
Lets Encrypt Auto Renewal

I've recently moved our 3cx management portal to a Lets Encrypt Cert. I've read that 3cx does auto renewal but my searches on the 3cx forum and google aren't giving me much information on how to set it up, monitor, and manage the auto renewal.

Can anyone tell me is there instructions for the 3cx portal auto renewal of Let's Encrypt certs? Some of the things I would be interested in is seeing the control panel for managing it and a way to schedule a time frame for it to update. Ideally it would be nice to set it up so that it runs during our weekend maintenance window.
 
If during the installation you selected a 3CX domain, the Let's Encrypt certificate is handled by 3CX - you do not have to do anything.

Any issues renewing the SSL certificate are emailed to the address configured for 'Email address for notifications'.

You cannot schedule when the renewal is done.
 
Please note that 3CX only auto-renews Let's Encrypt certificates if you have selected a 3CX FQDN. If you are using a custom FQDN with Let's Encrypt certificates you need to renew them yourself by following this guide: https://www.3cx.com/docs/self-hosted-instances-ssh/
 
> 3CX only auto-renews Lets Encrypt certificates if you have selected a 3CX FQDN.

This is what I was worried about. We have our own FQDN and host everything onsite. I used the web interface to generate the cert and I had to use http verification, which involves setting up a file on the web server for verification. There's got to be a better way to manage this than manually regenerating them every 90 days. Is there a way to generate Lets Encrypt certs with a longer time frame?
 
Thank you for the response. I'll see what our options are. It really depends on how much effort it takes to redo the cert every 90 days but we may just have to go with another provider.
 
LE has a lot of different client options: https://letsencrypt.org/docs/client-options/ All of them schedule a job to self-renew every 90 days on both Windows or Linux.

I had some issues getting the client to play nice with 3CX so ended up using a 3rd party cert, but I've gotten it to work on numerous other environments.
 
I'm sure you already know, but renewing a cert is just a matter of re-keying it and downloading and installing the new cert.

It takes 5 minutes unless the cert provider takes longer for some reason. Once you have the new cert, put the appropriate files on the 3CX server and restart the nginx service.

The purpose of Let's Encrypt was to automate this process and also make certs free. It does take some automation to make it happen on its own, which 3CX has built-in functionality for, but only for 3CX Let's Encrypt certs and not ones obtained through other avenues.
 
> but only for 3cx lets encrypt certs and not ones obtained through other avenues.

I think this is where I'm getting confused. I used the https://zerossl.com/ web interface. As part of the cert I needed to drop a file on my web server so that I could verify I owned it. If there is a simpler way to do it I missed it while figuring this out.
 
I use my self hosted 3cx instance running in Windows with letsencrypt. I use the script from here:
https://github.com/PKISharp/win-acme/wiki
This script can autorenew a Let's Encrypt certificate on Windows, and it can put the certificates as pfx files in a "Central_ssl" directory. I use that for my Exchange and other services. One certificate containing all subject alternative names. Let's Encrypt needs port 80 for verification. I don't need port 80 for anything, so I mapped port 80 for all external IP addresses via NAT to the server running the script.
Then I have set up a batch which runs daily to convert the pfx files to pem format using OpenSSL for Windows, and copy them to a separate directory.
REM -nokeys writes only the certificate (chain) to pbx.cert.pem, which nginx loads as ssl_certificate
c:\OpenSSL-Win64\bin\openssl.exe pkcs12 -in c:\central_ssl\cert.domainname.pfx -out c:\pbx\pbx.cert.pem -nodes -nokeys -password pass:
REM -nocerts writes only the (unencrypted, -nodes) private key to pbx.cert-key.pem, which nginx loads as ssl_certificate_key
c:\OpenSSL-Win64\bin\openssl.exe pkcs12 -in c:\central_ssl\cert.domainname.pfx -out c:\pbx\pbx.cert-key.pem -nodes -nocerts -password pass:
The 3cx pbx Server mounts this directory with a symlink on the 3cx server called \pbx. This way it appears as a local directory to the 3cx Software.
Now you have to change the configuration of nginx to load the certificate from the directory where the certificate is installed. You find the configuration file in:
C:\Program Files\3CX Phone System\Bin\nginx\conf\nginx.conf
two lines:
ssl_certificate /pbx/pbx.cert.pem;
ssl_certificate_key /pbx/pbx.cert-key.pem;

Not very straightforward, but it has worked for several months. If you want to run the script on the server running the 3CX PBX you can of course omit a few steps.
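An added example, not from the thread or from win-acme: a PowerShell version of the daily conversion step above that also checks the exported certificate and key before swapping them in, so a bad export cannot leave nginx unable to load its certificate. The paths, the empty PFX password and the nginx service name are assumptions to adjust for your own host.

```powershell
# Assumptions (not from the thread): paths are placeholders, the PFX has no password,
# and the 3CX nginx service name must be looked up with Get-Service on the PBX host.
$OpenSsl  = 'C:\OpenSSL-Win64\bin\openssl.exe'
$Pfx      = 'C:\central_ssl\cert.domainname.pfx'   # written by win-acme
$OutDir   = 'C:\pbx'                               # directory nginx.conf points at
$NginxSvc = 'NGINX_SERVICE_NAME_PLACEHOLDER'       # assumption: replace with the real service name
$Staging  = Join-Path $env:TEMP 'pbx-cert-staging'

New-Item -ItemType Directory -Force -Path $Staging | Out-Null
$certTmp = Join-Path $Staging 'pbx.cert.pem'
$keyTmp  = Join-Path $Staging 'pbx.cert-key.pem'

# Split the PFX: -nokeys keeps only the certificate chain, -nocerts only the private key.
& $OpenSsl pkcs12 -in $Pfx -nokeys -out $certTmp -passin pass:
if ($LASTEXITCODE -ne 0) { throw 'certificate export failed' }
& $OpenSsl pkcs12 -in $Pfx -nocerts -nodes -out $keyTmp -passin pass:
if ($LASTEXITCODE -ne 0) { throw 'key export failed' }

# Refuse to deploy a pair whose public keys differ: nginx would fail to start on such a pair.
$certPub = & $OpenSsl x509 -in $certTmp -noout -pubkey
$keyPub  = & $OpenSsl pkey -in $keyTmp -pubout
if (($certPub -join "`n") -ne ($keyPub -join "`n")) { throw 'certificate and key do not match' }

# Refuse a certificate that is expired or expires within the next 24 hours.
& $OpenSsl x509 -in $certTmp -noout -checkend 86400 | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'exported certificate is expired or about to expire' }

# Only replace the live files and restart nginx when the certificate actually changed.
$liveCert = Join-Path $OutDir 'pbx.cert.pem'
$liveKey  = Join-Path $OutDir 'pbx.cert-key.pem'
$changed  = -not (Test-Path $liveCert) -or
            ((Get-FileHash $liveCert).Hash -ne (Get-FileHash $certTmp).Hash)
if ($changed) {
    Copy-Item $certTmp $liveCert -Force
    Copy-Item $keyTmp  $liveKey  -Force
    # The key is unencrypted (-nodes): restrict it to SYSTEM and Administrators.
    icacls $liveKey /inheritance:r /grant:r 'SYSTEM:F' 'Administrators:F' | Out-Null
    Restart-Service -Name $NginxSvc
    Write-Output "Certificate updated; $(& $OpenSsl x509 -in $liveCert -noout -enddate)"
} else {
    Write-Output 'Certificate unchanged; nothing to do'
}
Remove-Item -Recurse -Force $Staging
```

Run it from the same daily scheduled task that currently runs the batch; a failed check leaves the previous certificate in place and the nginx service untouched.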
 
@nobody

Nice tip. I would just say that I would try to put the certificate where 3CX expects it by default vs changing the nginx config. Makes the changes more likely to survive upgrades.
 
@nobody

Thank you for the information. I'm going to look at automating it using what you posted.
 
@nobody

Your information worked great. Once I got the Acme client to generate a cert the first time it automatically built the scheduled task to renew. It was much easier than expected, just a little overwhelming figuring out Lets Encrypt the first time. Thank you for the help.
 
great that this works!

Regarding the posting from cobaltit:
Yes, but maybe. I first tried to copy the certificate to the place and name where the 3CX default installation puts it. But then, one day the server was down because of a problem reading the certificate. I had to restart the nginx instance. So I changed the path to my personal folder. No problems since then.
Maybe this was a random problem, maybe not. 3CX support should know the best practice for using your own certificate and where to place it.
 