Using CertBot/LetsEncrypt with ViciBox v.8

Support forum for the ViciBox ISO Server Install and ISO LiveCD Demo


Using CertBot/LetsEncrypt with ViciBox v.8

Postby Kumba » Thu Sep 28, 2017 2:40 pm

These instructions are for ViciBox v.8.0.1 or higher as that has a corrected Apache SSL config. If you apply the SSL bugfix for a corrected SSL apache config then these should work for you too. I am not going to go over how SSL works and all the pitfalls of setting it up. You will need a Fully Qualified Domain Name that resolves to the Internet IP address of your web server. SSL typically will not work with private IP addresses. Your web server needs to be up and running before any of this will work, so I would suggest doing this after initially setting up the cluster.

For more on LetsEncrypt and CertBot feel free to browse their website here: https://letsencrypt.org/

First you need to modify the file /etc/certbot/cli.ini. Here's what you need to modify or verify:
1) Uncomment and make sure the 'email =' section is set to your valid email. This is what ties the SSL certificates to you for management.
2) Uncomment and put the Fully Qualified Domain Name (FQDN) into the 'domains =' section.
3) Uncomment the line 'agree-tos = True'
4) Uncomment the line 'renew-by-default = True'
5) Uncomment the 'authenticator =' line and change it from standalone to webroot, i.e. 'authenticator = webroot'
6) Uncomment the 'webroot-path = /srv/www/htdocs' line
7) Comment out the staging 'server =' line and uncomment the production 'server =' line.

After this, you need to make sure you can successfully generate an SSL certificate before continuing to modify Apache configs. If you modify Apache and cannot get an SSL cert issued then Apache will error and refuse to start. You can run certbot by running 'certbot certonly --webroot'. In the output it should say that the SSL was successfully issued. Only once you have successfully gotten an SSL cert issued should you continue with the next set of instructions.


Once you have the SSL cert issued, you need to modify the file /etc/apache2/vhosts.d/1111-default-ssl.conf to reflect where the new SSL certs will be. Replace <FQDN> with the actual fully qualified domain name, i.e. http://www.vicibox.com, etc:
1) Change the SSLCertificateFile line to read: SSLCertificateFile /etc/certbot/live/<FQDN>/cert.pem
2) Uncomment and change the SSLCertificateChainFile line to read: SSLCertificateChainFile /etc/certbot/live/<FQDN>/fullchain.pem
3) Change the SSLCertificateKeyFile line to read: SSLCertificateKeyFile /etc/certbot/live/<FQDN>/privkey.pem
4) service apache2 restart

After that, you should be able to go to https://<FQDN> and successfully reach your ViciDial server.

The last thing to do is to set certbot to automatically renew the SSL certificate before it expires. This is done with some simple crontab entries like the following:
--------
### Renew SSL certificate monthly
0 5 1 * * /usr/bin/certbot certonly > /var/log/certbot.log
5 5 1 * * /usr/sbin/apache2ctl -k graceful >/dev/null 2>&1
--------
This will cause Certbot to renew the certificate at 5am on the 1st day of the month, and then reload the Apache configuration 5 minutes after. That way you will always have a valid certificate. If you do not do this, then the certificate will expire in a few months. I believe letsencrypt gives you 60 days for each cert, however I'm sure someone will correct me if I'm wrong. Regardless, the certs should be checked monthly. If a renewal is not needed, then certbot will simply exit and apache will harmlessly reload.


Also, if you are using CertBot for WebRTC/WSS, then you need to edit the /etc/asterisk/http.conf file to reflect the new cert.
Here are the things to set:
1) Uncomment 'enabled=yes'
2) Uncomment and change 'bindaddr=0.0.0.0'
3) Uncomment 'bindport=8088'
4) Uncomment 'tlsenable=yes'
5) Uncomment 'tlsbindaddr=0.0.0.0:8089'
6) Uncomment and change 'tlscertfile' to read: tlscertfile=/etc/certbot/live/<FQDN>/cert.pem
7) Uncomment and change 'tlsprivatekey' to read: tlsprivatekey=/etc/certbot/live/<FQDN>/privkey.pem
Kumba
 
Posts: 648
Joined: Tue Oct 16, 2007 11:44 pm
Location: Florida
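The seven cli.ini edits above, as an added worked example that is not part of Kumba's post or of the ViciBox project: a POSIX shell script that applies steps 1-7 to a copy of the file and then checks the result before you run 'certbot certonly --webroot'. The sample cli.ini it writes, the staging and production ACME directory URLs in it, and the email address and FQDN passed in are all constructed stand-ins; the real /etc/certbot/cli.ini on a ViciBox server will differ, so run it against a copy first and compare.

```shell
#!/bin/sh
# Added example, not ViciBox code: apply the seven cli.ini edits from the
# post to a file and verify them before running 'certbot certonly --webroot'.
set -eu

# set_ini_key FILE KEY VALUE
#   Rewrites the first line that sets KEY (active or commented out) as
#   "KEY = VALUE"; appends the line if KEY does not occur at all.
set_ini_key() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    awk -v k="$key" -v v="$value" '
        BEGIN { done = 0 }
        !done && $0 ~ ("^[ \t]*#*[ \t]*" k "[ \t]*=") { print k " = " v; done = 1; next }
        { print }
        END { if (!done) print k " = " v }
    ' "$file" > "$tmp"
    mv "$tmp" "$file"
}

# select_production_server FILE
#   Step 7: leave the staging 'server =' line commented out and activate the
#   production one (whatever ACME directory URLs the file already carries).
select_production_server() {
    file=$1
    tmp=$(mktemp)
    awk '
        /^[ \t]*#*[ \t]*server[ \t]*=/ {
            sub(/^[ \t]*#*[ \t]*/, "")           # drop any leading comment marker
            if ($0 ~ /staging/) $0 = "# " $0     # staging stays commented out
        }
        { print }
    ' "$file" > "$tmp"
    mv "$tmp" "$file"
}

# check_cli_ini FILE
#   Prints every setting that still deviates from steps 1-7; returns 1 if
#   any deviation was found, 0 when the file is ready for certbot.
check_cli_ini() {
    file=$1; rc=0
    for want in "agree-tos = True" "renew-by-default = True" \
                "authenticator = webroot" "webroot-path = /srv/www/htdocs"; do
        grep -qx "$want" "$file" || { echo "missing active line: $want"; rc=1; }
    done
    grep -q '^email = .*@.'   "$file" || { echo "email is not set";      rc=1; }
    grep -q '^domains = [^ ]' "$file" || { echo "domains is not set";    rc=1; }
    grep -q '^server = '      "$file" || { echo "no active server line"; rc=1; }
    if grep '^server = ' "$file" | grep -q staging; then
        echo "server still points at the staging directory"; rc=1
    fi
    return $rc
}

# make_sample_cli_ini FILE
#   Writes a constructed stand-in for /etc/certbot/cli.ini (not the real
#   ViciBox file) in its "before" state: staging active, the rest commented out.
make_sample_cli_ini() {
    cat > "$1" <<'EOF'
# constructed sample of /etc/certbot/cli.ini
# email = you@example.com
# domains = example.com
# agree-tos = True
# renew-by-default = True
# authenticator = standalone
# webroot-path = /srv/www/htdocs
server = https://acme-staging-v02.api.letsencrypt.org/directory
# server = https://acme-v02.api.letsencrypt.org/directory
EOF
}

# apply_post_settings FILE EMAIL FQDN
#   Steps 1-7 in order; EMAIL and FQDN are the operator's own values.
apply_post_settings() {
    set_ini_key "$1" email "$2"                     # 1
    set_ini_key "$1" domains "$3"                   # 2
    set_ini_key "$1" agree-tos True                 # 3
    set_ini_key "$1" renew-by-default True          # 4
    set_ini_key "$1" authenticator webroot          # 5
    set_ini_key "$1" webroot-path /srv/www/htdocs   # 6
    select_production_server "$1"                   # 7
}

# Demo on a throwaway copy of the constructed sample; point the functions at
# /etc/certbot/cli.ini only once the printed result matches what you expect.
demo=$(mktemp)
make_sample_cli_ini "$demo"
apply_post_settings "$demo" you@example.com dialer.example.com
check_cli_ini "$demo" && echo "cli.ini is ready for: certbot certonly --webroot"
cat "$demo"
rm -f "$demo"
```

The check function is the part worth keeping around: it catches the two mistakes that most often make the later Apache step fail, an authenticator still set to standalone (which collides with the running web server on port 80) and a server line still pointing at staging (which issues a certificate browsers will not trust).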

Re: Using CertBot/LetsEncrypt with ViciBox v.8

Postby frequency » Fri Sep 29, 2017 9:04 am

Hi,

Can this be done for Vici v7 as well? Using v7 on multiple servers with SVN version 2808 which is pretty new.

Thanks
frequency
 
Posts: 44
Joined: Mon Jun 13, 2016 11:18 am

Re: Using CertBot/LetsEncrypt with ViciBox v.8

Postby Kumba » Fri Sep 29, 2017 2:17 pm

The OS is EOL for ViciBox v.7. If you can get certbot to install and run then sure. It needs quite a few python modules which might not be installable anymore.
Kumba
 
Posts: 648
Joined: Tue Oct 16, 2007 11:44 pm
Location: Florida

Re: Using CertBot/LetsEncrypt with ViciBox v.8

Postby turabaq » Thu Oct 05, 2017 1:10 pm

Can you help me with this error? My web dialer gets stuck at "connecting..."
After looking around in the browser console, I found this exception:
exception {code: 1, name: "CONFIGURATION_ERROR", parameter: "uri", value: "@", message: "Invalid value "@" for parameter "uri""}

It seems sip-0.7.8.js does not receive a "uri" because vici_phone.js is not supplying sip-0.7.8.js with a proper "sip_uri". Because of this, all that sip-0.7.8.js received is a "@" sign, which is being initialized in the phone1.viciphone.com iframe.

Can you please help.
turabaq
 
Posts: 4
Joined: Wed Aug 09, 2017 3:49 am

Re: Using CertBot/LetsEncrypt with ViciBox v.8

Postby Kumba » Thu Oct 05, 2017 4:45 pm

You need to make a posting in the 'development' section for the ViciPhone WebRTC. I'm not familiar with the background config or debugging of that but Mike is, especially since he wrote it. He's already got a thread over there so you can add that to one or start your own.

If you can go to https://fqdn and your browser successfully connects via SSL then there's not much else I can help with. How the WebRTC ViciPhone and WSS do their thing together is Mike's specialty. I'd just have to ask him to give you an answer anyways so might as well get it direct. :)

turabaq wrote: Can you help me with this error? My web dialer gets stuck at "connecting..."
After looking around in the browser console, I found this exception:
exception {code: 1, name: "CONFIGURATION_ERROR", parameter: "uri", value: "@", message: "Invalid value "@" for parameter "uri""}

It seems sip-0.7.8.js does not receive a "uri" because vici_phone.js is not supplying sip-0.7.8.js with a proper "sip_uri". Because of this, all that sip-0.7.8.js received is a "@" sign, which is being initialized in the phone1.viciphone.com iframe.

Can you please help.
Kumba
 
Posts: 648
Joined: Tue Oct 16, 2007 11:44 pm
Location: Florida

Re: Using CertBot/LetsEncrypt with ViciBox v.8

Postby williamconley » Sat Oct 14, 2017 10:25 am

Kumba wrote: The OS is EOL for ViciBox v.7. If you can get certbot to install and run then sure. It needs quite a few python modules which might not be installable anymore.

We've used it on v7 several times. There's more than one way to install it.
Vicidial Installation and Repair, plus Hosting and Colocation
SugarCRM integration - Customization and Add-ons - We Bring It All Together.
http://www.PoundTeam.com # 352-269-0000 # +44 (203) 769-2294 # +506 4001-8914
williamconley
 
Posts: 16681
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: Using CertBot/LetsEncrypt with ViciBox v.8

Postby sajeel » Tue Dec 05, 2017 12:20 pm

Getting the below error in Chrome dev console.

WebSocket connection to 'wss://domain.com:8089/ws' failed: Error in connection establishment: net::ERR_CONNECTION_REFUSED

All the certificates are properly installed.

Asterisk is not listening on port 8089; 'netstat -ln | grep 8089' is not returning any output.
sajeel
 
Posts: 2
Joined: Fri Nov 17, 2017 3:47 pm
