warning
We strongly recommend upgrading your PBX to the latest version rather than using this script method to renew certificates. This script will stop the PBX service for approximately 5-10 minutes during certificate generation and may cause service interruption for your users. Tested on Debian/Ubuntu 24.04.
Vodia PBX Certificate Script - Quick Usage Guide
Prerequisites
- Root access - Script must be run with sudo
- Port 80 accessible - Must be reachable from internet for Let's Encrypt validation
- PBX API credentials - Admin username and password
- Valid domains - Domains must point to your server's IP address
- DNS resolution - Domains must resolve properly (unless using --skip-dns)
Download the script
wget https://vodia.nyc3.cdn.digitaloceanspaces.com/builds/manual-cert.sh
chmod a+x ./manual-cert.sh
Basic Usage
sudo ./manual-cert.sh -u "https://PBX_ADMIN_URL" -l "admin" -p "password"
Command Line Options
Required Arguments
-u, --url - PBX API URL (e.g., https://PBX_ADMIN_URL)
-l, --login - PBX username
-p, --password - PBX password
Optional Arguments
-e, --email - Email for Let's Encrypt notifications (default: admin@vodia-teams.com)
-P, --port - HTTP server port (default: 91, recommended: 80)
-d, --dir - Certificate base directory (default: /etc/letsencrypt-vodia)
--skip-dns - Skip DNS validation (useful for testing)
--skip-access - Skip accessibility tests
--no-upload - Generate certificates only, don't upload to PBX
-h, --help - Show help message
What the Script Does
- Fetches domains - Automatically retrieves tenant domains from PBX API
- Validates domains - Checks DNS resolution and accessibility
- Stops PBX service - Temporarily stops to avoid port conflicts
- Generates certificates - Uses Let's Encrypt with HTTP challenge
- Restarts PBX service - Brings PBX back online
- Uploads certificates - Pushes certificates to PBX via the /rest/system/certs API
- Creates summary - Generates detailed report of all operations
Example Commands
Standard Usage (Recommended)
sudo ./manual-cert.sh -u "https://PBX_ADMIN_URL" -l "admin" -p "password" -P 80
Generate Certificates Only (No Upload)
sudo ./manual-cert.sh -u "https://PBX_ADMIN_URL" -l "admin" -p "password" --no-upload
Testing Mode (Skip Validations)
sudo ./manual-cert.sh -u "https://PBX_ADMIN_URL" -l "admin" -p "password" --skip-dns --skip-access
Custom Email and Port
sudo ./manual-cert.sh -u "https://PBX_ADMIN_URL" -l "admin" -p "password" -e "admin@company.com" -P 80
Output Files
Certificate Storage
- Base directory: /etc/letsencrypt-vodia/
- Per-domain folders: /etc/letsencrypt-vodia/[domain]/
- Certificate files:
  - fullchain.pem - Certificate + intermediate chain
  - privkey.pem - Private key
  - [domain]_fullchain.pem - Named copy of fullchain
  - [domain]_privkey.pem - Named copy of private key
Summary Report
- Location: /etc/letsencrypt-vodia/certificate_summary.txt
- Contents: Domain status, expiration dates, file locations
Important Notes
Service Management
- PBX service temporarily stops during certificate generation
- Brief downtime expected (typically 30-60 seconds)
- Automatic restart ensures normal operation resumes
Domain Processing
- Only valid domains processed - Must resolve in DNS
- Skips non-resolvable domains with warnings
- Safe to re-run - Will renew existing certificates
Certificate Details
- Validity period: 90 days (Let's Encrypt standard)
- Automatic renewal - Can be scheduled via cron
- Format: Standard PEM format compatible with Vodia PBX
API Integration
- Upload endpoint: /rest/system/certs
- Payload format: {'type':'domain','public':'cert+chain','private':'key'}
- Authentication: Uses same credentials as domain fetch
Troubleshooting
Common Issues
- Permission denied - Ensure running with sudo
- Port conflicts - Make sure port 80/91 is available
- DNS resolution fails - Check domain DNS settings
- Upload fails - Verify PBX service is running and credentials are correct
Log Analysis
- Console output - Real-time progress with timestamps
- Error messages - Detailed error reporting for debugging
- Summary report - Complete status of all operations
Security Considerations
- Credentials - PBX credentials are used for API access and are passed as command-line arguments (-l, -p)
- File permissions - Certificate files set to 600 (owner read/write only)
- Root access - Required for certbot and service management
- Network access - Script makes outbound connections to Let's Encrypt and PBX
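A post-run check of the storage layout and the points above, as an added example that is not part of manual-cert.sh or Vodia's tooling: it walks the per-domain folders and flags any private-key file whose mode is not 600, any certificate that expires within a threshold, and any key that does not match its certificate. The function names and the 30-day default are assumptions; it needs GNU stat and the openssl CLI.

```bash
#!/usr/bin/env bash
# Added example (not part of manual-cert.sh): audit the script's output directory.
# Assumes GNU stat and the openssl CLI; function names and thresholds are illustrative.
# Usage: sudo bash <this file> /etc/letsencrypt-vodia [min_days]

# Print the octal mode of a file, e.g. 600.
file_mode() { stat -c '%a' "$1"; }

# Succeed only if the file is mode 600, the mode the guide states for certificate files.
key_mode_ok() { [ "$(file_mode "$1")" = "600" ]; }

# Succeed if the certificate in $1 stays valid for at least $2 more days.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Succeed if the leaf certificate in $1 and the private key in $2 share a public key.
key_matches_cert() {
    local a b
    a=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    b=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Walk <base>/<domain>/ folders, print one line per finding, return 1 if any.
audit_dir() {
    local base="$1" days="${2:-30}" rc=0 dir cert key k
    for dir in "$base"/*/; do
        [ -d "$dir" ] || continue
        cert="${dir}fullchain.pem"; key="${dir}privkey.pem"
        for k in "$dir"*privkey.pem; do   # privkey.pem and the [domain]_privkey.pem copy
            [ -f "$k" ] || continue
            key_mode_ok "$k" || { echo "PERMS    $k mode $(file_mode "$k"), expected 600"; rc=1; }
        done
        if [ ! -f "$cert" ] || [ ! -f "$key" ]; then
            echo "MISSING  ${dir}: fullchain.pem or privkey.pem not found"; rc=1; continue
        fi
        cert_valid_for_days "$cert" "$days" || { echo "EXPIRY   $cert unreadable or expires within $days days"; rc=1; }
        key_matches_cert "$cert" "$key" || { echo "MISMATCH $key does not match $cert"; rc=1; }
    done
    return "$rc"
}

if [ "$#" -gt 0 ]; then audit_dir "$@"; fi
```

A non-zero exit status means at least one finding was printed, so the check can follow a scheduled renewal and alert on failure.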
Automation
Cron Setup
# Run monthly certificate renewal (install in root's crontab; the script requires root)
0 2 1 * * /path/to/manual-cert.sh -u "https://PBX_ADMIN_URL" -l "admin" -p "password" -P 80