FQDN and SSL Cert

Discussion in '3CX Phone System - General' started by sanpliance, Jul 15, 2016.

Thread Status:
Not open for further replies.
  1. sanpliance

    Joined:
    Jun 23, 2015
    Messages:
    10
    Likes Received:
    0
    Yeah, this whole SSL thing during installation is a bit too draconian for my taste. I'm a network admin, and I know how to get certs, install them, etc... but this is always client based. You have to generate a request file, get it signed by the registrar, and then you have it to install..., but wrapping that up into the 3cx installation process has me at a standstill. 3cx now uses nginx on Windows, so I can't just hop over to get a free cert, their Windows clients are based on IIS. What should happen is, a self-signed should be generated during installation, allowing for replacement later by the admin.
    2 options during install, using the new command line based 3cx pbx configuration tool: 3cx generated, or my own FQDN, with a cert, but you have to have the cert ahead of time. This leaves customers' PBXs down while we get this straightened out.
    if we use a 3cx fqdn, (probably the quickest installation route), then customers are tied to mixing their pbx url with a 3cx domain.
    I exited out of the configuration tool, only to find it wasn't installed as a program in the windows list, so without knowing the right executable to get back to where I was, I had to un-install, and re-install to get back to the wizard.

    This whole process needs re-thought, you are going to get a lot of complaints during customer upgrades.
    Just my opinion.
     
  2. sanpliance

    Joined:
    Jun 23, 2015
    Messages:
    10
    Likes Received:
    0
    Do you have a blog post on how we are supposed to generate a certificate request, and get it signed for nginx, since it's incorporated into 3cx now? Will we have to pre-install nginx, generate cert request, get a cert file, then install 3cx, and will nginx conflict with the one to be installed by 3cx? Major questions about all this. v14 installer worked fine, letting us as the pbx admin choose.
    I'm even fine with the command line, as long as it can generate the request, and exit, and we have a shortcut to run, to pick up where we left off, idk, anything but this.
     
  3. sanpliance

    Joined:
    Jun 23, 2015
    Messages:
    10
    Likes Received:
    0
  4. cobaltit

    cobaltit Active Member

    Joined:
    Mar 22, 2012
    Messages:
    947
    Likes Received:
    154
    This works, at least for initially generating key/cert to install. For renewals I will tackle that another day.

    https://zerossl.com/
     
  5. StefanW

    StefanW Head of Customer Support and Training
    Staff Member 3CX Support

    Joined:
    Jun 2, 2009
    Messages:
    1,216
    Likes Received:
    88
    I made this tool to generate the CSR out of my own need, as it can be tricky to get your hands on a key from which the CSR is generated. After that, pick any public SSL cert issuer of your liking, present the CSR and for some $ you will get a public cert. Check that the root CA of the issuer is included in the IP phones if you plan to have remote extensions! If you only have internal phones, StartSSL is just fine.
     
  6. StefanW

    StefanW Head of Customer Support and Training
    Staff Member 3CX Support

    Joined:
    Jun 2, 2009
    Messages:
    1,216
    Likes Received:
    88

    That's a reason why I have not documented Let's Encrypt, as they only issue the cert for 90 days and then it needs to be renewed. Also it is a different method of getting the cert, via an API interface. So if this is not done via 3CX it is not so easy to maintain. It would be great if we could issue those certs for your own domains, but this would require that we have access to your public DNS, and there it already stops...
     
  7. StefanW

    StefanW Head of Customer Support and Training
    Staff Member 3CX Support

    Joined:
    Jun 2, 2009
    Messages:
    1,216
    Likes Received:
    88
    Great find, that is "https://zerossl.com/free-ssl/#self", new to me.

    But this has some massive downsides to it.
    As the page states, "it is good for testing use", and this is why we don't issue self-signed certs made by 3CX anymore. But fair enough.

    However, if someone gives you a cert and a key, that means that this company has the ability to get into your traffic as a man in the middle. Not saying they ever will, but it defeats the goal a bit! I can tell you my home address, but without giving you my house key the door is shut...
     
  8. StefanW

    StefanW Head of Customer Support and Training
    Staff Member 3CX Support

    Joined:
    Jun 2, 2009
    Messages:
    1,216
    Likes Received:
    88

    I will document shortly how to change the cert of the pbx without the need to reinstall it. With the new way 3CX uses the web server it is very simple.
     
  9. StefanW

    StefanW Head of Customer Support and Training
    Staff Member 3CX Support

    Joined:
    Jun 2, 2009
    Messages:
    1,216
    Likes Received:
    88
    But this cannot be different than it is. If I give you key and cert (outlined in a post a bit above from me) it would be useless effort... And yes, some clients are not the happiest to see a 3CX domain instead of their own, but let's recap: where do they see it? In the 3CXPhone? No. In the IP Phone Provisioning? No. In RPS? No. The only place where you see it is while opening the MNG Console from outside or downloading a report. The rest is transparent. And webmeeting is anyway done via a 3CX domain as it is hosted on our servers. So if your own domain is pbx.mybusiness.com your webmeeting URL will be pbxmybsuiness.3cx.net... Here is the full take on it: http://www.3cx.com/docs/fqdn-management-allocation/
     
  10. StefanW

    StefanW Head of Customer Support and Training
    Staff Member 3CX Support

    Joined:
    Jun 2, 2009
    Messages:
    1,216
    Likes Received:
    88
    -- I hope I could bring some light to this topic for you, enjoy --
     
  11. JohnSim

    Joined:
    Jul 15, 2016
    Messages:
    5
    Likes Received:
    0
    Useful stuff, cheers.

    From what I can see, it all happens in the browser, which creates the whole stuff without connecting back. Sounds pretty cool to me. So it is not really like the situation when someone "gives" you something.

    Basically it would make more sense to suspect that 3cx app is stealthily sending my contacts and SD card content somewhere. Not saying it ever does that, but permissions allow this and MORE! :D By the way, where can I find the explanation for all permissions app requires? I mean not just what the permission means but why app needs that and how and when each permission is used really.
     
  12. sanpliance

    Joined:
    Jun 23, 2015
    Messages:
    10
    Likes Received:
    0
    zerossl was indeed the easiest, but as mentioned, you have to renew in 90 days.
    also, if your IIS wasn't set up for verifying the zerossl, you have to do this:
    I made an IIS site with the domain, then deleted it before installing 3cx v15, so there were no conflicts.

    used startssl in the past, but sure had trouble getting my authentication certificate installed. I will go towards purchased certificates for customers.

    so, are there any that generate the csr/account key like zerossl? definitely helpful, since 3cx now wants the cert at install.
    also interested in any further tools like the csr gen tool.
     
  13. cobaltit

    cobaltit Active Member

    Joined:
    Mar 22, 2012
    Messages:
    947
    Likes Received:
    154
    You could have chosen the DNS verification method and then just downloaded the cert and key to provide them to the installation script.
     
  14. JohnSim

    Joined:
    Jul 15, 2016
    Messages:
    5
    Likes Received:
    0
    I think there is a separate csr gen on zerossl too (shows more fields and you can choose key length) - https://zerossl.com/free-ssl/#csr
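
The workflow discussed in this thread (create the key and CSR yourself, hand only the CSR to the issuer, then check the returned certificate before installing it), as an added example that is not part of any post or of 3CX's tooling. It assumes OpenSSL 1.1.1 or later on the PATH; the function names and file paths are illustrative.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes OpenSSL 1.1.1+ (for -addext).

# Create a private key and CSR locally; only the CSR goes to the issuer.
# usage: make_csr <fqdn> <key-out> <csr-out>
make_csr() {
  ( umask 077   # key file readable by its owner only
    openssl req -new -newkey rsa:2048 -nodes \
      -keyout "$2" -out "$3" \
      -subj "/CN=$1" -addext "subjectAltName=DNS:$1" 2>/dev/null ) || return 1
  # Confirm the CSR's self-signature before submitting it.
  openssl req -in "$3" -noout -verify 2>&1 | grep -q 'verify OK'
}

# SHA-256 of the public key held in a key, CSR or certificate file.
# usage: pub_hash key|csr|cert <file>
pub_hash() {
  pem=$(case "$1" in
    (key)  openssl pkey -in "$2" -pubout ;;
    (csr)  openssl req  -in "$2" -noout -pubkey ;;
    (cert) openssl x509 -in "$2" -noout -pubkey ;;
  esac 2>/dev/null)
  [ -n "$pem" ] || return 1
  printf '%s\n' "$pem" | openssl sha256 | awk '{print $NF}'
}

# True only if the certificate matches the key and has <days> validity left.
# usage: cert_ok <cert> <key> <min-days-left>
cert_ok() {
  c=$(pub_hash cert "$1") && k=$(pub_hash key "$2") || return 1
  [ "$c" = "$k" ] &&
    openssl x509 -in "$1" -noout -checkend $(( $3 * 86400 )) >/dev/null
}
```

Running `cert_ok` with a 30-day threshold from a scheduled task flags a 90-day certificate before it lapses, and the key comparison catches a certificate that was issued for a different key than the one on the PBX.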
     
  15. SON

    SON

    Joined:
    Feb 1, 2017
    Messages:
    4
    Likes Received:
    0
    Hi StefanW, how can I renew the expired certificate without the need to reinstall the 3CX version 15 (Windows)?...thanks
     