
Setup https certificate using Voida root CA


melanc


Hi

I am new to Vodia PABX. I installed Vodia on AWS and am trying to access the public IP using https.

I can access the public IP URL without https.

So how can I install the default Vodia root CA to use https?

When I use the Vodia mobile client, it says "invalid server certificate on PABX" and then I can log into the extension.

Thank you


Hi

I followed the steps of the video and the certificate was not created.

I'm using AWS with Vodia Version 65.0.8 on a free licence for a POC.

Already enabled ports 80/443.

I changed the localhost domain name into the AWS domain as I don't have a licence to create multiple domains.

See the error messages in the logfile. Also, my Windows client is now not working due to the new changes to localhost.

Please advise.

[5] 12:25:51.342 HTTP 172.65.32.248: [ff73b3b9] Certificate for acme-v02.api.letsencrypt.org could not be verified
[3] 12:25:51.520 Could not retrieve directory from directory https://acme-v02.api.letsencrypt.org/directory
[2] 12:25:51.520 Exception for getDirectory
[5] 12:25:52.339 HTTP 172.65.32.248: [80bdac3f] Certificate for acme-v02.api.letsencrypt.org could not be verified
[3] 12:25:52.517 Could not retrieve directory from directory https://acme-v02.api.letsencrypt.org/directory

You can assign multiple names to a single domain, e.g. "bla.pbx.com" as primary name and "bla2.pbx.com bla3.pbx.com" as alias names.

The problem seems to be that the PBX does not trust the letsencrypt server. Did you delete the certificate in the list of default certificates? I think it was "DST Root CA X3".


9 minutes ago, Vodia PBX said:

You can assign multiple names to a single domain, e.g. "bla.pbx.com" as primary name and "bla2.pbx.com bla3.pbx.com" as alias names.

The problem seems to be that the PBX does not trust the letsencrypt server. Did you delete the certificate in the list of default certificates? I think it was "DST Root CA X3".

Yes. I deleted all certificates except the Vodia root CA.

Is there any way I can import all default certificates or upload only DST Root CA X3?


13 hours ago, Vodia PBX said:

There is a "reset" button on the page that will bring back all the default Root CA. Just press it and then the PBX should be able to fetch the Let's Encrypt certificate for you.

Thanks, I reset it and I got all certificates back.

But I am still struggling to get a certificate to use https.

I changed the domain name to voice.volladotelcom.xyz to see if I'd have any luck, and it is still the same issue.

I have attached screen captures of my system; please point out to me where I should start troubleshooting.

The logfiles do not give more details to understand the exact issue.

1.jpg

2.jpg


Well... Do you own that domain? If not, it would be quite a surprise if the robot would issue you the certificate! You prove that you own the DNS address by pointing it to the IP address of the PBX and make port 80 available in that address. I mean, if you try pbx.google.com it will most likely also not work unless you work there and have good relationships with the management. 


18 hours ago, Vodia PBX said:

Well... Do you own that domain? If not, it would be quite a surprise if the robot would issue you the certificate! You prove that you own the DNS address by pointing it to the IP address of the PBX and make port 80 available in that address. I mean, if you try pbx.google.com it will most likely also not work unless you work there and have good relationships with the management. 

Hi

I'm sorry, I was trying to understand how this certificate issue works and troubleshoot it.

I used the DNS name of my AWS server and it did not work, even though the DNS query resolved.

I don't have my own DNS and Vodia is sitting on the AWS public IP.

Yea certificates are actually a very complex and confusing topic. The EC2 DNS name should work, but of course you need to make sure that the Amazon firewall passes requests to port 80 through to the PBX (also you should open port 443 for the actual HTTPS access). 


Do you have a FQDN address mapped to your Public IP for the PBX on AWS?

If yes, then all you need to do is open your ports 80 and 443 and turn on the "ACME Directory URL" setting on /reg_settings.htm page on the PBX and then just wait for sometime for it to get the certificate.

Try to log off and log back in with https into the PBX and see if you've gotten a certificate.
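The posts above describe what the Let's Encrypt robot needs before it will issue a certificate: the FQDN in the order must resolve to the PBX's public IP and port 80 must be reachable for the HTTP-01 challenge. The following pre-flight check is an added example written for this thread, not Vodia's code; the FQDN, IP addresses and function names are illustrative, and the resolver and connector are injectable so the logic can be exercised offline.

```python
"""Pre-flight check for ACME HTTP-01 issuance (added example, not Vodia's code).

Let's Encrypt resolves the name in the order and fetches
http://<fqdn>/.well-known/acme-challenge/<token> on port 80, so the name
must point at the PBX and port 80 must be open in the AWS security group.
"""
from __future__ import annotations
import socket
from dataclasses import dataclass, field


@dataclass
class PreflightResult:
    resolved: list[str]           # IPv4 addresses the FQDN currently points to
    dns_ok: bool                  # expected public IP is among them
    port80_ok: bool               # TCP connect to port 80 on that IP succeeded
    problems: list[str] = field(default_factory=list)


def resolve_a(fqdn: str) -> list[str]:
    """Default resolver: all IPv4 A records for the name (raises OSError on NXDOMAIN)."""
    infos = socket.getaddrinfo(fqdn, 80, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def tcp_open(ip: str, port: int = 80, timeout: float = 3.0) -> bool:
    """Default connector: plain TCP connect, the same first step the ACME server takes."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def acme_preflight(fqdn: str, expected_ip: str, resolve=resolve_a, connect=tcp_open) -> PreflightResult:
    problems: list[str] = []
    if "." not in fqdn.strip("."):
        # "localhost" or a bare hostname is not a public DNS name; the CA will never accept it.
        problems.append(f"{fqdn!r} is not a public FQDN; use a name with an A record")
    try:
        ips = resolve(fqdn)
    except OSError as exc:
        ips = []
        problems.append(f"{fqdn} does not resolve: {exc}")
    dns_ok = expected_ip in ips
    if ips and not dns_ok:
        problems.append(f"{fqdn} resolves to {ips}, not the PBX public IP {expected_ip}; fix the A record")
    port80_ok = dns_ok and connect(expected_ip, 80)
    if dns_ok and not port80_ok:
        problems.append(f"port 80 on {expected_ip} is not reachable; open it in the AWS security group")
    return PreflightResult(ips, dns_ok, port80_ok, problems)
```

Run it from a machine outside AWS, since the security group is what is being tested; a result with an empty `problems` list means the robot can at least reach the challenge URL.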


27 minutes ago, Vodia PBX said:

Yea certificates are actually a very complex and confusing topic. The EC2 DNS name should work, but of course you need to make sure that the Amazon firewall passes requests to port 80 through to the PBX (also you should open port 443 for the actual HTTPS access). 

Yes, I did. I followed the YouTube video for installing Vodia on AWS, so all ports were opened when I created the EC2 instance. Also checked the ports again manually.


1 hour ago, Support said:

Do you have a FQDN address mapped to your Public IP for the PBX on AWS?

If yes, then all you need to do is open your ports 80 and 443 and turn on the "ACME Directory URL" setting on /reg_settings.htm page on the PBX and then just wait for sometime for it to get the certificate.

Try to log off and log back in with https into the PBX and see if you've gotten a certificate.

Hi 

I am sorry for asking a stupid question.

Vodia PABX is on AWS. So EC2 has its own DNS address mapped to its public IP.

So I used the EC2 DNS address to set the domain name. Is that correct? Please see the screenshots.


51 minutes ago, Vodia PBX said:

There is a log level "Log ACME certificate processing" to 9 in the system log—I would turn it on and see what the PBX has to say. One of the key questions is if the robot is trying to validate the certificate. That would mean that port 80 is available. 

[0] 20200612223825: Automatic reboot
[1] 20200612223916: syslog messages will be sent to 172.31.40.234
[1] 20200612223916: Starting up version 65.0.8
[1] 20200612223916: Adding DNS server 127.0.0.53 to the dns server list
[1] 20200612223916: Working Directory is /usr/local/pbx
[5] 20200612223917: Starting threads
[4] 20200612223917: Join multicast group on address 0.0.0.0
[5] 20200612223917: Set scheduling priority to 1
[5] 20200612223917: Set process affinity to 1
[2] 20200612223917: Trunk status XXXX SIP (1) changed to "200 OK" (1800 s)
[5] 20200612223917: Ignore traffic from user-agents "CSipSimple" "Gulp" "PortSIP" "SIVuS" "VaxIPUserAgent" "VaxSIPUserAgent" "friendly-request" "friendly-scanner" "iWar" "pplsip" "sip-scan" "siparmyknife" "sipcli" "sipsak" "sipv" "sipvicious" "smap" "sundayddr"
[6] 20200612224018: Refreshing ec2-XXXXXXXX-XXX.ap-southeast-2.compute.amazonaws.com
[8] 20200612224018: Create new account
[7] 20200612224018: Retrieved directory "{\n  \"SZq4NtVzhH4\": \"https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417\",\n  \"keyChange\": \"https://acme-v02.api.letsencrypt.org/acme/key-change\",\n  \"meta\": {\n    \"caaIdentities\": [\n      \"letsencrypt.org\"\n    ],\n    \"termsOfService\": \"https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf\",\n    \"website\": \"https://letsencrypt.org\"\n  },\n  \"newAccount\": \"https://acme-v02.api.letsencrypt.org/acme/new-acct\",\n  \"newNonce\": \"https://acme-v02.api.letsencrypt.org/acme/new-nonce\",\n  \"newOrder\": \"https://acme-v02.api.letsencrypt.org/acme/new-order\",\n  \"revokeCert\": \"https://acme-v02.api.letsencrypt.org/acme/revoke-cert\"\n}"
[8] 20200612224018: New order ec2-XXXXXXXX-XXX.ap-southeast-2.compute.amazonaws.com
[8] 20200612224019: Received key for new order (1708 bytes)
[8] 20200612224019: Send new order for ec2-XXXXXXXX-XXX.ap-southeast-2.compute.amazonaws.com
[7] 20200612224020: Received nonce 0101V0aFyvUoqy_iQngBKVNQsFBlNpa0JV2hEU7i1HL3pKQ
[8] 20200612224020: Parse key
[8] 20200612224020: Account has location https://acme-v02.api.letsencrypt.org/acme/acct/88555057
[7] 20200612224020: Send to https://acme-v02.api.letsencrypt.org/acme/new-order
{"identifiers":[{"type":"dns","value":"ec2-XXXXXXXX-XXX.ap-southeast-2.compute.amazonaws.com"}]}
[7] 20200612224021: Received nonce 0101asNpo2MRCnkGQfDqIcnXTFQdDFxoptxaBS09TOZwI60
[2] 20200612224021: Exception for sendPayload
{"payload":"eyJpZGVudGlmaWVycyI6W3sidHlwZSI6ImRucyIsInZhbHVlIjoiZWMyLTMtMTA0LTMwLTIxNy5hcC1zb3V0aGVhc3QtMi5jb21wdXRlLmFtYXpvbmF3cy5jb20ifV19","protected":"eyJhbGciOiJSUzI1NiIsImtpZCI6Imh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvODg1NTUwNTciLCJub25jZSI6IjAxMDFWMGFGeXZVb3F5X2lRbmdCS1ZOUXNGQmxOcGEwSlYyaEVVN2kxSEwzcEtRIiwidXJsIjoiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvbmV3LW9yZGVyIn0","signature":"lYoNWgIHpyLIeuPz7_xRC7_kpHGcZclsJMV3f1OJUJFaFS3aEVsZIVWFmz-sZJoUWeyK8wG7LP0Q-ryTov_nvmNN2XkfPFpbimoD7T4qC-UrtTKZRDgQJQzdVDiAhJ4-jLXK42p4qtGzEtG487v4vZN3wCiJ0mz1FQASOQvqlI_bXvr2REjlFK1_2f6N0jpZLSC2METKMzZl-_OGLoiVQNQm0fhGOeMTuhaj7tz6-wp2g26tigoLNwnU1K6XrMP5ijI3hi4MCp6Nixzt_iwB0CWxjoGaAFLgKZ6UiLkzOMQyAh2p-OK4iPX71wzOK_cdpxfnnxHQf8fjJZhIYvH-gg"}

This is the log level 9 output. Sorry, I cannot read this. Please let me know where the issue is.


Hi, Melanc 

You will need to purchase a .com or an .xyz name, it doesn't really matter, you just need a FQDN. With GoDaddy you can pay 99 cents for a domain the first year and 14.99 annually; however, that means you can point hundreds of A records to your Vodia PBX phone system and then have Let's Encrypt create the certs for them. I would recommend checking this link out to give you a general idea how A records work with GoDaddy. https://www.godaddy.com/help/change-an-a-record-19239


On 6/13/2020 at 11:26 AM, Vodia support said:

You will need to purchase a .com or an .xyz name, it doesn't really matter, you just need a FQDN. With GoDaddy you can pay 99 cents for a domain the first year and 14.99 annually

Subdomains are usually for free if you already have a domain for your company. 
