The new Vicibox 8.1 Certbot

Support forum for the ViciBox ISO Server Install and ISO LiveCD Demo


Postby dspaan » Mon Sep 24, 2018 9:15 am

Certbot SSL setup - /usr/local/bin/vicidial-certbot
- You need a FULLY QUALIFIED DOMAIN NAME (FQDN), I.E. vicibox.somedomain.com
- SSL only works with internet IPs in general
- LetsEncrypt SSL certs expire after 90 days, but will set a crontab entry for you
- Updates apache and asterisk for you
- Attempts to do some basic network checks, but it's not super strict
- If you don't have a static IP, you will need to update the DNS for your FQDN when it changes, otherwise this will just break
- Not the most foolproof script, but it works

Long story short you need to be able to go to http://vicibox.somedomain.com from your couch at home and be able to log into the ViciBox web interface across the internet before certbot will even begin to work. Once the web interface is up and the FQDN is correct, certbot will work just fine.


I ran:
cd /usr/local/bin
./vicibox-certbot

First thing I noticed is that certbot can't provide a cert because I had closed off allowed services http and https in yast. We also had this problem on our servers before and created a special script for it that opens and closes the firewall ports when issuing a new certificate and renewing. Does Vicibox 8.1 have something similar?

After I opened those ports I successfully installed a certificate and allowed the script to configure all the needed parts. But when I visit the URL with https:// I get this error: NET::ERR_CERT_COMMON_NAME_INVALID

This is what I see in the apache error log:

[Mon Sep 24 16:02:37.387192 2018] [ssl:warn] [pid 1149] AH01906: corpnew.vicihost.com:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Sep 24 16:02:37.387211 2018] [ssl:warn] [pid 1149] AH01909: corpnew.vicihost.com:443:0 server certificate does NOT include an ID which matches the server name


And I don't see any vhost with my FQDN in /etc/apache2/vhosts.d
Regards, Dennis

Vicibox 9.0.1
Version: 2.14b0.5
SVN Version: 3199
DB Schema Version: 1588
Build: 200310-1801
dspaan
 
Posts: 1374
Joined: Fri Aug 21, 2009 1:40 pm
Location: The Netherlands

Re: The new Vicibox 8.1 Certbot

Postby williamconley » Mon Sep 24, 2018 10:37 am

1) look in /etc/letsencrypt/live to see if you have any certs

2) Use the fullchain (this is the cert with all chain info) and privkey links in your ssl conf file to make it work. After you've altered the apache conf file pointing to these sym links, when certbot updates the new cert, it'll "just work" because they'll alter the sym link to point to the new cert.

3) Obviously report your findings in case there was a hiccup in the script somewhere: UNLESS you never actually got the cert and just didn't see the error message.
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20018
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: The new Vicibox 8.1 Certbot

Postby dspaan » Mon Sep 24, 2018 10:55 am

Hey Bill,

/etc/letsencrypt doesn't even exist...
Regards, Dennis


Re: The new Vicibox 8.1 Certbot

Postby williamconley » Mon Sep 24, 2018 11:00 am

Unless there's some reason it's different on 8.1 than when I manually install, or they're using some other service ... that means you never got a cert. Try running the commands from the script manually until you hit an error?

Re: The new Vicibox 8.1 Certbot

Postby dspaan » Mon Sep 24, 2018 11:27 am

It seems the new path is /etc/certbot/live. Underneath it I have a folder for my FQDN, and underneath that my fullchain.pem
Regards, Dennis


Re: The new Vicibox 8.1 Certbot

Postby williamconley » Mon Sep 24, 2018 12:00 pm

Is there also a key?

Re: The new Vicibox 8.1 Certbot

Postby dspaan » Mon Sep 24, 2018 12:29 pm

Yes:

README cert.pem chain.pem fullchain.pem privkey.pem
Regards, Dennis


Re: The new Vicibox 8.1 Certbot

Postby williamconley » Mon Sep 24, 2018 12:43 pm

fullchain.pem privkey.pem are the two you use. fullchain is the key (with everything included) and privkey is the key. plug those in to the conf file where crt and key are from the dummy cert and you're done.

Re: The new Vicibox 8.1 Certbot

Postby Kumba » Mon Sep 24, 2018 12:47 pm

dspaan wrote:First thing I noticed is that certbot can't provide a cert because I had closed off allowed services http and https in yast. We also had this problem on our servers before and created a special script for it that opens and closes the firewall ports when issuing a new certificate and renewing. Does Vicibox 8.1 have something similar?


Nope. It's a basic script designed to just generate LetsEncrypt SSL's and try to install them. So you'll need to modify it to your liking.


dspaan wrote:After I opened those ports I successfully installed a certificate and allowed the script to configure all the needed parts. But when I visit the URL with https:// I get this error: NET::ERR_CERT_COMMON_NAME_INVALID

This is what I see in the apache error log:

[Mon Sep 24 16:02:37.387192 2018] [ssl:warn] [pid 1149] AH01906: corpnew.vicihost.com:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Sep 24 16:02:37.387211 2018] [ssl:warn] [pid 1149] AH01909: corpnew.vicihost.com:443:0 server certificate does NOT include an ID which matches the server name


And I don't see any vhost with my FQDN in /etc/apache2/vhosts.d


Can you show me what your /etc/apache2/vhosts.d/1111-default-ssl.conf looks like after the script ran, more specifically the 3 SSL lines that define paths to the certs? And what the server= line from /etc/certbot/cli.ini is?
Kumba
 
Posts: 939
Joined: Tue Oct 16, 2007 11:44 pm
Location: Florida

Re: The new Vicibox 8.1 Certbot

Postby dspaan » Mon Sep 24, 2018 4:57 pm

Code:
<VirtualHost _default_:443>
        ServerAdmin support@vicidial.com
        ServerName corpnew.vicihost.com
        #ServerAlias
        DocumentRoot /srv/www/htdocs
        ErrorLog /var/log/apache2/error_log
        #CustomLog /var/log/apache2/access_log combined
        CustomLog /dev/null combined
        HostnameLookups Off
        UseCanonicalName Off
        ServerSignature Off
        TraceEnable Off
        Include /etc/apache2/conf.d/*.conf
        DirectoryIndex index.html index.php index.htm

        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl.crt/vicibox.crt
        #SSLCACertificateFile /etc/apache2/ssl.crt/CA_chain.crt
        SSLCertificateKeyFile /etc/apache2/ssl.key/vicibox.key

        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>

         BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

        <Files ~ "^\.ht">
                Require all denied
        </Files>
        <Files ~ "opcache.php">
                Require ip 10.0.0.0/8 192.168.0.0/16 172.16.0.0/12 127.0.0.1
        </Files>

        <Directory "/srv/www/htdocs">
                Options Indexes FollowSymLinks
                AllowOverride None
                Require all granted
        </Directory>

        SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

</VirtualHost>


/etc/certbot/cli.ini:

Code:
# The staging/testing server
server = https://acme-v01.api.letsencrypt.org/directory
# The production server.
Regards, Dennis


Re: The new Vicibox 8.1 Certbot

Postby Kumba » Mon Sep 24, 2018 5:12 pm

Found the issue. In vicibox-certbot I have:

APACHE_CONF="/etc/apache2/vhosts/1111-default-ssl.conf"

when it should be:

APACHE_CONF="/etc/apache2/vhosts.d/1111-default-ssl.conf"

For your issue change the three SSL lines in 1111-default-ssl.conf to be like this:

SSLCertificateFile /etc/certbot/live/<FQDN>/cert.pem
SSLCACertificateFile /etc/certbot/live/<FQDN>/fullchain.pem
SSLCertificateKeyFile /etc/certbot/live/<FQDN>/privkey.pem

Make sure you replace <FQDN> with your fully qualified domain name.

Already made that correction in the image so that'll be in v.8.1.1 which is always the wrap-up release to the dot ohhhh (.0) release. I've also gone ahead and started the ViciBox v.8.1 bugfix thread and documented this fixup.
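
The fault diagnosed in this post (the vhost still loading the dummy vicibox.crt while the issued certificate sits under /etc/certbot/live/<FQDN>/) can be checked mechanically. The script below is an added example, not part of vicibox-certbot or of any post in this thread; the function names and the vicibox.example.com sample configs are constructed, and cert_matches_host assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example: audit which certificate files an Apache vhost really loads.

# Print "Directive path" for every active (uncommented) SSL file directive.
vhost_ssl_paths() {
    awk '$1 ~ /^SSL(Certificate|CACertificate|CertificateKey)File$/ {
             gsub(/"/, "", $2); print $1, $2 }' "$1"
}

# Succeed only if the vhost has SSL file directives and every one of them
# points into <live_dir>/<fqdn>/. Directives that do not are printed.
# Returns 0 = all good, 1 = stray paths found, 2 = no SSL directives at all.
vhost_uses_certbot_cert() {
    conf=$1 fqdn=$2 live_dir=${3:-/etc/certbot/live}
    paths=$(vhost_ssl_paths "$conf")
    if [ -z "$paths" ]; then
        echo "no active SSL file directives in $conf"
        return 2
    fi
    stray=$(printf '%s\n' "$paths" |
            awk -v want="$live_dir/$fqdn/" 'index($2, want) != 1')
    if [ -n "$stray" ]; then
        printf '%s\n' "$stray" | sed 's/^/not under the certbot live dir: /'
        return 1
    fi
    return 0
}

# Ask OpenSSL whether a certificate is valid for a host name. A failure here
# is the kind of name mismatch reported as AH01909 and by the browser as
# NET::ERR_CERT_COMMON_NAME_INVALID.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# --- constructed sample input: the vhost before and after the fix ---
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

cat > "$tmp/before.conf" <<'EOF'
<VirtualHost _default_:443>
        ServerName vicibox.example.com
        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl.crt/vicibox.crt
        #SSLCACertificateFile /etc/apache2/ssl.crt/CA_chain.crt
        SSLCertificateKeyFile /etc/apache2/ssl.key/vicibox.key
</VirtualHost>
EOF

cat > "$tmp/after.conf" <<'EOF'
<VirtualHost _default_:443>
        ServerName vicibox.example.com
        SSLEngine on
        SSLCertificateFile /etc/certbot/live/vicibox.example.com/cert.pem
        SSLCACertificateFile /etc/certbot/live/vicibox.example.com/fullchain.pem
        SSLCertificateKeyFile /etc/certbot/live/vicibox.example.com/privkey.pem
</VirtualHost>
EOF

for f in before after; do
    if vhost_uses_certbot_cert "$tmp/$f.conf" vicibox.example.com; then
        echo "$f.conf: all SSL file directives use the certbot lineage"
    else
        echo "$f.conf: still loading a certificate from elsewhere"
    fi
done
```

On a real server, point vhost_uses_certbot_cert at /etc/apache2/vhosts.d/1111-default-ssl.conf with your FQDN, then run cert_matches_host on the SSLCertificateFile path it lists.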

Re: The new Vicibox 8.1 Certbot

Postby dspaan » Mon Sep 24, 2018 5:19 pm

Yup, it's working now! thnx.
Regards, Dennis


Re: The new Vicibox 8.1 Certbot

Postby dspaan » Mon Sep 24, 2018 5:50 pm

Kumba, maybe you could add to the install script a choice to redirect all http traffic to https?
Regards, Dennis


Re: The new Vicibox 8.1 Certbot

Postby Kumba » Mon Sep 24, 2018 7:08 pm

dspaan wrote:Kumba, maybe you could add to the install script a choice to redirect all http traffic to https?


The problem is if SSL really isn't working right then you have kind of crippled your server. Everything will come up saying security warning and if you aren't experienced enough to know that you'll think bad things happened. Therein lies the crux of the problem. Balancing advanced things from those who know very little.

That's why the certbot script stops after generating an SSL and putting it into apache and Asterisk. There's just too many different ways that things can break that it's hard to know what is and isn't set-up correctly.

I might look at doing some sort of a secondary script or something, but right now I wouldn't want forced SSL to be part of the initial setup. I'll have to think about how to best handle that.

If you want to add that on your own, you can try putting this in /etc/apache2/vhosts.d/1111-default.conf after the SSL section:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{SERVER_NAME}/$1 [R,L]

- OR -

Redirect / https://<FQDN>/

Re: The new Vicibox 8.1 Certbot

Postby dspaan » Tue Sep 25, 2018 2:32 am

Thanks, got it working with the redirect. You could also just add that line to the 1111-default.conf but leave it commented out and add an instruction. Better than nothing.
Regards, Dennis


Re: The new Vicibox 8.1 Certbot

Postby Kumba » Tue Sep 25, 2018 12:34 pm

dspaan wrote:Thanks, got it working with the redirect. You could also just add that line to the 1111-default.conf but leave it commented out and add an instruction. Better than nothing.


Good point. I've added the mod rewrite part to 1111-default.conf and put a note about it in vicibox-certbot. I also changed the default renewal period to be every Sunday at midnight as well as added an apache soft reload after it. If the SSL certificate is renewed then Apache needs to reload it. It'll be in ViciBox v.8.1.1.

Re: The new Vicibox 8.1 Certbot

Postby alexgrad » Mon Oct 01, 2018 3:10 pm

vicibox 8.1.1

while running vicibox-certbot

- Congratulations! Your certificate and chain have been saved at
/etc/certbot/live/aaa.bbb.ccc/fullchain.pem. Your cert will
expire on 2018-12-30. To obtain a new or tweaked version of this
certificate in the future, simply run certbot again. To
non-interactively renew *all* of your certificates, run "certbot
renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/certbot. You should make a secure
backup of this folder now. This configuration directory will also
contain certificates and private keys obtained by Certbot so making
regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

done.

Do you want to enable the new SSL certificate in Apache/Asterisk? (N/y) : y
/usr/local/bin/vicibox-certbot: line 176: syntax error in conditional expression: unexpected token `;'
/usr/local/bin/vicibox-certbot: line 176: syntax error near `;'
/usr/local/bin/vicibox-certbot: line 176: ` if [[ `/sbin/service apache2 status` == 0]]; then'

1. incorrect check in line 176. check on apache status, but reload asterisk
asterisk is not started by systemd service, so
if [ `pgrep "^asterisk$" |wc -l` -gt 0 ]; then

2. for apache should be
/sbin/service apache2 status >/dev/null 2>&1
if [[ $? == 0 ]]; then
alexgrad
 
Posts: 13
Joined: Thu Aug 23, 2018 11:09 am

Re: The new Vicibox 8.1 Certbot

Postby alexgrad » Mon Oct 01, 2018 3:12 pm

/sbin/service asterisk -rx 'module reload http'
should be replaced with
/usr/sbin/rasterisk -x 'module reload http'

Re: The new Vicibox 8.1 Certbot

Postby alexgrad » Mon Oct 01, 2018 3:23 pm

echo '0 0 * * 0 $CERTBOT_BIN -n --webroot renew >/dev/null 2>&1' >> /tmp/rootcron
should be replaced with
echo "0 0 * * 0 $CERTBOT_BIN -n --webroot renew >/dev/null 2>&1" >> /tmp/rootcron

Re: The new Vicibox 8.1 Certbot

Postby alexgrad » Mon Oct 01, 2018 3:27 pm

sed -i "/SSLCertificateKeyFile/c\\SSLCertificateKeyFile /etc/certbot/live/<FQDN>/privkey.pem" $APACHE_CONF
sed -i "/SSLCACertificateFile/c\\SSLCACertificateFile /etc/certbot/live/<FQDN>/fullchain.pem" $APACHE_CONF

should be replaced with

sed -i "/SSLCertificateKeyFile/c\\SSLCertificateKeyFile /etc/certbot/live/$FQDN/privkey.pem" $APACHE_CONF
sed -i "/SSLCACertificateFile/c\\SSLCACertificateFile /etc/certbot/live/$FQDN/fullchain.pem" $APACHE_CONF

Re: The new Vicibox 8.1 Certbot

Postby alexgrad » Mon Oct 01, 2018 3:54 pm

should be added to vicibox-certbot
echo " also need to add rewrite to the APACHE_MODULES variable by editing /etc/sysconfig/apache2"

Re: The new Vicibox 8.1 Certbot

Postby Kumba » Mon Oct 01, 2018 10:36 pm

Blah. And this is what happens when you get interrupted during the day while doing thinking stuff. Anyways it's been corrected and tested. I also added a part so that it doesn't re-insert itself into the crontab if you keep re-running it and it tab spaces the apache config file to match the rest of it. So that's now fixed and will be in v.8.1.2.

It usually takes 3-4 versions to get everything tuned up. :/

Re: The new Vicibox 8.1 Certbot

Postby alexgrad » Tue Oct 02, 2018 2:02 pm

Kumba wrote:So that's now fixed and will be in v.8.1.2.

I see v.8.1.2 released.
Are there any other changes in v.8.1.2?
I do not want to reinstall if it is only these changes.

Could you please add a topic "ViciBox v.8.1 Changelog" and document all changes in minor versions, like
=== Changes from ViciBox v.8.1 to ViciBox v.8.1.1 ===
...
=== Changes from ViciBox v.8.1.1 to ViciBox v.8.1.2 ===

Re: The new Vicibox 8.1 Certbot

Postby Kumba » Tue Oct 02, 2018 2:36 pm

alexgrad wrote:
Kumba wrote:So that's now fixed and will be in v.8.1.2.

I see v.8.1.2 released.
Are there any other changes in v.8.1.2?
I do not want to reinstall if it is only these changes.

Could you please add a topic "ViciBox v.8.1 Changelog" and document all changes in minor versions, like
=== Changes from ViciBox v.8.1 to ViciBox v.8.1.1 ===
...
=== Changes from ViciBox v.8.1.1 to ViciBox v.8.1.2 ===


The change log is /etc/vicibox-version and v.8.1.2 is mostly just vicibox-certbot fixups with a few commented apache config directives. Most of the release versions after the initial .0 release are for bug fixes. There might be some additional things here and there but they aren't major.

Re: The new Vicibox 8.1 Certbot

Postby alexgrad » Tue Oct 02, 2018 3:35 pm

Kumba wrote:The change log is /etc/vicibox-version and v.8.1.2

To look at it I have to download a whole ISO.
Or is it possible to update ViciBox like 'zypper up'?

Re: The new Vicibox 8.1 Certbot

Postby Kumba » Tue Oct 02, 2018 6:02 pm

Doing 'zypper up' will update the base OS. It won't do anything with the ViciDial SVN codebase or do anything with the handful of ViciBox related scripts and configs. So you can monitor OpenSuSE for changes to OpenSuSE Leap 42.3 and get the OS updates and what not. You can monitor the ViciDial SVN server to get any new changes and additions there. And I'll try to copy vicibox-version to http://download.vicidial.com/vicibox/se ... version8_1 whenever I release a new update.

But the only script in ViciBox used after install is VB-firewall.pl and /etc/sysconfig/scripts/SuSEfirewall2-custom. So whenever there's a bugfix to one of the ViciBox scripts or these they'll be posted in the ViciBox v.8.1 bugfix thread. All the minor stuff like the commented optional apache configs added in ViciBox v.8.1.2 won't be added to the bugfix thread cause it's such a minor thing.

Re: The new Vicibox 8.1 Certbot

Postby alexgrad » Wed Oct 03, 2018 4:29 pm

Kumba wrote:And I'll try to copy vicibox-version to http://download.vicidial.com/vicibox/se ... version8_1 whenever I release a new update.

Thank you.

By the way, Asterisk does not reload TLS certificates on "module reload http" if http.conf was not modified.
There is a patch in review which fixes it:
https://gerrit.asterisk.org/#/c/asterisk/+/10395/

So the cron should modify the http.conf file
echo '11 0 * * 0 /usr/sbin/asterisk -rx "module reload http" >/dev/null 2>&1' >> /tmp/rootcron
should be replaced with
echo "11 0 * * 0 touch $ASTERISK_CONF; /usr/sbin/asterisk -rx 'module reload http' >/dev/null 2>&1" >> /tmp/rootcron

Re: The new Vicibox 8.1 Certbot

Postby Kumba » Wed Oct 03, 2018 9:15 pm

alexgrad wrote:
Kumba wrote:And I'll try to copy vicibox-version to http://download.vicidial.com/vicibox/se ... version8_1 whenever I release a new update.

Thank you.

By the way, Asterisk does not reload TLS certificates on "module reload http" if http.conf was not modified.
There is a patch in review which fixes it:
https://gerrit.asterisk.org/#/c/asterisk/+/10395/

So the cron should modify the http.conf file
echo '11 0 * * 0 /usr/sbin/asterisk -rx "module reload http" >/dev/null 2>&1' >> /tmp/rootcron
should be replaced with
echo "11 0 * * 0 touch $ASTERISK_CONF; /usr/sbin/asterisk -rx 'module reload http' >/dev/null 2>&1" >> /tmp/rootcron



Yeah not really sure how to handle that one. Best approach would just be to bug-patch asterisk and call it a day once they settle down on a patch.

I went ahead and added it to the bugfix thread.
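
The cron fixes discussed in this thread (double quotes so $CERTBOT_BIN expands, no duplicate entries on re-runs, touching http.conf before the Asterisk reload) combine into one routine. This is an added example, not the vicibox-certbot code; the function names, the default paths for CERTBOT_BIN and ASTERISK_CONF, and the 00:05 Apache reload time are assumptions.

```shell
#!/bin/sh
# Added example (not the ViciBox script): build the weekly renewal entries
# and merge them into a crontab without duplicating them on re-runs.

# Assumed defaults; the real script defines its own values for these.
CERTBOT_BIN=${CERTBOT_BIN:-/usr/bin/certbot}
ASTERISK_CONF=${ASTERISK_CONF:-/etc/asterisk/http.conf}

# Emit the cron lines. Double quotes expand the variables now, so the crontab
# stores real paths; with single quotes cron would receive the literal text
# $CERTBOT_BIN, which is undefined in its environment.
renewal_entries() {
    printf '%s\n' \
        "0 0 * * 0 $CERTBOT_BIN -n --webroot renew >/dev/null 2>&1" \
        "5 0 * * 0 /usr/sbin/apache2ctl -k graceful >/dev/null 2>&1" \
        "11 0 * * 0 touch $ASTERISK_CONF; /usr/sbin/asterisk -rx 'module reload http' >/dev/null 2>&1"
}

# Read cron lines on stdin and append each one to file $1 unless an identical
# line is already there. Prints how many lines were added.
merge_cron() {
    cronfile=$1
    added=0
    [ -f "$cronfile" ] || : > "$cronfile"
    while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        # -F: fixed string (the "*" fields are literal), -x: whole line
        if ! grep -qxF -- "$entry" "$cronfile"; then
            printf '%s\n' "$entry" >> "$cronfile"
            added=$((added + 1))
        fi
    done
    echo "$added"
}

# Apply to root's crontab. Uses a private mktemp file instead of a fixed,
# predictable name in /tmp. Defined here but not called by the demo below.
install_renewal_cron() {
    work=$(mktemp) || return 1
    crontab -l > "$work" 2>/dev/null || :
    renewal_entries | merge_cron "$work" >/dev/null
    crontab "$work"
    rm -f "$work"
}

# --- demo on a constructed crontab dump; nothing on the system is changed ---
demo=$(mktemp)
printf '%s\n' '1 1 * * * /usr/local/bin/example-job' > "$demo"
first=$(renewal_entries | merge_cron "$demo")
second=$(renewal_entries | merge_cron "$demo")
echo "first run added $first entries, second run added $second"
cat "$demo"
rm -f "$demo"
```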

Re: The new Vicibox 8.1 Certbot

Postby dspaan » Tue Nov 13, 2018 3:25 pm

I just did a new Vicibox 8.1.2 install and ran the certbot script and my cert is working fine. Only I noticed there is nothing that renews the cert in the crontab, while the instruction says:

Certbot SSL setup - /usr/local/bin/vicidial-certbot
- You need a FULLY QUALIFIED DOMAIN NAME (FQDN), I.E. vicibox.somedomain.com
- SSL only works with internet IPs in general
- LetsEncrypt SSL certs expire after 90 days, but will set a crontab entry for you


I found an instruction in this thread:

viewtopic.php?f=8&t=37686

The last thing to do is to set certbot to automatically renew the SSL certificate before it expires. This is done with some simple crontab entries like the following:
--------
### Renew SSL certificate monthly
0 5 1 * * /usr/bin/certbot certonly > /var/log/certbot.log
5 5 1 * * /usr/sbin/apache2ctl -k graceful >/dev/null 2>&1
--------
This will cause Certbot to renew the certificate at 5am on the 1st day of the month, and then reload the Apache configuration 5 minutes after. That way you will always have a valid certificate. If you do not do this, then the certificate will expire in a few months. I believe letsencrypt gives you 60 days for each cert, however I'm sure someone will correct me if I'm wrong. Regardless, the certs should be checked monthly. If a renewal is not needed, then certbot will simply exit and apache will harmlessly reload.


Is this still correct?
Regards, Dennis


Re: The new Vicibox 8.1 Certbot

Postby thephaseusa » Sat Nov 24, 2018 8:28 am

Should be. Let’s try it and see.

I have certbot on 3 boxes and I need to get that crontab entry in there too.

JM
thephaseusa
 
Posts: 345
Joined: Tue May 16, 2017 2:23 pm

Re: The new Vicibox 8.1 Certbot

Postby dspaan » Sun Dec 30, 2018 4:54 pm

Hi,

I found out that if you uncomment these lines in 1111-default.conf the links to recording weblinks also get forced to https and give you a warning SSL page. Is there a way to make an exception for recording links?

Code:
        ### To force everything to SSL uncomment the following
        ##RewriteEngine On
        ##RewriteCond %{HTTPS} off
        ##RewriteRule (.*) https://%{SERVER_NAME}/$1 [R,L]
Regards, Dennis


Re: The new Vicibox 8.1 Certbot

Postby williamconley » Sun Dec 30, 2018 5:05 pm

System Settings -> Log Recording Access

This should change the access method in a way that would allow https passthrough.

Re: The new Vicibox 8.1 Certbot

Postby dspaan » Mon Dec 31, 2018 7:23 am

If I enable that I get a forbidden page when I want to download a recording. Do I need to change anything in vicirecord.conf?
Regards, Dennis


Re: The new Vicibox 8.1 Certbot

Postby williamconley » Thu Jan 03, 2019 3:28 am

I don't think I've ever had that problem. Did you already make changes?

Check the apache log and see if it'll give you the source of the permission issue ...

Re: The new Vicibox 8.1 Certbot

Postby dspaan » Fri Jan 04, 2019 10:43 am

I figured out what the problem was with the forbidden page. After that I had to give myself permission to access recordings but then I have the same problem again. When I click a recording link I get this:

Image

Of course I can bypass this by clicking advanced and continue but it's a hassle.
Regards, Dennis


Re: The new Vicibox 8.1 Certbot

Postby williamconley » Fri Jan 04, 2019 12:38 pm

You are apparently accessing this page with an incorrect domain name. What is the domain name in this request (using the browser's developer's tools to get the request info) vs the name of your cert? This error is explicitly saying that they don't match if I'm reading the error correctly. I didn't think this page would "redirect" at all, and I also don't think it would have a background function to pull file(s) but that may be wrong. The dev tools will tell you, though.

Re: The new Vicibox 8.1 Certbot

Postby dspaan » Sat Jan 05, 2019 8:38 am

The domain name is the server IP because that's the only way to access recordings. So to summarize:

- The vicidial server is accessed through https and has a domain name.
- The links to the recordings have an IP in the URL and http instead of https
- I can change the links to the recordings so they show a domain name through the server page recording url setting and use the https flag in the cronjob, but then I can't access the recordings anymore from the QC modify pages
Regards, Dennis


Re: The new Vicibox 8.1 Certbot

Postby williamconley » Sat Jan 05, 2019 5:36 pm

Does this same concept apply if you push the files to an FTP server using the vicidial ftp script? This would centrally locate the files and override the URL to a domain and likely cause all links to be the same without any overrides caused by "which server is this file on". You could try it with a single file and see if that fixes the problem while awaiting a bug fix on QC.

