Create a Let's Encrypt SSL certificate for FusionPBX on Debian 9

Let's Encrypt

This assumes FusionPBX was installed using this FusionPBX install guide or the public install script. This procedure should work for root domains, subdomains, and wildcards.

Tested using:

* Certbot v0.28 (included with Debian 9)
* Fusionpbx 4.4
* Debian 9
* Nginx

Install

apt install certbot

Create verification directory if it does not already exist

mkdir -p /var/www/letsencrypt
chown -R www-data. /var/www/letsencrypt

Edit the nginx site config so that the HTTP (port 80) server block serves the verification directory.

nano /etc/nginx/sites-available/fusionpbx

server {
    listen 80;
    server_name fusionpbx;

    # serve Let's Encrypt verification files from the verification directory
    location ^~ /.well-known/acme-challenge {
        default_type "text/plain";
        auth_basic "off";
        alias /var/www/letsencrypt;
    }

    # ... rest of the existing server block unchanged ...
}

systemctl reload nginx
Generate Certificate

Run this each time a new domain or subdomain is added. Every run must include all previously issued domains as well as the new one.

# Add -d subdomain.domain -d *.domain etc.
# for each domain, subdomain, and wildcard used

certbot certonly --manual --preferred-challenges=dns --email [email protected] \
--server https://acme-v02.api.letsencrypt.org/directory --agree-tos \
-d pbx.somedomain.com \
-d *.pbx.somedomain.com \
-d pbx.someotherdomain.com \
-d mypbxdomain.com

Certbot will ask you to prove ownership of each domain by giving you a TXT record to create for it. You will need to create this TXT record at your domain provider (registrar or DNS host).

_acme-challenge.subdomain.somedomain.com with the following value:
4ixUKJm50KTtD6pOK99jvjW1n2lRJaTMJWx0rU7EUeY

In a PuTTY shell, press and hold the left mouse button, highlight the text, then release the button. The text is now in your clipboard and can be pasted into your domain registrar's form. If you try to copy with CTRL-C, the script will exit and you will have to start over.

Open a separate bash shell and check that the TXT record has propagated before pressing ENTER in certbot.

apt install -y dnsutils
dig -t txt _acme-challenge.subdomain.somedomain.com

It may take some time for the record to propagate to your downstream (recursive) nameserver.
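The check above, as an added example script that is not part of the original guide: it derives the _acme-challenge name for each requested domain (a wildcard and its base name share one record name, so both values must be present at the same name) and polls a resolver with dig until the expected value is visible. Assumes dnsutils is installed as above; the resolver address and record values are passed on the command line.

```shell
#!/bin/sh
# Added example, not from the original guide: confirm the TXT records
# certbot asked for are visible before pressing ENTER.  Needs dig (dnsutils).

# Name certbot expects the TXT record at.  "*.pbx.somedomain.com" and
# "pbx.somedomain.com" both map to _acme-challenge.pbx.somedomain.com,
# so that one name must carry two TXT values when both are requested.
acme_txt_name() {
    printf '_acme-challenge.%s\n' "${1#\*.}"
}

# True if the expected value (2nd arg) is one of the TXT strings in
# dig +short output (1st arg).  Pure, so it can be checked without network.
txt_output_has() {
    printf '%s\n' "$1" | tr -d '"' | grep -qxF -- "$2"
}

# Poll a resolver until the record carries the expected value.
# wait_for_txt <resolver> <name> <value> [attempts] [sleep-seconds]
wait_for_txt() {
    resolver="$1"; name="$2"; value="$3"
    attempts="${4:-30}"; delay="${5:-10}"
    i=0
    while [ "$i" -lt "$attempts" ]; do
        out="$(dig +short @"$resolver" -t txt "$name" 2>/dev/null)"
        if txt_output_has "$out" "$value"; then
            echo "ok: $name has the expected value at $resolver"
            return 0
        fi
        i=$((i + 1))
        sleep "$delay"
    done
    echo "timeout: $name not yet visible at $resolver" >&2
    return 1
}

# Usage: sh acme-txt-check.sh <resolver> <domain> <value> [<domain> <value> ...]
# e.g.   sh acme-txt-check.sh 8.8.8.8 '*.pbx.somedomain.com' 4ixUKJm50KT...
main() {
    resolver="$1"; shift
    status=0
    while [ "$#" -ge 2 ]; do
        wait_for_txt "$resolver" "$(acme_txt_name "$1")" "$2" || status=1
        shift 2
    done
    return "$status"
}

if [ "$#" -ge 3 ]; then main "$@"; fi
```

Check against the domain's authoritative nameserver first, then against the recursive resolver you normally use; Let's Encrypt queries the authoritative servers, so a value visible there is what matters.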

Add the successfully generated certificate to nginx.

nano /etc/nginx/sites-available/fusionpbx

server {
    listen 443;
    server_name fusionpbx;
    ssl                     on;
    # self-signed certificate from the install, now replaced by Let's Encrypt
    # ssl_certificate         /etc/ssl/certs/nginx.crt;
    # ssl_certificate_key     /etc/ssl/private/nginx.key;
    ssl_certificate /etc/letsencrypt/live/subdomain.somedomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/subdomain.somedomain.com/privkey.pem;
    # TLSv1 and TLSv1.1 are deprecated; drop them unless legacy clients still need them
    ssl_protocols           TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers             HIGH:!ADH:!MD5:!aNULL;

    # ... rest of the existing server block unchanged ...
}

systemctl reload nginx

Automatic Renewal

crontab -e

# In this example, the command is run at 1:02 am on Sundays.
2 1 * * 0 /usr/bin/certbot renew

Certificates will not renew until after 60 days by default; earlier runs of certbot renew simply report that no renewal is due.
