melanc Posted June 10, 2020

Hi, I am new to Vodia PABX. I installed Vodia on AWS and am trying to access the public IP using https. I can access the public IP URL without https. So how can I install the default Vodia root CA to use https? When I use the Vodia mobile client, it says "invalid server certificate on PABX" and then I can log into the extension. Thank you.

Vodia PBX Posted June 10, 2020

There is a video on the subject.

melanc (Author) Posted June 11, 2020

Hi, I followed the steps of the video and the certificate was not created. I'm using AWS and Vodia version 65.0.8 with a free licence for a POC. Ports 80/443 are already enabled. I changed the localhost domain name into the AWS domain as I don't have a licence to create multiple domains. See the error messages in the logfile. Also, my Windows client is now not working either due to the new changes to localhost. Please advise.

  [5] 12:25:51.342 HTTP 172.65.32.248: [ff73b3b9] Certificate for acme-v02.api.letsencrypt.org could not be verified
  [3] 12:25:51.520 Could not retrieve directory from directory https://acme-v02.api.letsencrypt.org/directory
  [2] 12:25:51.520 Exception for getDirectory
  [5] 12:25:52.339 HTTP 172.65.32.248: [80bdac3f] Certificate for acme-v02.api.letsencrypt.org could not be verified
  [3] 12:25:52.517 Could not retrieve directory from directory https://acme-v02.api.letsencrypt.org/directory

Vodia PBX Posted June 11, 2020

You can assign multiple names to a single domain, e.g. "bla.pbx.com" as primary name and "bla2.pbx.com bla3.pbx.com" as alias names. The problem seems to be that the PBX does not trust the letsencrypt server. Did you delete the certificate in the list of default certificates? I think it was "DST Root CA X3".

melanc (Author) Posted June 11, 2020

9 minutes ago, Vodia PBX said:
  You can assign multiple names to a single domain, e.g. "bla.pbx.com" as primary name and "bla2.pbx.com bla3.pbx.com" as alias names. The problem seems to be that the PBX does not trust the letsencrypt server. Did you delete the certificate in the list of default certificates? I think it was "DST Root CA X3".

Yes. I deleted all certificates except the Vodia root CA. Is there any way I can import all default certificates or upload only DST Root CA X3?

Vodia PBX Posted June 11, 2020

There is a "reset" button on the page that will bring back all the default Root CA. Just press it and then the PBX should be able to fetch the lets encrypt certificate for you.

melanc (Author) Posted June 12, 2020

13 hours ago, Vodia PBX said:
  There is a "reset" button on the page that will bring back all the default Root CA. Just press it and then the PBX should be able to fetch the lets encrypt certificate for you.

Thanks, I reset it and I got all certificates back. But I am still struggling to get a certificate to use https. I changed the domain name to voice.volladotelcom.xyz to see if I'd have any luck and still the same issue. I have attached screen captures of my system; please point out to me where I should start troubleshooting. The logfiles do not give more details to understand the exact issue.

Vodia PBX Posted June 12, 2020

Well... Do you own that domain? If not, it would be quite a surprise if the robot would issue you the certificate! You prove that you own the DNS address by pointing it to the IP address of the PBX and making port 80 available at that address. I mean, if you try pbx.google.com it will most likely also not work unless you work there and have good relationships with the management.

melanc (Author) Posted June 12, 2020

18 hours ago, Vodia PBX said:
  Well... Do you own that domain? If not, it would be quite a surprise if the robot would issue you the certificate! You prove that you own the DNS address by pointing it to the IP address of the PBX and making port 80 available at that address. I mean, if you try pbx.google.com it will most likely also not work unless you work there and have good relationships with the management.

Hi, I'm sorry, I was trying to understand how this certificate issue works and troubleshoot it. I used the DNS name of my AWS server and it did not work even though the DNS query resolved. I don't have my own DNS and Vodia is sitting on the AWS public IP.

Vodia PBX Posted June 12, 2020

Yeah, certificates are actually a very complex and confusing topic. The EC2 DNS name should work, but of course you need to make sure that the Amazon firewall passes requests to port 80 through to the PBX (also you should open port 443 for the actual HTTPS access).

Support Posted June 12, 2020

Do you have a FQDN address mapped to your public IP for the PBX on AWS? If yes, then all you need to do is open your ports 80 and 443 and turn on the "ACME Directory URL" setting on the /reg_settings.htm page on the PBX and then just wait for some time for it to get the certificate. Try to log off and log back in with https into the PBX and see if you've gotten a certificate.

melanc (Author) Posted June 12, 2020

27 minutes ago, Vodia PBX said:
  Yeah, certificates are actually a very complex and confusing topic. The EC2 DNS name should work, but of course you need to make sure that the Amazon firewall passes requests to port 80 through to the PBX (also you should open port 443 for the actual HTTPS access).

Yes, I did. I followed the YouTube video for installing Vodia on AWS, so all ports were opened when I created the EC2. I also checked the ports again manually.

melanc (Author) Posted June 12, 2020

1 hour ago, Support said:
  Do you have a FQDN address mapped to your public IP for the PBX on AWS? If yes, then all you need to do is open your ports 80 and 443 and turn on the "ACME Directory URL" setting on the /reg_settings.htm page on the PBX and then just wait for some time for it to get the certificate. Try to log off and log back in with https into the PBX and see if you've gotten a certificate.

Hi, I am sorry to ask a stupid question. Vodia PABX is on AWS. So EC2 has its own DNS address mapped to its public IP. So I used the EC2 DNS address to set the domain name. Is that correct? Please see the screenshots.

Vodia PBX Posted June 12, 2020

There is a log level "Log ACME certificate processing" to 9 in the system log; I would turn it on and see what the PBX has to say. One of the key questions is if the robot is trying to validate the certificate. That would mean that port 80 is available.

melanc (Author) Posted June 12, 2020

51 minutes ago, Vodia PBX said:
  There is a log level "Log ACME certificate processing" to 9 in the system log; I would turn it on and see what the PBX has to say. One of the key questions is if the robot is trying to validate the certificate. That would mean that port 80 is available.

  [0] 20200612223825: Automatic reboot
  [1] 20200612223916: syslog messages will be sent to 172.31.40.234
  [1] 20200612223916: Starting up version 65.0.8
  [1] 20200612223916: Adding DNS server 127.0.0.53 to the dns server list
  [1] 20200612223916: Working Directory is /usr/local/pbx
  [5] 20200612223917: Starting threads
  [4] 20200612223917: Join multicast group on address 0.0.0.0
  [5] 20200612223917: Set scheduling priority to 1
  [5] 20200612223917: Set process affinity to 1
  [2] 20200612223917: Trunk status XXXX SIP (1) changed to "200 OK" (1800 s)
  [5] 20200612223917: Ignore traffic from user-agents "CSipSimple" "Gulp" "PortSIP" "SIVuS" "VaxIPUserAgent" "VaxSIPUserAgent" "friendly-request" "friendly-scanner" "iWar" "pplsip" "sip-scan" "siparmyknife" "sipcli" "sipsak" "sipv" "sipvicious" "smap" "sundayddr"
  [6] 20200612224018: Refreshing ec2-XXXXXXXX-XXX.ap-southeast-2.compute.amazonaws.com
  [8] 20200612224018: Create new account
  [7] 20200612224018: Retrieved directory "{\n \"SZq4NtVzhH4\": \"https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417\",\n \"keyChange\": \"https://acme-v02.api.letsencrypt.org/acme/key-change\",\n \"meta\": {\n \"caaIdentities\": [\n \"letsencrypt.org\"\n ],\n \"termsOfService\": \"https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf\",\n \"website\": \"https://letsencrypt.org\"\n },\n \"newAccount\": \"https://acme-v02.api.letsencrypt.org/acme/new-acct\",\n \"newNonce\": \"https://acme-v02.api.letsencrypt.org/acme/new-nonce\",\n \"newOrder\": \"https://acme-v02.api.letsencrypt.org/acme/new-order\",\n \"revokeCert\": \"https://acme-v02.api.letsencrypt.org/acme/revoke-cert\"\n}"
  [8] 20200612224018: New order ec2-XXXXXXXX-XXX.ap-southeast-2.compute.amazonaws.com
  [8] 20200612224019: Received key for new order (1708 bytes)
  [8] 20200612224019: Send new order for ec2-XXXXXXXX-XXX.ap-southeast-2.compute.amazonaws.com
  [7] 20200612224020: Received nonce 0101V0aFyvUoqy_iQngBKVNQsFBlNpa0JV2hEU7i1HL3pKQ
  [8] 20200612224020: Parse key
  [8] 20200612224020: Account has location https://acme-v02.api.letsencrypt.org/acme/acct/88555057
  [7] 20200612224020: Send to https://acme-v02.api.letsencrypt.org/acme/new-order {"identifiers":[{"type":"dns","value":"ec2-XXXXXXXX-XXX.ap-southeast-2.compute.amazonaws.com"}]}
  [7] 20200612224021: Received nonce 0101asNpo2MRCnkGQfDqIcnXTFQdDFxoptxaBS09TOZwI60
  [2] 20200612224021: Exception for sendPayload {"payload":"eyJpZGVudGlmaWVycyI6W3sidHlwZSI6ImRucyIsInZhbHVlIjoiZWMyLTMtMTA0LTMwLTIxNy5hcC1zb3V0aGVhc3QtMi5jb21wdXRlLmFtYXpvbmF3cy5jb20ifV19","protected":"eyJhbGciOiJSUzI1NiIsImtpZCI6Imh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvODg1NTUwNTciLCJub25jZSI6IjAxMDFWMGFGeXZVb3F5X2lRbmdCS1ZOUXNGQmxOcGEwSlYyaEVVN2kxSEwzcEtRIiwidXJsIjoiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvbmV3LW9yZGVyIn0","signature":"lYoNWgIHpyLIeuPz7_xRC7_kpHGcZclsJMV3f1OJUJFaFS3aEVsZIVWFmz-sZJoUWeyK8wG7LP0Q-ryTov_nvmNN2XkfPFpbimoD7T4qC-UrtTKZRDgQJQzdVDiAhJ4-jLXK42p4qtGzEtG487v4vZN3wCiJ0mz1FQASOQvqlI_bXvr2REjlFK1_2f6N0jpZLSC2METKMzZl-_OGLoiVQNQm0fhGOeMTuhaj7tz6-wp2g26tigoLNwnU1K6XrMP5ijI3hi4MCp6Nixzt_iwB0CWxjoGaAFLgKZ6UiLkzOMQyAh2p-OK4iPX71wzOK_cdpxfnnxHQf8fjJZhIYvH-gg"}

This is the log level 9 output. Sorry, I cannot read this. Please let me know where the issue is.

Vodia PBX Posted June 13, 2020

Ok, after some searching it looks like LetsEncrypt does not issue certificates for this domain name: https://community.letsencrypt.org/t/policy-forbids-issuing-name-for-aws/95246

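The two failures in this thread show up at different points in the PBX's ACME log: the first (after the default root CAs were deleted) fails while fetching the directory because the PBX cannot verify Let's Encrypt's own HTTPS certificate, the second fails at the new-order call because the CA will not issue for an amazonaws.com name. The helper below is an added example, not Vodia code and not from any poster; it runs over constructed log excerpts shaped like the ones quoted above and names the likely cause. The blocked-suffix list holds only the amazonaws.com case from this thread and is an assumption to be checked against the CA's own policy.

```python
import re

# Constructed excerpts modelled on the two logs quoted in this thread
# (EC2 name redacted as in the post; long JSON bodies shortened to "...").
LOG_ROOT_CA_MISSING = """\
[5] 12:25:51.342 HTTP 172.65.32.248: [ff73b3b9] Certificate for acme-v02.api.letsencrypt.org could not be verified
[3] 12:25:51.520 Could not retrieve directory from directory https://acme-v02.api.letsencrypt.org/directory
[2] 12:25:51.520 Exception for getDirectory
"""
LOG_POLICY_REJECT = """\
[8] 20200612224018: Create new account
[7] 20200612224018: Retrieved directory "{...}"
[8] 20200612224020: Account has location https://acme-v02.api.letsencrypt.org/acme/acct/88555057
[7] 20200612224020: Send to https://acme-v02.api.letsencrypt.org/acme/new-order {"identifiers":[{"type":"dns","value":"ec2-XXXXXXXX-XXX.ap-southeast-2.compute.amazonaws.com"}]}
[2] 20200612224021: Exception for sendPayload {"payload":"..."}
"""

# Assumption: only the suffix this thread ran into; extend from the CA's published policy.
POLICY_BLOCKED_SUFFIXES = ("amazonaws.com",)


def policy_blocked(name):
    """True if the DNS identifier is the blocked suffix itself or a subdomain of it."""
    host = name.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in POLICY_BLOCKED_SUFFIXES)


def diagnose(log_text):
    """Map level-9 ACME log lines to the failing PBX call and the most likely cause."""
    m = re.search(r"\[2\] \S+ Exception for (\w+)", log_text)
    failed = m.group(1) if m else None
    m = re.search(r'"type":"dns","value":"([^"]+)"', log_text)
    ident = m.group(1) if m else None
    if failed == "getDirectory" and "could not be verified" in log_text:
        # The PBX rejected the CA's TLS certificate: its own root CA list is incomplete.
        cause = "pbx_root_ca_store"
    elif failed == "sendPayload" and ident and policy_blocked(ident):
        # Order refused before any challenge: the name itself is not issuable.
        cause = "ca_policy_forbids_name"
    elif failed == "sendPayload":
        cause = "order_rejected"   # read the CA's problem document for the reason
    elif failed is None:
        cause = "no_error"
    else:
        cause = "unknown"
    return {"failed_call": failed, "identifier": ident, "cause": cause}
```

A "pbx_root_ca_store" result points at the certificate list (the "reset" button above), while "ca_policy_forbids_name" means no amount of port opening will help and a name under a domain you control is needed.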
Vodia support Posted June 13, 2020

Hi Melanc, you will need to purchase a .com or an .xyz name, it doesn't really matter, you just need a FQDN. With GoDaddy you can pay 99 cents for a domain the first year and 14.99 annually; however, that means you can point hundreds of A records to your Vodia PBX phone system and then have Let's Encrypt create the certs for them. I would recommend checking this link out to give you a general idea how A records work with GoDaddy: https://www.godaddy.com/help/change-an-a-record-19239

Vodia PBX Posted June 15, 2020

On 6/13/2020 at 11:26 AM, Vodia support said:
  You will need to purchase a .com or an .xyz name, it doesn't really matter, you just need a FQDN. With GoDaddy you can pay 99 cents for a domain the first year and 14.99 annually.

Subdomains are usually free if you already have a domain for your company.