Generate Let's Encrypts certs for IPBrick
From wiki.IPBRICK.COM
To generate a certificate you must do the following:
1 Install certbot-auto v0.31.0 (ONLY THIS VERSION IS SUPPORTED IN IPBRICK OS)
mkdir /home1/_letsencrypt cd /home1/_letsencrypt wget https://ipbcloud.ipbrick.com/index.php/s/SxHtunjaWXEfOBf/download -O certbot-auto chmod a+x certbot-auto
More info on https://certbot.eff.org/#debianwheezy-other
2 Change the virtualhosts that will require certificates and write protect them:
eg. 200-200-light.domain.com Insert lines: SSLCertificateFile /etc/letsencrypt/live/ucoip.domain.com/cert.pem SSLCertificateKeyFile /etc/letsencrypt/live/ucoip.domain.com/privkey.pem SSLCertificateChainFile /etc/letsencrypt/live/ucoip.domain.com/chain.pem
Write protect the files: eg. chattr +i 200-200-light.domain.com
3 If you want to use CAFE Phone or UCoIP Page WebPhone you need:
Change file /etc/webrtc2sip/config.xml Modify ssl-certificates section: <ssl-certificates> /etc/letsencrypt/live/ucoip.domain.com/privkey.pem; /etc/letsencrypt/live/ucoip.domain.com/cert.pem; *; </ssl-certificates>
Restart service webrtc2sip: /etc/init.d/webrtc2sip stop /etc/init.d/webrtc2sip start
Write protect the file: eg. chattr +i /etc/webrtc2sip/config.xml
4 If you want to use UCoIP/CAFE Video Conference (WebRTC ) you need:
Copy certs into folder /opt/ucoip/site/rtc/signalmaster/ssl and create an empty ca.crt cp /etc/letsencrypt/live/ucoip.domain/privkey.pem /opt/ucoip/site/rtc/signalmaster/ssl/private.key cp /etc/letsencrypt/live/ucoip.domain.com/cert.pem /opt/ucoip/site/rtc/signalmaster/ssl/certificate.crt touch /opt/ucoip/site/rtc/signalmaster/ssl/ca.crt Change permissons and restart service: chown webrtc.webrtc /opt/ucoip/site/rtc/signalmaster/ssl/* /etc/init.d/webrtc_signal stop /etc/init.d/webrtc_signal start
5 Generate the certs with the command:
/etc/init.d/apache2 stop /home1/_locals/operator/certbot-auto certonly --standalone -d ucoip.domain.com -d webrtcproxy.domain.com -d ..... /etc/init.d/apache2 start The cert will be created on folder: /etc/letsencrypt/live
6 Create a script to renew the cert and call the command on cron.d (Certificates valid for 90 days)
Script (eg. /home1/_locals/operator/renewcerts.sh) #!/bin/sh echo "***********" $(date +"%m-%d-%Y - %H:%M") >> /var/log/le-renew.log /etc/init.d/apache2 stop >> /var/log/le-renew.log /home1/_locals/operator/certbot-auto renew >> /var/log/le-renew.log cp /etc/letsencrypt/live/ucoip.domain.com/privkey.pem /opt/ucoip/site/rtc/signalmaster/ssl/private.key >> /var/log/le-renew.log cp /etc/letsencrypt/live/ucoip.domain.com/cert.pem /opt/ucoip/site/rtc/signalmaster/ssl/certificate.crt >> /var/log/le-renew.log /etc/init.d/apache2 start >> /var/log/le-renew.log /etc/init.d/webrtc_signal stop >> /var/log/le-renew.log /etc/init.d/webrtc_signal start >> /var/log/le-renew.log
7. Place the script in cron.d and add execution permissions to this script
vi /etc/cron.d/letsencrypt 01 04 */15 * * root /home1/_locals/operator/renewcerts.sh ipbrick:~# ls -la /etc/cron.d/letsencrypt -rw-r--r-- 1 root root 58 Feb 23 16:15 /etc/cron.d/letsencrypt
chmod 755 /home1/_locals/operator/renewcerts.sh