|
|
@@ -159,7 +159,10 @@ example.
|
|
|
:::: tip
|
|
|
<p class="admonition-title">Tip</p>
|
|
|
|
|
|
-Use the dig command to check that the txt record is correct. dig -t txt _acme-challenge.domain.tld
|
|
|
+Use the dig command to check that the txt record is correct.
|
|
|
+```
|
|
|
+dig -t txt _acme-challenge.domain.tld
|
|
|
+```
|
|
|
|
|
|
Output should show:
|
|
|
|
|
|
@@ -167,178 +170,3 @@ Output should show:
|
|
|
_acme-challenge.domain.tld. 1799 IN TXT "PY7ttk6no_5eG7WtAbO6qs5-NzA-Kigko375omKc0nw"
|
|
|
::::
|
|
|
|
|
|
-##### Setup for multiple domains on Let\'s Encrypt
|
|
|
-
|
|
|
-Before setting up multiple domains, make sure you have SSL working on
|
|
|
-your main domain using the instructions above.
|
|
|
-
|
|
|
-**Create shared nginx host file for all domains**
|
|
|
-
|
|
|
-`vim /etc/nginx/includes/fusionpbx-default-config`
|
|
|
-
|
|
|
-Paste the code below into the file
|
|
|
-
|
|
|
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
|
|
|
- ssl_ciphers HIGH:!ADH:!MD5:!aNULL;
|
|
|
-
|
|
|
- #letsencrypt
|
|
|
- location /.well-known/acme-challenge {
|
|
|
- root /var/www/letsencrypt;
|
|
|
- }
|
|
|
-
|
|
|
- #REST api
|
|
|
- if ($uri ~* ^.*/api/.*$) {
|
|
|
- rewrite ^(.*)/api/(.*)$ $1/api/index.php?rewrite_uri=$2 last;
|
|
|
- break;
|
|
|
- }
|
|
|
-
|
|
|
- #algo
|
|
|
- rewrite "^.*/provision/algom([A-Fa-f0-9]{12})\.conf" /app/provision/?mac=$1&file=algom%7b%24mac%7d.conf last;
|
|
|
-
|
|
|
- #mitel
|
|
|
- rewrite "^.*/provision/MN_([A-Fa-f0-9]{12})\.cfg" /app/provision/index.php?mac=$1&file=MN_%7b%24mac%7d.cfg last;
|
|
|
- rewrite "^.*/provision/MN_Generic.cfg" /app/provision/index.php?mac=08000f000000&file=MN_Generic.cfg last;
|
|
|
-
|
|
|
- #grandstriam
|
|
|
- rewrite "^.*/provision/cfg([A-Fa-f0-9]{12})(\.(xml|cfg))?$" /app/provision/?mac=$1;
|
|
|
-
|
|
|
- #aastra
|
|
|
- rewrite "^.*/provision/aastra.cfg$" /app/provision/?mac=$1&file=aastra.cfg;
|
|
|
- #rewrite "^.*/provision/([A-Fa-f0-9]{12})(\.(cfg))?$" /app/provision/?mac=$1 last;
|
|
|
-
|
|
|
- #yealink common
|
|
|
- rewrite "^.*/provision/(y[0-9]{12})(\.cfg)?$" /app/provision/index.php?file=$1.cfg;
|
|
|
-
|
|
|
- #yealink mac
|
|
|
- rewrite "^.*/provision/([A-Fa-f0-9]{12})(\.(xml|cfg))?$" /app/provision/index.php?mac=$1 last;
|
|
|
-
|
|
|
- #polycom
|
|
|
- rewrite "^.*/provision/000000000000.cfg$" "/app/provision/?mac=$1&file={%24mac}.cfg";
|
|
|
- #rewrite "^.*/provision/sip_330(\.(ld))$" /includes/firmware/sip_330.$2;
|
|
|
- rewrite "^.*/provision/features.cfg$" /app/provision/?mac=$1&file=features.cfg;
|
|
|
- rewrite "^.*/provision/([A-Fa-f0-9]{12})-sip.cfg$" /app/provision/?mac=$1&file=sip.cfg;
|
|
|
- rewrite "^.*/provision/([A-Fa-f0-9]{12})-phone.cfg$" /app/provision/?mac=$1;
|
|
|
- rewrite "^.*/provision/([A-Fa-f0-9]{12})-registration.cfg$" "/app/provision/?mac=$1&file={%24mac}-registration.cfg";
|
|
|
-
|
|
|
- #cisco
|
|
|
- rewrite "^.*/provision/file/(.*\.(xml|cfg))" /app/provision/?file=$1 last;
|
|
|
-
|
|
|
- #Escene
|
|
|
- rewrite "^.*/provision/([0-9]{1,11})_Extern.xml$" "/app/provision/?ext=$1&file={%24mac}_extern.xml" last;
|
|
|
- rewrite "^.*/provision/([0-9]{1,11})_Phonebook.xml$" "/app/provision/?ext=$1&file={%24mac}_phonebook.xml" last;
|
|
|
-
|
|
|
- access_log /var/log/nginx/access.log;
|
|
|
- error_log /var/log/nginx/error.log;
|
|
|
-
|
|
|
- client_max_body_size 80M;
|
|
|
- client_body_buffer_size 128k;
|
|
|
-
|
|
|
- location / {
|
|
|
- root /var/www/fusionpbx;
|
|
|
- index index.php;
|
|
|
- }
|
|
|
-
|
|
|
- location ~ \.php$ {
|
|
|
