Using Let's Encrypt with Asterisk?


#1

I’m assuming it’s possible to do this, or at least it should be.

I guess I’d like to know if the certs are compatible at all before I invest time trying to figure it out!


#2

tl;dr no


#3

@Leliana: I believe OP is referring to Asterisk the VoIP software, and not the asterisk symbol (i.e. wildcard certificates). At least I hope so, otherwise the rest of my reply will be completely off-topic. :smile:

I skimmed through the Asterisk wiki page on this topic, and as far as I can tell, there’s no reason why it wouldn’t work. tlscertfile expects a file with both the certificate and your private key, which you would have to generate yourself if you’re using the official client (simply by concatenating cert.pem and privkey.pem), though that will probably be solved in future updates.

All currently available authorization mechanisms will require you to run some kind of web server to serve challenge files on the domain you want to generate certificates for. The client has a standalone mode which will spawn a web server and serve the challenge files for you, but you have to make sure it’s available from outside your network. In the future, DNS-based challenges will be available as well.
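The concatenation step above, as an added example that is not part of this thread: a small POSIX shell helper that builds the single cert+key file Asterisk's tlscertfile expects from the client's cert.pem and privkey.pem, keeps the result readable only by its owner (it now carries the private key), and has to be re-run after every renewal because the client does not rebuild it. The directory layout and output path are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: build the single cert+key file that
# Asterisk's tlscertfile expects from the client's cert.pem and privkey.pem.
# Directory layout and output path are assumptions; adjust to your install.
set -eu

# build_asterisk_pem <dir containing cert.pem and privkey.pem> <output file>
# Writes the certificate first, then the private key, with 0600 permissions,
# and replaces the target atomically so Asterisk never reads a half-written file.
build_asterisk_pem() {
    src="$1"
    out="$2"
    for f in cert.pem privkey.pem; do
        [ -r "$src/$f" ] || { echo "missing $src/$f" >&2; return 1; }
    done
    # The subshell keeps the tight umask local; the temp file is created 0600,
    # so the private key is never readable by others, even briefly.
    rm -f "$out.tmp"
    ( umask 077; cat "$src/cert.pem" "$src/privkey.pem" > "$out.tmp" )
    mv -f "$out.tmp" "$out"
    # Sanity check: exactly one certificate block and one private-key block.
    [ "$(grep -c 'BEGIN CERTIFICATE' "$out")" -eq 1 ] || { echo "bad cert block count" >&2; return 1; }
    [ "$(grep -c 'BEGIN.*PRIVATE KEY' "$out")" -eq 1 ] || { echo "bad key block count" >&2; return 1; }
}

# check_key_matches_cert <dir>  (optional, needs openssl): confirms the private
# key really belongs to the certificate before the combined file is deployed.
check_key_matches_cert() {
    src="$1"
    cert_pub=$(openssl x509 -in "$src/cert.pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$src/privkey.pem" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Usage (run again after every renewal, since the client does not rebuild this file):
#   build_asterisk_pem /etc/letsencrypt/live/voip.mydomain.com /etc/asterisk/keys/asterisk.pem
```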


#4

@xero09: To the best of my knowledge, @pfg’s answer is correct. Most services that use TLS should be compatible with the certificates issued by Let’s Encrypt. The interesting thing is to make sure that the clients that connect to your Asterisk server trust the certificate chain served by Let’s Encrypt. Roughly speaking, you should check that clients have IdenTrust’s “DST Root X3” in their trusted certificate store. You should also make sure to serve the correct intermediate certificate.


#5

Thanks for the replies guys. I’ve had trouble getting Asterisk to work with TLS in the past, so it’s nice to know if the issue is with my config or the certificates themselves. At least I know they should work!

The DNS name shouldn’t be an issue as I can always throw up a temporary web server at the given address to have it issued in say voip.mydomain.com.