Applies to VoipNow 5.5.0 and higher installed on CentOS Linux 8!
Let's Encrypt is a free, open initiative to provide SSL certificates for websites with the purpose of enabling the adoption of encrypted communications. It's completely free (for now, at least) and you can use it with VoipNow following the steps described below.
Please note, however, that this is a domain-validated certificate. The only criteria to get a valid SSL certificate is the proof of some form of control over that domain. It could be a custom DNS TXT record, a response to an administrative email for that domain and so on.
This type of certificate does not ensure that a particular legal entity is connected to that domain (i.e. somebody can register the m1crosoft.com domain, request a SSL certificate and everything will be technically correct, while in real life an Extended Validation certificate wouldn't be granted). Basically, this article helps you get rid of the "insecure page" warning displayed by browsers.
Step-by-step guide
Before you start, make sure you know your VoipNow server's DNS hostname and IP address. Also, check that your DNS is correctly configured and pointing to your VoipNow server's IP address.
This guide will use sip.voipnowserver.com and 172.173.174.175 as place holders for your VoipNow host name and IP address. Make sure to replace them with the correct values.
Download the required files
This KB article will assume the EPEL repo is not installed and enabled on the current machine. For installing Certbot, you need the EPEL repo and for that run the following command. In case EPEL is already installed, you can skip to the second step and install Certbot.
# yum -y install epel-release
yum -y install certbot
For the sake of simplicity, we will export an environment variable that will hold the actual name of the domain for which a SSL certificate will be generated. This can be easily, done by running the following command:
certbot --standalone certonly --pre-hook='systemctl stop crond && service httpsa stop && cp -p /etc/voipnow/certs/http.pem /etc/voipnow/certs/http.pem.bkp' --post-hook="cat /etc/letsencrypt/live/${DOMAIN}/privkey.pem /etc/letsencrypt/live/${DOMAIN}/fullchain.pem > /etc/voipnow/certs/http.pem && service httpsa start && systemctl start crond" -d ${DOMAIN}
IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/sip.voipnowserver.com/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/sip.voipnowserver.com/privkey.pem Your certificate will expire on 2021-06-14. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew" - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le
The above command has two important sections defined by the pre-hook and post-hook parameters. In order to generate a certificate you must stop the web interface of the server making sure that it doesn't get started by the monitoring script. This is achieved in the pre-hook section:
systemctl stop crond service httpsa stop cp -p /etc/voipnow/certs/http.pem /etc/voipnow/certs/http.pem.bkp
There are 3 actions that are executed before the actual certificate generation starts. These are:
- Stop the crond daemon for being sure that the srvmonitor script will not start the web interface service during the certificate generation.
- Stop the web interface, httpsa process.
- Make a backup copy of the existing SSL certificate.
At the end of the process we have a valid SSL certificate that must be installed before starting the web interface. These steps are done in the post-hook section, as follows:
cat /etc/letsencrypt/live/${DOMAIN}/privkey.pem /etc/letsencrypt/live/${DOMAIN}/fullchain.pem > /etc/voipnow/certs/http.pem
service httpsa start
systemctl start crond
The same as the pre-hook section, we have 3 actions that are automatically executed at the end of the process. These are as follow, in this order:
- Assemble the SSL certificate by copying the generated files, private key and SSL certificate, in the file used by the VoipNow web interface for loading the SSL certificate.
- Start the web interface, the httpsa process like in the previous section.
- Start the crond daemon.
Let's check the SSL certificates
This can be easily done by running the following command:
certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: sip.voipnowserver.com
Serial Number: 34c43ee6cf18b9dd868fd5316f2d92176ca
Key Type: RSA
Domains: sip.voipnowserver.com
Expiry Date: 2021-06-14 08:52:43+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/sip.voipnowserver.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/sip.voipnowserver.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Let's renew the expired SSL certificate
The free SSL certificates are valid for 90 days. In order to renew the existing certificates, just run the following command:
Related articles
Except where otherwise noted, content in this space is licensed under a Creative Commons Attribution 4.0 International.