
Using CertBot/LetsEncrypt with ViciBox v.8.0

PostPosted: Thu Sep 28, 2017 2:40 pm
by Kumba
These instructions are for ViciBox v.8.0.1 or higher, as that has a corrected Apache SSL config. If you apply the SSL bugfix for a corrected SSL Apache config then these should work for you too. I am not going to go over how SSL works and all the pitfalls of setting it up. You will need a Fully Qualified Domain Name that resolves to the Internet IP address of your web server. SSL typically will not work with private IP addresses. Your web server needs to be up and running before any of this will work, so I would suggest doing this after initially setting up the cluster.

For more on LetsEncrypt and CertBot feel free to browse their website here: https://letsencrypt.org/

First you need to modify the file /etc/certbot/cli.ini. Here's what you need to modify or verify:
1) Uncomment and make sure the 'email =' section is set to your valid email. This is what ties the SSL certificates to you for management.
2) Uncomment and put the Fully Qualified Domain Name (FQDN) into the 'domains =' section.
3) Uncomment the line 'agree-tos = True'
4) Uncomment the line 'renew-by-default = True'
5) Uncomment the 'authenticator =' line and change it from standalone to webroot, I.E. 'authenticator = webroot'
6) Uncomment the 'webroot-path = /srv/www/htdocs' line
7) Comment out the staging 'server =' line and uncomment the production 'server =' line.

After this, you need to make sure you can successfully generate an SSL certificate before continuing to modify Apache configs. If you modify Apache and cannot get an SSL cert issued then Apache will error and refuse to start. You can run certbot by running 'certbot certonly --webroot'. In the output it should say that the SSL was successfully issued. Only once you have successfully gotten an SSL cert issued should you continue with the next set of instructions.


Once you have the SSL cert issued, you need to modify the file /etc/apache2/vhosts.d/1111-default-ssl.conf to reflect where the new SSL certs will be. Replace <FQDN> with the actual fully qualified domain name, I.E. http://www.vicibox.com, etc:
1) Change the SSLCertificateFile line to read: SSLCertificateFile /etc/certbot/live/<FQDN>/cert.pem
2) Uncomment and change the SSLCertificateChainFile line to read: SSLCertificateChainFile /etc/certbot/live/<FQDN>/fullchain.pem
3) Change the SSLCertificateKeyFile line to read: SSLCertificateKeyFile /etc/certbot/live/<FQDN>/privkey.pem
4) service apache2 restart

After that, you should be able to go to https://<FQDN> and successfully reach your ViciDial server.

The last thing to do is to set certbot to automatically renew the SSL certificate before it expires. This is done with some simple crontab entries like the following:
--------
### Renew SSL certificate monthly
0 5 1 * * /usr/bin/certbot certonly > /var/log/certbot.log
5 5 1 * * /usr/sbin/apache2ctl -k graceful >/dev/null 2>&1
--------
This will cause Certbot to renew the certificate at 5am on the 1st day of the month, and then reload the Apache configuration 5 minutes after. That way you will always have a valid certificate. If you do not do this, then the certificate will expire in a few months. I believe letsencrypt gives you 60 days for each cert, however I'm sure someone will correct me if I'm wrong. Regardless, the certs should be checked monthly. If a renewal is not needed, then certbot will simply exit and apache will harmlessly reload.


Also if you are using CertBot for WebRTC/WSS, then you need to edit the /etc/asterisk/http.conf file to reflect the new cert.
Here's the things to set:
1) Uncomment 'enabled=yes'
2) Uncomment and change 'bindaddr=0.0.0.0'
3) Uncomment 'bindport=8088'
4) Uncomment 'tlsenable=yes'
5) Uncomment 'tlsbindaddr=0.0.0.0:8089'
6) Uncomment and change 'tlscertfile' to read: tlscertfile=/etc/certbot/live/<FQDN>/cert.pem
7) Uncomment and change 'tlsprivatekey' to read: tlsprivatekey=/etc/certbot/live/<FQDN>/privkey.pem
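The steps above are a series of hand edits to three files. The script below is an added example, not code from the post or from the ViciBox project: it applies the cli.ini, Apache vhost and Asterisk http.conf edits listed above to copies of the files with sed, and then checks that the three Apache SSLCertificate* directives all point into the same /etc/certbot/live/<FQDN>/ directory before Apache is restarted (a mismatched or still-commented line is what makes Apache refuse to start). The sample file contents, the FQDN dialer.example.com and the function names are constructed for the example; the real /etc/certbot/cli.ini layout on your box may differ, so diff the result against the original before copying it into place.

```shell
#!/bin/sh
# Added example (not from the ViciBox post or project): apply the cli.ini,
# Apache vhost and Asterisk http.conf edits from the post to COPIES of the
# files, then verify the Apache directives agree on one /etc/certbot/live/<FQDN>/.
# The sample file contents and the FQDN dialer.example.com are constructed.

# Uncomment/set the certbot settings from the post.  $1=cli.ini $2=email $3=FQDN
configure_cli_ini() {
  ini="$1"; email="$2"; fqdn="$3"
  sed -E \
    -e "s|^[[:space:]]*#?[[:space:]]*email[[:space:]]*=.*|email = $email|" \
    -e "s|^[[:space:]]*#?[[:space:]]*domains[[:space:]]*=.*|domains = $fqdn|" \
    -e 's|^[[:space:]]*#?[[:space:]]*agree-tos[[:space:]]*=.*|agree-tos = True|' \
    -e 's|^[[:space:]]*#?[[:space:]]*renew-by-default[[:space:]]*=.*|renew-by-default = True|' \
    -e 's|^[[:space:]]*#?[[:space:]]*authenticator[[:space:]]*=.*|authenticator = webroot|' \
    -e 's|^[[:space:]]*#?[[:space:]]*webroot-path[[:space:]]*=.*|webroot-path = /srv/www/htdocs|' \
    -e 's|^[[:space:]]*(server[[:space:]]*=.*acme-staging.*)|# \1|' \
    -e 's|^[[:space:]]*#?[[:space:]]*(server[[:space:]]*=.*acme-v0[0-9]\.api\.letsencrypt\.org.*)|\1|' \
    "$ini" > "$ini.tmp" && mv "$ini.tmp" "$ini"
}

# Point the SSL vhost at the issued cert.  $1=1111-default-ssl.conf $2=FQDN
configure_apache_ssl() {
  conf="$1"; live="/etc/certbot/live/$2"
  sed -E \
    -e "s|^[[:space:]]*#?[[:space:]]*SSLCertificateFile[[:space:]].*|    SSLCertificateFile $live/cert.pem|" \
    -e "s|^[[:space:]]*#?[[:space:]]*SSLCertificateChainFile[[:space:]].*|    SSLCertificateChainFile $live/fullchain.pem|" \
    -e "s|^[[:space:]]*#?[[:space:]]*SSLCertificateKeyFile[[:space:]].*|    SSLCertificateKeyFile $live/privkey.pem|" \
    "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Enable the Asterisk HTTP/WSS listener with the same cert.  $1=http.conf $2=FQDN
configure_asterisk_http() {
  conf="$1"; live="/etc/certbot/live/$2"
  sed -E \
    -e 's|^[[:space:]]*;?[[:space:]]*enabled[[:space:]]*=.*|enabled=yes|' \
    -e 's|^[[:space:]]*;?[[:space:]]*bindaddr[[:space:]]*=.*|bindaddr=0.0.0.0|' \
    -e 's|^[[:space:]]*;?[[:space:]]*bindport[[:space:]]*=.*|bindport=8088|' \
    -e 's|^[[:space:]]*;?[[:space:]]*tlsenable[[:space:]]*=.*|tlsenable=yes|' \
    -e 's|^[[:space:]]*;?[[:space:]]*tlsbindaddr[[:space:]]*=.*|tlsbindaddr=0.0.0.0:8089|' \
    -e "s|^[[:space:]]*;?[[:space:]]*tlscertfile[[:space:]]*=.*|tlscertfile=$live/cert.pem|" \
    -e "s|^[[:space:]]*;?[[:space:]]*tlsprivatekey[[:space:]]*=.*|tlsprivatekey=$live/privkey.pem|" \
    "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Fail unless exactly three uncommented SSLCertificate* lines point at one
# /etc/certbot/live/<FQDN>/ directory; print that FQDN on success.
check_apache_ssl() {
  conf="$1"
  lines=$(grep -E '^[[:space:]]*SSLCertificate(File|ChainFile|KeyFile)[[:space:]]+/etc/certbot/live/[^/]+/' "$conf" || true)
  n=$(printf '%s\n' "$lines" | grep -c . || true)
  if [ "$n" -ne 3 ]; then
    echo "expected 3 certbot SSL directives, found $n" >&2; return 1
  fi
  hosts=$(printf '%s\n' "$lines" | sed -E 's#^.*/etc/certbot/live/([^/]+)/.*#\1#' | sort -u)
  if [ "$(printf '%s\n' "$hosts" | grep -c . || true)" -ne 1 ]; then
    echo "directives point at different hosts: $hosts" >&2; return 1
  fi
  printf '%s\n' "$hosts"
}

# Constructed sample files in the shape of the real ones; prints the temp dir.
make_samples() {
  d=$(mktemp -d)
  cat > "$d/cli.ini" <<'EOF'
# email = you@example.com
# domains = example.com
# agree-tos = True
# renew-by-default = True
authenticator = standalone
# webroot-path = /srv/www/htdocs
server = https://acme-staging.api.letsencrypt.org/directory
# server = https://acme-v01.api.letsencrypt.org/directory
EOF
  cat > "$d/1111-default-ssl.conf" <<'EOF'
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl.crt/server.crt
    #SSLCertificateChainFile /etc/apache2/ssl.crt/ca.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
</VirtualHost>
EOF
  cat > "$d/http.conf" <<'EOF'
[general]
;enabled=no
;tlsenable=no
;tlscertfile=/tmp/asterisk.pem
EOF
  printf '%s\n' "$d"
}

# Stand-alone run: edit the sample copies and print the FQDN Apache now uses.
d=$(make_samples)
configure_cli_ini "$d/cli.ini" admin@example.com dialer.example.com
configure_apache_ssl "$d/1111-default-ssl.conf" dialer.example.com
configure_asterisk_http "$d/http.conf" dialer.example.com
check_apache_ssl "$d/1111-default-ssl.conf"
rm -rf "$d"
```

On a real box, run check_apache_ssl against /etc/apache2/vhosts.d/1111-default-ssl.conf and then apache2ctl -t before the restart in step 4, so a typo in the live path is caught while the old vhost is still serving.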

Re: Using CertBot/LetsEncrypt with ViciBox v.8

PostPosted: Fri Sep 29, 2017 9:04 am
by frequency
Hi,

Can this be done for Vici v7 as well? Using v7 on multiple servers with SVN version 2808, which is pretty new.

Thanks

Re: Using CertBot/LetsEncrypt with ViciBox v.8

PostPosted: Fri Sep 29, 2017 2:17 pm
by Kumba
The OS is EOL for ViciBox v.7. If you can get certbot to install and run then sure. It needs quite a few python modules which might not be installable anymore.

Re: Using CertBot/LetsEncrypt with ViciBox v.8

PostPosted: Thu Oct 05, 2017 1:10 pm
by turabaq
Can you help me with this error? My web dialer gets stuck at "connecting..."
After looking around in the browser console, I found this exception:
exception {code: 1, name: "CONFIGURATION_ERROR", parameter: "uri", value: "@", message: "Invalid value "@" for parameter "uri""}

It seems sip-0.7.8.js does not receive a "uri" because vici_phone.js is not supplying sip-0.7.8.js with a proper "sip_uri". Because of this, all that sip-0.7.8.js received is a "@" sign, which is being initialized in the phone1.viciphone.com iframe.

Can you please help.

Re: Using CertBot/LetsEncrypt with ViciBox v.8

PostPosted: Thu Oct 05, 2017 4:45 pm
by Kumba
You need to make a post in the 'development' section for the ViciPhone WebRTC. I'm not familiar with the background config or debugging of that but Mike is, especially since he wrote it. He's already got a thread over there, so you can add that to it or start your own.

If you can go to https://fqdn and your browser successfully connects via SSL then there's not much else I can help with. How the WebRTC ViciPhone and WSS do their thing together is Mike's specialty. I'd just have to ask him to give you an answer anyway, so you might as well get it direct. :)

turabaq wrote:Can you help me with this error? My web dialer gets stuck at "connecting..."
After looking around in the browser console, I found this exception:
exception {code: 1, name: "CONFIGURATION_ERROR", parameter: "uri", value: "@", message: "Invalid value "@" for parameter "uri""}

It seems sip-0.7.8.js does not receive a "uri" because vici_phone.js is not supplying sip-0.7.8.js with a proper "sip_uri". Because of this, all that sip-0.7.8.js received is a "@" sign, which is being initialized in the phone1.viciphone.com iframe.

Can you please help.

Re: Using CertBot/LetsEncrypt with ViciBox v.8

PostPosted: Sat Oct 14, 2017 10:25 am
by williamconley
Kumba wrote:The OS is EOL for ViciBox v.7. If you can get certbot to install and run then sure. It needs quite a few python modules which might not be installable anymore.

We've used it on v7 several times. There's more than one way to install it.

Re: Using CertBot/LetsEncrypt with ViciBox v.8

PostPosted: Tue Dec 05, 2017 12:20 pm
by sajeel
getting the below error in Chrome dev console.

WebSocket connection to 'wss://domain.com:8089/ws' failed: Error in connection establishment: net::ERR_CONNECTION_REFUSED

All the certificates are properly installed.

Asterisk is not listening on port 8089:
netstat -ln | grep 8089
is not returning any output.

Re: Using CertBot/LetsEncrypt with ViciBox v.8

PostPosted: Wed Mar 28, 2018 3:15 am
by vkad
Also, if you are behind NAT then httpd.conf should contain your private IP or 0.0.0.0:8089 in tlsbindport, or otherwise it won't listen to anything.