- fastcgi_pass unix:/var/run/php/php7.1-fpm.sock;
|
|
|
- #fastcgi_pass 127.0.0.1:9000;
|
|
|
- fastcgi_index index.php;
|
|
|
- include fastcgi_params;
|
|
|
- fastcgi_param SCRIPT_FILENAME /var/www/fusionpbx$fastcgi_script_name;
|
|
|
- }
|
|
|
-
|
|
|
- # Disable viewing .htaccess & .htpassword & .db
|
|
|
- location ~ .htaccess {
|
|
|
- deny all;
|
|
|
- }
|
|
|
- location ~ .htpassword {
|
|
|
- deny all;
|
|
|
- }
|
|
|
- location ~^.+.(db)$ {
|
|
|
- deny all;
|
|
|
- }
|
|
|
-
|
|
|
-**Create a file to contain config for additional domains**
|
|
|
-
|
|
|
-`touch /etc/nginx/includes/fusionpbx-domains`
|
|
|
-
|
|
|
-**make default file read configs for additional domains**
|
|
|
-
|
|
|
-`vim /etc/nginx/sites-available/fusionpbx`
|
|
|
-
|
|
|
-Add the line below at the very end of the file after the trailing \"}\"
|
|
|
-
|
|
|
-`include /etc/nginx/includes/fusionpbx-domains;`
|
|
|
-
|
|
|
-By now you are all set to start using SSL on multiple domains for your
|
|
|
-FusionPBX installation.
|
|
|
-
|
|
|
-**Follow the steps below every time you add a new domain**
|
|
|
-
|
|
|
-Create a conf file for the new domain (replace example.com with your own
|
|
|
-domain)
|
|
|
-
|
|
|
-`vim /etc/letsencrypt/configs/example.com.conf`
|
|
|
-
|
|
|
-Paste this into the .conf file (don\'t forget to change the defaults,
|
|
|
-especially the domain)
|
|
|
-
|
|
|
- # the domain we want to get the cert for;
|
|
|
- # technically it's possible to have multiple of these lines, but it only worked
|
|
|
- # with one domain for me, another one only got one cert, so I would recommend
|
|
|
- # Separate config files per domain.
|
|
|
- domains = my-domain
|
|
|
-
|
|
|
- # increase key size
|
|
|
- rsa-key-size = 2048 # Or 4096
|
|
|
-
|
|
|
- # the current closed beta (as of 2015-Nov-07) is using this server
|
|
|
- server = https://acme-v01.api.letsencrypt.org/directory
|
|
|
-
|
|
|
- # this address will receive renewal reminders
|
|
|
- email = my-email
|
|
|
-
|
|
|
- # turn off the ncurses UI, we want this to be run as a cronjob
|
|
|
- text = True
|
|
|
-
|
|
|
- # authenticate by placing a file in the webroot (under .well-known/acme-upatechallenge/)
|
|
|
- # and then letting LE fetch it
|
|
|
- authenticator = webroot
|
|
|
- webroot-path = /var/www/letsencrypt/
|
|
|
-
|
|
|
-Obtain the cert from Let\'s Encrypt (again, replace example.com with
|
|
|
-your domain)
|
|
|
-
|
|
|
- cd /etc/dehydrated/certs
|
|
|
- /usr/local/sbin/dehydrated -c -f /etc/dehydrated/config
|
|
|
-
|
|
|
-**Set cert to auto-renew with other domains**
|
|
|
-
|
|
|
- cd /etc/fusionpbx
|
|
|
- vim renew-letsencrypt.sh
|
|
|
-
|
|
|
-Add the line below right below where it says \"cd /opt/letsencrypt/\"
|
|
|
-(again replace example.com with your domain)
|
|
|
-
|
|
|
-> /usr/local/sbin/dehydrated -c -f /etc/dehydrated/config
|
|
|
-> /usr/sbin/service nginx restart
|
|
|
-
|
|
|
-Finally, add your new domain to be loaded
|
|
|
-
|
|
|
-`vim /etc/nginx/includes/fusionpbx-domains`
|
|
|
-
|
|
|
-Paste the below at the very end of the file (again replace example.com
|
|
|
-with your domain)
|
|
|
-
|
|
|
- server {
|
|
|
- listen 443 ssl;
|
|
|
- server_name example.com;
|
|
|
- ssl on;
|
|
|
- ssl_certificate /etc/dehydrated/certs/example.com/fullchain.pem;
|
|
|
- ssl_certificate_key /etc/dehydrated/certs/example.com/privkey.pem;
|
|
|
-
|
|
|
- include /etc/nginx/includes/fusionpbx-default-config;
|
|
|
- }
|
|
|
-
|
|
|
-You\'re all set! Restart nginx for changes to take effect
|
|
|
-
|
|
|
-> `service nginx restart`
|
FusionPBX