Zum Hauptinhalt springen
warning

We strongly recommend upgrading your PBX to the latest version rather than using this script method to renew certificates. This script will stop the PBX service for approximately 5-10 minutes during certificate generation and may cause service interruption for your users. Tested on Debian/Ubunutu 24.04

Vodia PBX Certificate Script - Quick Usage Guide

Prerequisites

  • Root access - Script must be run with sudo
  • Port 80 accessible - Must be reachable from internet for Let's Encrypt validation
  • PBX API credentials - Admin username and password
  • Valid domains - Domains must point to your server's IP address
  • DNS resolution - Domains must resolve properly (unless using --skip-dns)

Download the script

wget https://vodia.nyc3.cdn.digitaloceanspaces.com/builds/manual-cert.sh
chmod a+x ./manual-cert.sh

Basic Usage

sudo ./manual-cert.sh -u "https://PBX_ADMIN_URL" -l "admin" -p "password"

Command Line Options

Required Arguments

  • -u, --url - PBX API URL (e.g., https://PBX_ADMIN_URL)
  • -l, --login - PBX username
  • -p, --password - PBX password

Optional Arguments

  • -e, --email - Email for Let's Encrypt notifications (default: admin@vodia-teams.com)
  • -P, --port - HTTP server port (default: 91, recommended: 80)
  • -d, --dir - Certificate base directory (default: /etc/letsencrypt-vodia)
  • --skip-dns - Skip DNS validation (useful for testing)
  • --skip-access - Skip accessibility tests
  • --no-upload - Generate certificates only, don't upload to PBX
  • -h, --help - Show help message

What the Script Does

  1. Fetches domains - Automatically retrieves tenant domains from PBX API
  2. Validates domains - Checks DNS resolution and accessibility
  3. Stops PBX service - Temporarily stops to avoid port conflicts
  4. Generates certificates - Uses Let's Encrypt with HTTP challenge
  5. Restarts PBX service - Brings PBX back online
  6. Uploads certificates - Pushes certificates to PBX via /rest/system/certs API
  7. Creates summary - Generates detailed report of all operations

Example Commands

sudo ./manual-cert.sh -u "https://PBX_ADMIN_URL" -l "admin" -p "password" -P 80

Generate Certificates Only (No Upload)

sudo ./manual-cert.sh -u "https://PBX_ADMIN_URL" -l "admin" -p "password" --no-upload

Testing Mode (Skip Validations)

sudo ./manual-cert.sh -u "https://PBX_ADMIN_URL" -l "admin" -p "password" --skip-dns --skip-access

Custom Email and Port

sudo ./manual-cert.sh -u "https://PBX_ADMIN_URL" -l "admin" -p "password" -e "admin@company.com" -P 80

Output Files

Certificate Storage

  • Base directory: /etc/letsencrypt-vodia/
  • Per-domain folders: /etc/letsencrypt-vodia/[domain]/
  • Certificate files:
    • fullchain.pem - Certificate + intermediate chain
    • privkey.pem - Private key
    • [domain]_fullchain.pem - Named copy of fullchain
    • [domain]_privkey.pem - Named copy of private key

Summary Report

  • Location: /etc/letsencrypt-vodia/certificate_summary.txt
  • Contents: Domain status, expiration dates, file locations

Important Notes

Service Management

  • PBX service temporarily stops during certificate generation
  • Brief downtime expected (typically 30-60 seconds)
  • Automatic restart ensures normal operation resumes

Domain Processing

  • Only valid domains processed - Must resolve in DNS
  • Skips non-resolvable domains with warnings
  • Safe to re-run - Will renew existing certificates

Certificate Details

  • Validity period: 90 days (Let's Encrypt standard)
  • Automatic renewal - Can be scheduled via cron
  • Format: Standard PEM format compatible with Vodia PBX

API Integration

  • Upload endpoint: /rest/system/certs
  • Payload format: {'type':'domain','public':'cert+chain','private':'key'}
  • Authentication: Uses same credentials as domain fetch

Troubleshooting

Common Issues

  • Permission denied - Ensure running with sudo
  • Port conflicts - Make sure port 80/91 is available
  • DNS resolution fails - Check domain DNS settings
  • Upload fails - Verify PBX service is running and credentials are correct

Log Analysis

  • Console output - Real-time progress with timestamps
  • Error messages - Detailed error reporting for debugging
  • Summary report - Complete status of all operations

Security Considerations

  • Credentials - PBX credentials are used for API access
  • File permissions - Certificate files set to 600 (owner read/write only)
  • Root access - Required for certbot and service management
  • Network access - Script makes outbound connections to Let's Encrypt and PBX

Automation

Cron Setup

# Run monthly certificate renewal
0 2 1 * * /path/to/cert.sh -u "https://PBX_ADMIN_URL" -l "admin" -p "password" -P 80