemon.
Start the web interface
Shell |
---|
# service voipnow start |
Check if you can access the web interface and ensure that the SSL connection information is correct.
Tip |
---|
Look for a green padlock next to the web address in your browser. |
If everything's OK, run the command below again
Shell |
---|
# crontab -e |
and remove the # sign placed in front of the srvmonitor command.
Let's check the SSL certificates
This can be easily done by running the following command:
Shell |
---|
certbot certificates |
The output of the above command contains all the information about the existing certificate, including the expiry date. This way, we know when we have to renew the SSL certificate:
Code Block |
---|
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: sip.voipnowserver.com
Serial Number: 34c43ee6cf18b9dd868fd5316f2d92176ca
Key Type: RSA
Domains: sip.voipnowserver.com
Expiry Date: 2021-06-14 08:52:43+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/sip.voipnowserver.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/sip.voipnowserver.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
|
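Because every renewal here stops the web interface, it helps to know ahead of time which certificates are close to expiry. The script below is an added example, not part of the original article or of Certbot: it parses the `certbot certificates` output shown above and flags entries that are invalid or below a day threshold. The names expiring_certs and sample_output are hypothetical, and the second and third sample entries are constructed.

```shell
#!/bin/sh
# Added example: report certificates from `certbot certificates` output that
# are INVALID or have fewer than MIN_DAYS days of validity left.

# expiring_certs MIN_DAYS   (certbot output on stdin)
# Prints "name status" per flagged certificate; exit status 1 if any flagged.
expiring_certs() {
    awk -v min="$1" '
        /Certificate Name:/ { name = $3 }
        /Expiry Date:/ {
            if (match($0, /\(VALID: [0-9]+ day/)) {
                days = substr($0, RSTART + 8, RLENGTH - 12) + 0
                if (days < min) { print name, days " days left"; bad = 1 }
            } else {
                print name, "INVALID"; bad = 1
            }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample: the first entry is the output shown above, the other
# two are made-up entries for the near-expiry and expired cases.
sample_output() {
    cat <<'EOF'
Found the following certs:
  Certificate Name: sip.voipnowserver.com
    Domains: sip.voipnowserver.com
    Expiry Date: 2021-06-14 08:52:43+00:00 (VALID: 89 days)
  Certificate Name: soon.example.test
    Domains: soon.example.test
    Expiry Date: 2021-03-29 08:52:43+00:00 (VALID: 12 days)
  Certificate Name: gone.example.test
    Domains: gone.example.test
    Expiry Date: 2021-01-02 08:52:43+00:00 (INVALID: EXPIRED)
EOF
}

# On the server: certbot certificates | expiring_certs 30
sample_output | expiring_certs 30 || echo "renewal needed"
```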
Let's renew the expired SSL certificate
The free SSL certificates are valid for 90 days. The automatic renewal script provided by Let's Encrypt isn't fully compatible with the certonly method.
In order to renew the existing certificates, just run the following command:
Shell |
---|
certbot renew |
If the process succeeds, you will end up with a valid certificate; the pre-hook and post-hook actions are also executed automatically by the renewal process.
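The post-hook described earlier writes http.pem with a plain redirect, so a failed cat leaves a truncated file and the && chain never restarts httpsa or crond. The script below is an added example, not VoipNow's or Certbot's own code: install_pem and post_hook are hypothetical names, and keeping the existing file's mode and owner is an assumption about what the web interface needs.

```shell
#!/bin/sh
# Added example: assemble the combined PEM in a temporary file and swap it in
# only when it holds both a private key and a certificate.

# install_pem LIVE_DIR TARGET
# LIVE_DIR contains privkey.pem and fullchain.pem; TARGET is the combined file.
install_pem() {
    live=$1
    target=$2
    tmp=$(mktemp "${target}.XXXXXX") || return 1    # created with mode 0600
    # Assumption: the current file's mode and owner are the ones to keep.
    if [ -f "$target" ]; then cp -p "$target" "$tmp"; fi
    if cat "$live/privkey.pem" "$live/fullchain.pem" > "$tmp" &&
       grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$tmp" &&
       grep -q -e '-----BEGIN CERTIFICATE-----' "$tmp"
    then
        mv -f "$tmp" "$target"      # rename is atomic on one filesystem
    else
        rm -f "$tmp"                # the previous certificate stays in place
        return 1
    fi
}

# post_hook LIVE_DIR TARGET
# Restarts httpsa and crond whether or not the install worked, so a failed
# renewal does not leave the web interface and cron stopped.
post_hook() {
    install_pem "$1" "$2"
    rc=$?
    service httpsa start
    systemctl start crond
    return "$rc"
}

# Usage as a hook script (paths as used in this guide):
#   post-hook.sh /etc/letsencrypt/live/sip.voipnowserver.com /etc/voipnow/certs/http.pem
if [ "$#" -eq 2 ]; then
    post_hook "$1" "$2"
fi
```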
Except where otherwise noted, content in this space is licensed under a Creative Commons Attribution 4.0 International.