<div><div dir="auto">Hi David,</div><div dir="auto"><br></div><div dir="auto">The order to create the .pem file would be:</div><div dir="auto"><br></div><div dir="auto">private-key</div><div dir="auto">certificate</div><div dir="auto">intermediate1</div><div dir="auto">intermediate...X</div><div dir="auto"><br></div><br><div class="gmail_quote"><div>On Thu, May 31, 2018 at 15:40 David P <<a href="mailto:davidswalkabout@gmail.com">davidswalkabout@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="auto">Hi Joel,<div dir="auto"><br></div><div dir="auto">I'm on mobile now, but when I looked at the certbot install page for debian-jessie manual install, it links to backports page, and that page warns it's not prod-ready, IIRC.</div><div dir="auto"><br></div><div dir="auto">My EC2 is already in the state described by your steps. The question is how to create wss.pem (and dtls-srtp.pem?) from the pem's installed by certbot.</div><div dir="auto"><br></div><div dir="auto">Cheers,</div><div dir="auto">David</div></div><br><div class="gmail_quote"><div>On Thu, 31 May 2018, 9:55 am Joel Serrano, <<a href="mailto:joel@textplus.com" target="_blank">joel@textplus.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div>Hi David, <div><br></div><div>I don't understand your issues with goal 2 using let's encrypt, that option certainly works and is widely used. W<span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">hat problems are you facing? 
If you don't have enough confidence on backports you can always download the latest stable release of certbot: <a href="https://certbot.eff.org/lets-encrypt/pip-other" rel="noreferrer" target="_blank">https://certbot.eff.org/lets-encrypt/pip-other</a></span></div><div><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline"><br></span></div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div><span style="text-align:start;text-indent:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline"><div><i>Install</i></div></span></div><div><span style="text-align:start;text-indent:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline"><div><i>Since it doesn't seem like your operating system has a packaged version of Certbot, you should use our certbot-auto script to get a copy:</i></div></span></div><div><span style="text-align:start;text-indent:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline"><div><i><br></i></div></span></div><div><span style="text-align:start;text-indent:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline"><div><i>wget <a href="https://dl.eff.org/certbot-auto" rel="noreferrer" target="_blank">https://dl.eff.org/certbot-auto</a></i></div></span></div><div><span 
style="text-align:start;text-indent:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline"><div><i>chmod a+x certbot-auto</i></div></span></div></blockquote><div><br></div><div>But, Certbot themselves are recommending installation on debian jessie using the backports repository:</div><div><br></div><blockquote style="margin:0 0 0 40px;border:none;padding:0px"><div><div><i>Install</i></div></div><div><div><i>Since Certbot is packaged for your system, all you'll need to do is apt-get the following packages.</i></div></div><div><div><i><br></i></div></div><div><div><i>First you'll have to follow the instructions here to enable the Jessie backports repo, if you have not already done so. Then run:</i></div></div><div><div><i><br></i></div></div><div><div><i>$ sudo apt-get install certbot -t jessie-backports</i></div></div></blockquote><div><br></div><div><br></div><div>What are your concerns regarding using certbot installed from jessie-backports?</div><div><br></div><div><br></div><div><br></div><div>Going back to the topic, if you created /etc/freeswitch before installing the packages, the installer will not deploy the vanilla config.</div><div><br></div><div>I assume you installed from packages (as it's the recommended easy way), if so, uninstall them, delete /etc/freeswitch, then install again:</div><div><br></div><div>1- Add signing key and repo (only done once, you should have already done this):</div><div><br></div><div><div>wget -O - <a href="https://files.freeswitch.org/repo/deb/debian/freeswitch_archive_g0.pub" rel="noreferrer" target="_blank">https://files.freeswitch.org/repo/deb/debian/freeswitch_archive_g0.pub</a> | apt-key add - </div><div>echo "deb <a href="http://files.freeswitch.org/repo/deb/freeswitch-1.6/" rel="noreferrer" target="_blank">http://files.freeswitch.org/repo/deb/freeswitch-1.6/</a> jessie main" > /etc/apt/sources.list.d/freeswitch.list</div><div><br></div><div>2- Remove 
current installation:</div><div><br></div><div>apt-get purge freeswitch*</div><div><br></div><div>3- Make sure /etc/freeswitch doesn't exist:</div><div><br></div><div>rm -rf /etc/freeswitch</div><div><br></div><div>4- Install freeswitch:</div><div><br></div><div>apt-get update && apt-get install -y freeswitch-meta-all</div></div><div><br></div><div><br></div><div>Done! </div><div><br></div><div>You should have /etc/freeswitch deployed, and you can start doing your updates in /etc/freeswitch/sip_profiles etc...</div><div><br></div><div><br></div><div><br></div><div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, May 30, 2018 at 4:33 PM, David P <span><<a href="mailto:davidswalkabout@gmail.com" rel="noreferrer" target="_blank">davidswalkabout@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div>Hi Joel and Branden,<div><br></div><div>I have three goals:</div><div>1) To have an FS install that secures all WebRTC and SIP traffic to it</div><div>2) An install that doesn't require WebRTC users to manually fetch the certificate
<br>3) An install that uses only production-ready software
</div><div><br></div><div>For goal 1, Mike and Giovanni have said a Debian Jessie minimal is the best or only choice.</div><div><br></div><div>For goal 2, I'm avoiding gentls_cert and its self-signed certs. As a first attempt, I'm trying to get a free CA cert from LetsEncrypt via certbot. Unfortunately, doing this on debian jessie requires that I use backports that are described as "as-is", so I'm sacrificing goal 3 for the time being.</div><div><br></div><div>In order to inform FS where it can find the private key, cert, and chain, I was planning to introduce soft links to the files that certbot put under /etc/letsencrypt/live/<a href="http://my.domain.com/" rel="noreferrer" target="_blank">my.domain.com/</a></div><div><br></div><div>I'm ready to do that, except that sip_profiles/internal.xml isn't where it normally would be, because I followed <a href="https://freeswitch.org/confluence/display/FREESWITCH/Debian+8+Jessie#highlighter_549778" rel="noreferrer" target="_blank">https://freeswitch.org/confluence/display/FREESWITCH/Debian+8+Jessie#highlighter_549778</a> and created /etc/freeswitch/ without knowing why I should do that. So  /usr/local/freeswitch/  does not exist, unfortunately. Also, echo ${prefix} is blank. 
So, I did a find from slash for internal.xml and found four matches:</div><div><br></div><div><div>/usr/share/freeswitch/conf/insideout/sip_profiles/internal.xml</div><div>/usr/share/freeswitch/conf/sbc/sbc_profiles/internal.xml</div><div>/usr/share/freeswitch/conf/vanilla/sip_profiles/internal.xml</div><div>/usr/share/freeswitch/conf/vanilla/skinny_profiles/internal.xml</div><div><br></div><div>Which of these should I edit?</div><div><br></div><div>Also, is it necessary to concatenate my private key, cert, and chain into a "wss.pem" as suggested at <a href="https://freeswitch.org/confluence/display/FREESWITCH/WebRTC#highlighter_647427" rel="noreferrer" target="_blank">https://freeswitch.org/confluence/display/FREESWITCH/WebRTC#highlighter_647427</a></div><div><br></div><div>Cheers,</div><div>David</div><span class="m_8298173246442208733m_7455688021990066964gmail-"><div class="gmail_extra"><br><div class="gmail_quote">On Tue, May 29, 2018 at 12:34 PM, Joel Serrano <span><<a href="mailto:joel@textplus.com" rel="noreferrer" target="_blank">joel@textplus.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div>Hi David, <div><br></div><div>So it all depends.. Those docs are just introductions to get a setup "up and running". For example, in the docs you generate self-signed certificates that (although perfectly valid) can give you issues with browsers because their CA is not trusted, etc. Regarding expiration, it all depends, as this is something you choose. </div><div><br></div><div>Going down to your specific problems:</div><div><br></div><div>1- ..${prefix}.. 
is just a variable, that will be replaced with a value, normally /usr/local/freeswitch, but can be anything (depending on where you installed FS).</div><div>2- When it comes to the "path" that you specify in the config for the certificates, it can also be anything, the important part is that you make sure that the user you run FS with has access to reading those files. If you don't like using ${prefix} you can directly set /path/to/your/certs, just remember double checking the permissions.</div><div>3- When you renew your certificate, you will have to make FS aware of that, I'd have to check but I'm pretty sure that after updating the files a sofia profile rescan should be enough.</div></div></blockquote></div></div></span></div></div>
<br>_________________________________________________________________________<br>
Professional FreeSWITCH Services<br>
<a href="mailto:sales@freeswitch.com" rel="noreferrer" target="_blank">sales@freeswitch.com</a><br>
<a href="https://freeswitch.com" rel="noreferrer noreferrer" target="_blank">https://freeswitch.com</a><br>
<br>
Official FreeSWITCH Sites<br>
<a href="https://freeswitch.com/oss" rel="noreferrer noreferrer" target="_blank">https://freeswitch.com/oss</a><br>
<a href="https://freeswitch.org/confluence" rel="noreferrer noreferrer" target="_blank">https://freeswitch.org/confluence</a><br>
<a href="https://cluecon.com" rel="noreferrer noreferrer" target="_blank">https://cluecon.com</a><br>
<br>
FreeSWITCH-users mailing list<br>
<a href="mailto:FreeSWITCH-users@lists.freeswitch.org" rel="noreferrer" target="_blank">FreeSWITCH-users@lists.freeswitch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" rel="noreferrer noreferrer" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" rel="noreferrer noreferrer" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
<a href="https://freeswitch.com" rel="noreferrer noreferrer" target="_blank">https://freeswitch.com</a><br></blockquote></div><br></div></div></div>
</blockquote></div>
</blockquote></div></div>
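<div>An added example (not code from this thread or from the FreeSWITCH project) that builds wss.pem in the order Joel gives above: private key, then the certificate, then the intermediates. It assumes certbot's usual file names in the /etc/letsencrypt/live/my.domain.com/ directory David mentions (privkey.pem, cert.pem, chain.pem; fullchain.pem is cert.pem followed by chain.pem, so "privkey.pem fullchain.pem" yields the same bundle), and the output path is whatever you point internal.xml at. The placeholder PEM files it writes for the stand-alone run are constructed and contain no real key or certificate material.</div>

```shell
#!/bin/sh
# Added example, not code from the thread or the FreeSWITCH project.
# Assembles wss.pem in the order given in the thread (private key, certificate,
# intermediates) from the files certbot leaves in a live/<domain> directory.
# certbot's chain.pem holds the intermediates and fullchain.pem is cert.pem
# followed by chain.pem. The live directory and output path come from the caller.

set -u

# build_wss_pem LIVE_DIR OUT_FILE
# Concatenate privkey.pem, cert.pem and chain.pem, in that order, into OUT_FILE.
# The bundle contains the private key, so it is (re)created with mode 0600.
# chown it to the user FreeSWITCH runs as afterwards; that name is site specific
# and not assumed here.
build_wss_pem() {
    live="$1"; out="$2"
    for f in privkey.pem cert.pem chain.pem; do
        if [ ! -r "$live/$f" ]; then
            echo "build_wss_pem: cannot read $live/$f" >&2
            return 1
        fi
    done
    # Remove any old copy so the restrictive umask applies; subshell keeps the
    # umask change from leaking into the caller.
    rm -f "$out" &&
    ( umask 077 && cat "$live/privkey.pem" "$live/cert.pem" "$live/chain.pem" > "$out" )
}

# pem_block_count FILE: number of PEM blocks in FILE (0 when there are none).
pem_block_count() {
    grep -c '^-----BEGIN ' "$1" || true
}

# check_pem_order FILE
# Succeeds only if the first PEM block is a private key and every following
# block is a certificate: key, leaf, intermediates, as the thread prescribes.
check_pem_order() {
    first=$(grep -m 1 '^-----BEGIN ' "$1" || true)
    case "$first" in
        *"PRIVATE KEY-----") ;;
        *) echo "check_pem_order: first block is '$first', not a private key" >&2; return 1 ;;
    esac
    total=$(pem_block_count "$1")
    certs=$(grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true)
    # exactly one key, plus at least the leaf certificate
    [ "$certs" -ge 1 ] && [ "$total" -eq $((certs + 1)) ]
}

# write_placeholder_live DIR
# Writes CONSTRUCTED placeholder files using certbot's file names so the example
# runs offline. The bodies are not real key or certificate material.
write_placeholder_live() {
    mkdir -p "$1"
    printf -- '-----BEGIN PRIVATE KEY-----\nPLACEHOLDERKEY\n-----END PRIVATE KEY-----\n' > "$1/privkey.pem"
    printf -- '-----BEGIN CERTIFICATE-----\nPLACEHOLDERLEAF\n-----END CERTIFICATE-----\n' > "$1/cert.pem"
    printf -- '-----BEGIN CERTIFICATE-----\nPLACEHOLDERINTERMEDIATE1\n-----END CERTIFICATE-----\n' > "$1/chain.pem"
    cat "$1/cert.pem" "$1/chain.pem" > "$1/fullchain.pem"
}

# Stand-alone demonstration on the placeholder input.
demo_dir=$(mktemp -d)
write_placeholder_live "$demo_dir/live/my.domain.com"
build_wss_pem "$demo_dir/live/my.domain.com" "$demo_dir/wss.pem"
check_pem_order "$demo_dir/wss.pem" &&
    echo "wss.pem: $(pem_block_count "$demo_dir/wss.pem") PEM blocks, private key first"
```

<div>Run build_wss_pem from a certbot renewal hook (certbot's --deploy-hook option) so the bundle is rebuilt every time the certificate is reissued; the bundle then has to be picked up by FreeSWITCH, which in the thread Joel expects a sofia profile rescan to handle. Because the file holds the private key, keep it 0600 and owned by the FreeSWITCH user rather than widening permissions on the /etc/letsencrypt tree.</div>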