SSL Certificate for Non-Hosted Domain

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: nollicomm.net

I ran this command: Lets Encrypt via FreePBX

It produced this output: selt test error: pest_curl_exec- could not resolve host name secret.nollicomm.net where secret is a hidden name of the sub-domain: unknown error
:
My web server is (include version):FreePBX 16

The operating system my web server runs on is (include version): FreePBX 16

My hosting provider, if applicable, is: not hosting the domain just registered for SSL certificate for non-facing FreePBX voipserver and phones

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no, my domains are registered via Misk.com

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): no

1 Like

Hi @nollicrypt and welcome to the community.

nollicomm.net.		7091	IN	A	52.3.162.226
nollicomm.net.		7091	IN	A	34.203.101.184 ??

secret.nollicomm.net. 7091 IN A 52.3.162.226

So If I may ask ... What are you trying to do? Is your PBX public facing? Please give us some info about what you are trying to accomplish.

4 Likes

Thank you Rip for responding. What I want to do is to make my PBX as secure as possible; however, to accomplish that end, I needed to use a domain name. First, I thought I could use a made up name and let Let's Encrypt issue a certificate. However, that turned out to be misinformation and I needed to register a real domain. I already had several domains but because I didn't want to expose any of those, I created a new one that will just be used internally in my home office.

So, my FreePBX number is the only aspect that will face the public. The domain nolicomm.net is only to facilitate secure communication between my firewall (pfSense), Freepbx, and the actual phone (Htek). The domain will not be hosted by hosting providers other than been registered.

So last night, I could not understand why I could get a certificate since I legitimately own the domain. In fact, I am not sure the request actually got to Let's Encrypt since I made the request from FreePBX that's behind my pfsense in a DMZ. Also, I was not expecting secret dot nollicomm.net to resolve...it was just an example. So for full transparency, my host name will be nollivoipserver.nollicomm.net and phones.nollicomm.net

1 Like

If you don't want to expose port 80 or 443 on the internet (for those FQDNs), you should use dns-01 validation.

Because you registered a domain on purpose, it's easier: use your DNS provider APIs or change DNS provider to one with good support.

I am not sure about this, but you might get away with not creating the label for the FQDNs in your zone, if you use the dns-01 challenge.

4 Likes

But given that you'll be the only user, you can also make your own CA, add your root certificate to the system store, and sign certificates for whatever domain you want (of course, they'll be trusted by you and you alone)

5 Likes

This was the suggestion on the FreePBX; however, their set up for Let's Encrypt doesn't allow that...or I would need to add acme.sh and that is presenting a steep learning curve. I might be able to do just that with the Acme package on pfSense.

I already purchased a domain in order to get the SSL certificate.

1 Like

You can install whatever client on whatever machine. It's easier when acme client and server are in the same machine, but you can always install certbot on your laptop and set a deploy hook that uses scp/rsync to send the certificate and key where they are needed.

Just don't install certbot on your laptop and expect the Apache/Nginx plugin to work. Webroot might, if you mount the remote directory. But dns-01, dns-01 will definitely work.

You can still do that. Look for minica and picoca.

3 Likes

I already spent the whole weekend running in circles. Right now, I just want the phone system working. I decided on a sip trunk provider last Friday and chased my tail with Let's Encrypt with no progress. There is so much misinformation on this Lets Encrypt.

So, I'll use the Acme package on pfSense to get the SSL and learn more on the subject of Acme client and server later.

1 Like

You might be surprised at how well acme.sh integrates with pfsense, and how easy it is to use in practice.
What version of pfsense are you using?
I may have missed it if it is in the thread already but who is managing your DNS? And do they have an API you can access for automation purposes?

5 Likes

Rip that was for adding acme.sh to FreePBX. I already have Acme package running on pfSense and had hope that the same ease was the case on FreePBX. So, my solution is to just use pfSense Acme package and don't worry about trying to deal with FreePBX and having to have port 80 opens to the wide world.

2 Likes

It should work. Are you satisfied with this solution?

3 Likes

@nollicrypt !
So have you created a process to backup and copy the cert(s) to FreePBX?

4 Likes

I haven't done it yet; however, the plan is to use HAproxy to create SSL offloading of the certificate to http on FreePBX thus creating a secure connection without having to have the certificate on FreePBX.
I'll report back when I have everything working.

I could make a copy of the certificate and import into FreePBX, but then, I would need to renew and that becomes awkward...I may try it once though.

2 Likes

Welcome to the Let's Encrypt Community :slightly_smiling_face:

This seems like the perfect situation to me to use something like certbot's "standalone" webserver option, which spins up a limited webserver instance on port 80 only for the short duration of the http-01 challenge verification when acquiring a certificate. Since no other webserver would be using port 80 (which is required anyhow for the standalone authenticator to work), anything attempting to contact your domain name(s) on port 80 at any other time would never receive a response, which is exactly how a stealth firewall would behave. This is an extremely efficient design.

5 Likes

If you can script it, you can use a deploy hook (both certbot and acme.sh have them).

3 Likes

Exactly!

sudo certbot certonly --standalone -d "domain name" --deploy-hook "code or script file"
3 Likes

It's on the install command, not the issue command,

And, for acme.sh

acme.sh --install-cert -d example.com [--ecc] \
   --fullchain-file /tmp/cert.pem \
   --key-file /tmp/key.pem \
   --reloadcmd "scp /tmp/cert.pem /tmp/key.pem user@otherserver:/path/on/other/server && rm /tmp/cert.pem /tmp/key.pem && ssh user@otherserver command to reload your software"

(--deploy-hook does something else in acme.sh)

3 Likes

? You can use a deploy hook without any installer at all (certonly) with certbot. It's very common to use a deploy hook in lieu of an installer. Maybe I misunderstood your comment?

4 Likes

I am not sure, I didn't know that the certonly command supported the --deploy-hook option.

3 Likes

It's very common to do something like the following when you don't want a certbot installer messing with your webserver configuration files:

sudo certbot certonly --apache -d "domain name" --deploy-hook "apachectl -k graceful"

sudo certbot certonly --nginx -d "domain name" --deploy-hook "nginx -s reload"
4 Likes