SSL Certificate for Non-Hosted Domain

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: nollicomm.net

I ran this command: Let's Encrypt via FreePBX

It produced this output: selt test error: pest_curl_exec- could not resolve host name secret.nollicomm.net where secret is a hidden name of the sub-domain: unknown error
My web server is (include version): FreePBX 16

The operating system my web server runs on is (include version): FreePBX 16

My hosting provider, if applicable, is: not hosting the domain just registered for SSL certificate for non-facing FreePBX voipserver and phones

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no, my domains are registered via Misk.com

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): no

1 Like

Hi @nollicrypt and welcome to the community.

nollicomm.net.		7091	IN	A	52.3.162.226
nollicomm.net.		7091	IN	A	34.203.101.184 ??

secret.nollicomm.net. 7091 IN A 52.3.162.226

So, if I may ask... What are you trying to do? Is your PBX public facing? Please give us some info about what you are trying to accomplish.

7 Likes

Thank you Rip for responding. What I want to do is to make my PBX as secure as possible; however, to accomplish that end, I needed to use a domain name. First, I thought I could use a made-up name and let Let's Encrypt issue a certificate. However, that turned out to be misinformation and I needed to register a real domain. I already had several domains, but because I didn't want to expose any of those, I created a new one that will just be used internally in my home office.

So, my FreePBX number is the only aspect that will face the public. The domain nollicomm.net is only to facilitate secure communication between my firewall (pfSense), FreePBX, and the actual phone (Htek). The domain will not be hosted by any hosting provider other than being registered.

So last night, I could not understand why I could not get a certificate, since I legitimately own the domain. In fact, I am not sure the request actually got to Let's Encrypt, since I made the request from FreePBX that's behind my pfSense in a DMZ. Also, I was not expecting secret dot nollicomm.net to resolve... it was just an example. So for full transparency, my host names will be nollivoipserver.nollicomm.net and phones.nollicomm.net

1 Like

If you don't want to expose port 80 or 443 on the internet (for those FQDNs), you should use dns-01 validation.

Because you registered a domain on purpose, it's easier: use your DNS provider APIs or change DNS provider to one with good support.

I am not sure about this, but you might get away with not creating the label for the FQDNs in your zone, if you use the dns-01 challenge.

5 Likes

But given that you'll be the only user, you can also make your own CA, add your root certificate to the system store, and sign certificates for whatever domain you want (of course, they'll be trusted by you and you alone).

6 Likes

This was the suggestion on the FreePBX forum; however, their setup for Let's Encrypt doesn't allow that... or I would need to add acme.sh, and that is presenting a steep learning curve. I might be able to do just that with the Acme package on pfSense.

I already purchased a domain in order to get the SSL certificate.

1 Like

You can install whatever client on whatever machine. It's easier when the ACME client and server are on the same machine, but you can always install certbot on your laptop and set a deploy hook that uses scp/rsync to send the certificate and key where they are needed.

Just don't install certbot on your laptop and expect the Apache/Nginx plugin to work. Webroot might, if you mount the remote directory. But dns-01, dns-01 will definitely work.

You can still do that. Look for minica and picoca.

4 Likes

I already spent the whole weekend running in circles. Right now, I just want the phone system working. I decided on a SIP trunk provider last Friday and chased my tail with Let's Encrypt with no progress. There is so much misinformation on this Let's Encrypt.

So, I'll use the Acme package on pfSense to get the SSL certificate and learn more on the subject of ACME clients and servers later.

1 Like

You might be surprised at how well acme.sh integrates with pfSense, and how easy it is to use in practice.
What version of pfSense are you using?
I may have missed it if it is in the thread already, but who is managing your DNS? And do they have an API you can access for automation purposes?

8 Likes

Rip, that was for adding acme.sh to FreePBX. I already have the Acme package running on pfSense and had hoped that the same ease was the case on FreePBX. So, my solution is to just use the pfSense Acme package and not worry about trying to deal with FreePBX and having to have port 80 open to the wide world.

2 Likes

It should work. Are you satisfied with this solution?

4 Likes

@nollicrypt !
So have you created a process to backup and copy the cert(s) to FreePBX?

7 Likes

I haven't done it yet; however, the plan is to use HAProxy to do SSL offloading of the certificate to HTTP on FreePBX, thus creating a secure connection without having to have the certificate on FreePBX.
I'll report back when I have everything working.

I could make a copy of the certificate and import it into FreePBX, but then I would need to renew and that becomes awkward... I may try it once though.

2 Likes

Welcome to the Let's Encrypt Community :slightly_smiling_face:

This seems like the perfect situation to me to use something like certbot's "standalone" webserver option, which spins up a limited webserver instance on port 80 only for the short duration of the http-01 challenge verification when acquiring a certificate. Since no other webserver would be using port 80 (which is required anyhow for the standalone authenticator to work), anything attempting to contact your domain name(s) on port 80 at any other time would never receive a response, which is exactly how a stealth firewall would behave. This is an extremely efficient design.

8 Likes

If you can script it, you can use a deploy hook (both certbot and acme.sh have them).

3 Likes

Exactly!

sudo certbot certonly --standalone -d "domain name" --deploy-hook "code or script file"

6 Likes

It's on the install command, not the issue command.

And, for acme.sh:

acme.sh --install-cert -d example.com [--ecc] \
   --fullchain-file /tmp/cert.pem \
   --key-file /tmp/key.pem \
   --reloadcmd "scp /tmp/cert.pem /tmp/key.pem user@otherserver:/path/on/other/server && rm /tmp/cert.pem /tmp/key.pem && ssh user@otherserver command to reload your software"

(--deploy-hook does something else in acme.sh)

4 Likes

? You can use a deploy hook without any installer at all (certonly) with certbot. It's very common to use a deploy hook in lieu of an installer. Maybe I misunderstood your comment?

7 Likes

I am not sure, I didn't know that the certonly command supported the --deploy-hook option.

4 Likes

It's very common to do something like the following when you don't want a certbot installer messing with your webserver configuration files:

sudo certbot certonly --apache -d "domain name" --deploy-hook "apachectl -k graceful"

sudo certbot certonly --nginx -d "domain name" --deploy-hook "nginx -s reload"

6 Likes
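The deploy-hook approach suggested above (certbot's --deploy-hook, and acme.sh's --reloadcmd doing the same job) copies the renewed certificate and key to the machine that actually serves them. The script below is an added example, not code from the thread or from certbot: it is a certbot deploy hook that validates the renewed lineage, ships fullchain.pem and privkey.pem to a separate host over scp, locks the key down there and runs a reload command. certbot sets RENEWED_LINEAGE and RENEWED_DOMAINS for the hook; the remote user, host, directory and reload command are placeholders you would replace.

```shell
#!/bin/sh
# Added example (not from the thread): a certbot --deploy-hook script that
# ships the renewed certificate and key to another host (e.g. the PBX) and
# reloads the service there. certbot exports RENEWED_LINEAGE (the
# /etc/letsencrypt/live/<name> directory) and RENEWED_DOMAINS to the hook.
# REMOTE_USER, REMOTE_HOST, REMOTE_DIR and RELOAD_CMD are placeholders.
set -eu

REMOTE_USER="${REMOTE_USER:-deploy}"
REMOTE_HOST="${REMOTE_HOST:-pbx.example.internal}"
REMOTE_DIR="${REMOTE_DIR:-/etc/pki/pbx}"
RELOAD_CMD="${RELOAD_CMD:-/usr/local/bin/reload-tls-placeholder}"

# Transport primitives kept as small functions so they can be swapped
# (rsync instead of scp, or local copies when testing).
remote_target() { printf '%s@%s:%s' "$REMOTE_USER" "$REMOTE_HOST" "$REMOTE_DIR"; }
copy_files()    { scp -q "$@"; }                                   # SRC... DEST
run_remote()    { ssh -o BatchMode=yes "$REMOTE_USER@$REMOTE_HOST" "$1"; }

# Refuse to deploy unless both files exist and the private key is not
# world-readable: a half-deployed or leaked key is worse than a skipped run.
check_lineage() {   # check_lineage LINEAGE_DIR -> 0 if usable
    lineage="$1"
    [ -r "$lineage/fullchain.pem" ] || { echo "missing fullchain.pem" >&2; return 1; }
    [ -r "$lineage/privkey.pem" ]   || { echo "missing privkey.pem" >&2; return 1; }
    # -L follows the live/ symlink into archive/ (GNU stat, then BSD stat).
    mode=$(stat -L -c '%a' "$lineage/privkey.pem" 2>/dev/null \
           || stat -L -f '%Lp' "$lineage/privkey.pem")
    case "$mode" in
        *[1-7]) echo "privkey.pem is world-readable (mode $mode)" >&2; return 1 ;;
    esac
    return 0
}

deploy_cert() {     # deploy_cert LINEAGE_DIR -> 0 on success
    lineage="$1"
    check_lineage "$lineage" || return 1
    copy_files "$lineage/fullchain.pem" "$lineage/privkey.pem" "$(remote_target)"
    # Tighten the key on the far side before anything reads it, then reload.
    run_remote "chmod 600 '$REMOTE_DIR/privkey.pem' && $RELOAD_CMD"
    echo "deployed ${RENEWED_DOMAINS:-$lineage} to $REMOTE_HOST"
}

# certbot runs the hook with RENEWED_LINEAGE set; without it (manual run,
# or sourced for testing) nothing is deployed.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_cert "$RENEWED_LINEAGE"
fi
```

Point certbot at it with `--deploy-hook /path/to/this-script.sh` on the certonly command; the hook only runs after a successful issuance or renewal, so a failed renewal never overwrites a working key on the remote host.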