SSL, SNOM and Wildcards

[Hawk IT]

That tiltle sounds like the title of a tech book... 

Anyway, Hi all, 

    We're relatively new with Vodia, and I'm looking for an SSL certificate that will:

• Work for my wildcard domain
• Provision properly with the SNOM phones for TLS (This is the hard part)
• Secure the web interface, with or with out the greenbar, just dont want an SSL error on my login page...
• Won't make me take out a second mortgage on my home. 

In a perfect world, I wonder if there is a way to use my SSL cert with another 2 levels, such as "https://customer.server1.mydomain.com" but I can be flexible on the naming convention as we are just starting out... Is there a way I can check with SSL providers which certs use which CA's? Has anyone else had any luck within the past few months, or any long time standing working well certificates? A link with which product worked for you would be awesome. I just don't wanna invest in a cert that SNOM doesnt like, and it would be great to be pushed in the right direction. Thanks for your help! --JM

[Support]

Hi,

 

If you are installing the latest 61.0 version of our PBX then you wont need the wildcard certificates for your customer domains and your own domain as well.

1) Turn letsencrypt on from, reg_settings page under "ACME Directory URL" field. Then you should have valid certificates on the PBX.

2) Delete the "localhost" cert if you have it in your certificate list, refresh, clear the caches and try again.

3) For your own domain name go to the page "/reg_settings.htm" and enter the domain name in "System management DNS address" field and hard refresh the page.

 

We also use two distinct certificates in our Certificates section for Snom phones in Trusted Root CA for server and Client authentication. But if they don't work for you, you can always use your own certs as well.

 

You can check all the details from the SSL certificate description section itself, if that doesn't help, let us know and we can try to see if we can be of any help.

 

 

[Hawk IT]

Hi Support, 

      Completed Steps 1 and 3, Reset all browsers and reset the caches. Still using Vodia Root Cert. Didnt see anything in the Logs that Lets Encrypt! ran or associated itself. Send me an email when you can can and I can let you into the system for some help. My aim is to keep the TLS running for the SNOM phones and secure the Web SSL. Thanks! --JM

[Support]

Hi,

 

You can send an email to support@vodia.com as well.

These steps must have helped you to secure your web GUI of the PBX for you and your clients to be on green https. Snoms working on TLS will not be covered with those steps. For that we do have two certificates in our certificate chains on the PBX which the phone gets when it is provisioned, but maybe it didn't work for you. There you can use your wildcard certs.

[Vodia PBX]

If you want to use letsencrypt your server must be on a public IP where the DNS name points to your server. Port 80 must be used. If run your server on a private IP address, you can still use letsencrypt, but must use a DNS hosting service. The only one we are supporting right now is dnsmadeeasy.com. 

[Hawk IT]

I'm on a public IP, the DNS is already set, and by luck I'm already using DNS Made Easy. All ports are available. I'll call when support opens up today and get some help from support, as they are not being issued for me. I can't get Grandstream GAPS (RPS) working either, and I want to get this all sorted. I'm feeling quite disillusioned with Vodia's auto-provisioning.. 

[Vodia PBX]

There is a log category for ACME (which is the protocol that letsenrypt uses). Try putting it to 9 so that you see everything that is going on. If you put your dnsmadeeasy key in, it will not use HTTP and only try the DNS challenge - again this should be visible in the log. 

The whole thing gets triggered when you set up a new domain or when you set the management address for the PBX. The PBX checks every 24 hours if a domain certificate will expire and then will trigger the issuing of another LE certificate.

Grandstream has changed their RPS API, it seems that this change was not backward compatible. If you want to give that a try, you will probably have to move to 61.1. 

[cwernstedt]

DNSmadeEasy provides a user name, and two keys: API Key and Secret Key .
From these three, what should go into the two fields provided on the pbx (user name and password) ?

[Solved on my own: Should be API Key and Secret Key for user name and password ]