Note

Applies to VoipNow 35.5.7 0 and higher installed on CentOS Linux 8!

Let's Encrypt is a free, open initiative to provide SSL certificates for websites with the purpose of enabling the adoption of encrypted communications. It's completely free (for now, at least) and you can use it with VoipNow following the steps described below.

...

Before you start, make sure you know your VoipNow server's DNS hostname and IP address. Also, check that your DNS is correctly configured and pointing to your VoipNow server's IP address.

This guide will use sip.voipnowserver.com and 172.173.174.175 as placeholders for your VoipNow host name and IP address. Make sure to replace them with the correct values.

Download the required files

This KB article assumes the EPEL repo is not installed and enabled on the current machine. To install Certbot, you need to install the EPEL repo first; to do that, run the following command. If EPEL is already installed, you can skip to the second step and install Certbot.

Shell
# yum -y install epel-release

Install the Certbot rpm file.

Shell

yum -y install certbot


Download the Let's Encrypt files using Git:

Code Block
# git clone https://github.com/letsencrypt/letsencrypt
Cloning into 'letsencrypt'...
remote: Counting objects: 33428, done.
remote: Compressing objects: 100% (5/5), done.
remote: Total 33428 (delta 0), reused 0 (delta 0), pack-reused 33423
Receiving objects: 100% (33428/33428), 8.80 MiB | 2.68 MiB/s, done.
Resolving deltas: 100% (23745/23745), done.
Checking connectivity... done.

Stop the web interface

Note

In order to run the certificate generation scripts, you need to stop the web interface.

 Run the following command:

Shell
# service voipnow stop

Disable the srvmonitor cron task by running the command below 

Shell
# crontab -e

and place a # character in front of the line containing srvmonitor.

start

For the sake of simplicity, we will define a shell variable that holds the actual name of the domain for which an SSL certificate will be generated. This can easily be done by running the following command:

Shell

DOMAIN='sip.voipnowserver.com'

Now we are ready to run Certbot and create the SSL certificate for the domain contained in the ${DOMAIN} variable defined above. Here is the command:

Shell
certbot --standalone certonly --pre-hook='systemctl stop crond && service httpsa stop && cp -p /etc/voipnow/certs/http.pem /etc/voipnow/certs/http.pem.bkp' --post-hook="cat /etc/letsencrypt/live/${DOMAIN}/privkey.pem /etc/letsencrypt/live/${DOMAIN}/fullchain.pem > /etc/voipnow/certs/http.pem && service httpsa start && systemctl start crond" -d ${DOMAIN}

You might

Run the Let's Encrypt script

Shell
# cd letsencrypt

# ./letsencrypt-auto certonly -a standalone -d sip.voipnowserver.com
Checking for new version...
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Requesting root privileges to run letsencrypt...
   /root/.local/share/letsencrypt/bin/letsencrypt certonly -a standalone -d sip.voipnowserver.com
  DeprecationWarning
Version: 1.1-20080819
Version: 1.1-20080819

At this point, you will be prompted to provide a valid email address and accept the legal terms. Proceed as required, and the script should continue. At the end, you will see something like this:

Code Block
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/sip.voipnowserver.com/fullchain.pem.
   Your cert key file has been saved at:
   /etc/letsencrypt/live/sip.voipnowserver.com/privkey.pem
   Your certificate will expire on 2021-06-14. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Back up the old SSL certificate

The above command has two important sections, defined by the pre-hook and post-hook parameters. To generate a certificate, you must stop the web interface of the server and make sure that it doesn't get started by the monitoring script. This is achieved in the pre-hook section:

Code Block
systemctl stop crond
service httpsa stop
cp -p /etc/voipnow/certs/http.pem /etc/voipnow/certs/http.pem.bkp

Copy the new certificate and key

There are 3 actions that are executed before the actual certificate generation starts. These are:

  • Stop the crond daemon to make sure that the srvmonitor script will not start the web interface service during the certificate generation.
  • Stop the web interface (the httpsa process).
  • Make a backup copy of the existing SSL certificate.

At the end of the process we have a valid SSL certificate that must be installed before starting the web interface. These steps are done in the post-hook section, as follows:

Code Block
cat /etc/letsencrypt/live/${DOMAIN}/privkey.pem /etc/letsencrypt/live/${DOMAIN}/fullchain.pem > /etc/voipnow/certs/http.pem
service httpsa start
systemctl start crond

Start the web interface

Shell
# service voipnow start

Check if you can access the web interface and ensure that the SSL connection information is correct.

Tip

Look for a green padlock next to the web address in your browser.

If everything's OK, run the command below again

Shell
# crontab -e

and remove the # sign placed in front of the srvmonitor command.

As in the pre-hook section, three actions are executed automatically at the end of the process, in this order:

  • Assemble the SSL certificate by concatenating the generated files (private key and certificate chain) into the file that the VoipNow web interface loads its SSL certificate from.
  • Start the web interface (the httpsa process, as in the previous section).
  • Start the crond daemon.
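
In the post-hook, the shell truncates /etc/voipnow/certs/http.pem before cat runs, so if the files under /etc/letsencrypt/live are missing or unreadable the web interface is left with an empty certificate file and the && chain never restarts httpsa or crond. The function below is an added example, not part of the original article, VoipNow or Certbot; it validates both inputs first and replaces the target atomically. The name install_combined_pem is hypothetical.

```shell
#!/bin/sh
# Added example (not VoipNow or Certbot code).
# install_combined_pem KEY FULLCHAIN DEST
# Writes KEY followed by FULLCHAIN to DEST only if both inputs look sane.
# On any failure DEST is left exactly as it was and a non-zero status is returned.
install_combined_pem() {
    key=$1 chain=$2 dest=$3

    # Both inputs must exist and be non-empty.
    [ -s "$key" ] && [ -s "$chain" ] || { echo "missing input PEM" >&2; return 1; }

    # Cheap structural checks: a private key block and at least one certificate block.
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key" ||
        { echo "no private key in $key" >&2; return 1; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$chain" ||
        { echo "no certificate in $chain" >&2; return 1; }

    # Build the new file next to DEST so the final rename is atomic.
    tmp=$(mktemp "${dest}.XXXXXX") || return 1   # created with mode 0600
    # Inherit mode and ownership of the current file, if there is one.
    if [ -e "$dest" ]; then
        cp -p "$dest" "$tmp" || { rm -f "$tmp"; return 1; }
    fi
    if cat "$key" "$chain" > "$tmp"; then
        mv -f "$tmp" "$dest"
    else
        rm -f "$tmp"; return 1
    fi
}

# Possible call from the post-hook, using the paths from this article in place
# of the plain "cat ... > http.pem" step:
#   install_combined_pem "/etc/letsencrypt/live/${DOMAIN}/privkey.pem" \
#       "/etc/letsencrypt/live/${DOMAIN}/fullchain.pem" /etc/voipnow/certs/http.pem
```

If the function fails, the previous http.pem is still in place, so httpsa and crond can be started again with the old certificate.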

Let's check the SSL certificates

This can be easily done by running the following command:

Shell
certbot certificates

The output of the above command contains all the information about the existing certificate, including the expiry date. This way, we know when we have to renew the SSL certificate:

Code Block
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: sip.voipnowserver.com
    Serial Number: 34c43ee6cf18b9dd868fd5316f2d92176ca
    Key Type: RSA
    Domains: sip.voipnowserver.com
    Expiry Date: 2021-06-14 08:52:43+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/sip.voipnowserver.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/sip.voipnowserver.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Let's renew the expired SSL certificate

...

The free SSL certificates are valid for 90 days. The automatic renewal script provided by Let's Encrypt isn't fully compatible with the certonly method.

...

In order to renew the existing certificates, just run the following command:

Shell

certbot renew

If the process succeeds, you will end up with a valid certificate; the pre-hook and post-hook actions are also executed automatically by the renewal process.


Except where otherwise noted, content in this space is licensed under a Creative Commons Attribution 4.0 International.