1. Download the file named le64.zip from the link below.
https://github.com/do-know/Crypt-LE/releases
2. Create a folder on C:\ and unzip the file there, for example C:\bat
3. Now create a bat file containing the script below and save it in the C:\bat folder
c:\bat\le64.exe --legacy --email address@domain.com.mv --key account.pbx.domain.com.mv.key --csr pbx.domain.com.mvcsr --csr-key pbx.domain.com.mv-key.pem --crt pbx.domain.com.mv-crt.pem --domains "pbx.domain.com.mv" --path C:\ProgramData\3CX\Instance1\Data\Http\webroot\.well-known\acme-challenge --generate-missing --unlink --live
copy /Y pbx.domain.com.mv-key.pem "%programfiles%\3CX Phone System\Bin\nginx\conf\instance1"
copy /Y pbx.domain.com.mv-crt.pem "%programfiles%\3CX Phone System\Bin\nginx\conf\instance1"
· The email address should be a valid one
· Wherever pbx.domain.com.mv is mentioned, replace it with your own domain name (FQDN)
· You may have to create the folders .well-known\acme-challenge. To create a folder whose name starts with a dot, open cmd and type mkdir .well-known
4. Navigate to the folder path C:\Program Files\3CX Phone System\Bin\nginx\conf and edit file nginx.conf as below (make sure you take a backup of this file before editing)
5. Navigate to the folder path C:\Program Files\3CX Phone System\Bin\nginx\conf\instance1 and rename the files within the folder as
6. Now make sure port 80 (http) is allowed through your firewall (port forwarding or NAT) to the server. The nginx server http port is 5000, so you can add a PAT with the outside access port as 80 and the inside port as 5000.
7. Now run the script file from C:\bat (script file created at step 3)
8. If everything goes right without error, you will find the response below from the script file.
C:\bat>BAT.BAT
C:\bat>c:\bat\le64.exe --legacy --email email@domain.com.mv --key account.pbx.taviyani.com.mv.key --csr pbx.domain.com.mvcsr --csr-key pbx.domain.com.mv-key.pem --crt pbx.domain.com.mv-crt.pem --domains "pbx.domain.com.mv" --path C:\ProgramData\3CX\Instance1\Data\Http\webroot\.well-known\acme-challenge --generate-missing --unlink --live
2020/08/05 12:59:10 [ ZeroSSL Crypt::LE client v0.35 started. ]
2020/08/05 12:59:10 Loading an account key from account.pbx.domain.com.mv.key
2020/08/05 12:59:10 Loading a CSR from pbx.domain.com.mvcsr
2020/08/05 12:59:13 Registering the account key
2020/08/05 12:59:14 The key is already registered. ID: 89317188747
2020/08/05 12:59:14 Current contact details: email@domain.com.mv
2020/08/05 12:59:15 Successfully saved a challenge file 'C:\ProgramData\3CX\Instance1\Data\Http\webroot\.well-known\acme-challenge/egL13sDn4wIGA5nmBUrWRT1LAgIg8S6JqIaG4b-k89hERqU' for domain 'pbx.domain.com.mv'
2020/08/05 12:59:18 Domain verification results for 'pbx.domain.com.mv': success.
2020/08/05 12:59:18 Challenge file 'C:\ProgramData\3CX\Instance1\Data\Http\webroot\.well-known\acme-challenge/egL13sDn4wIA5nmBUrWRLAgIg8SJqIaG4b-k89hERqU' has been deleted.
2020/08/05 12:59:18 Requesting domain certificate.
2020/08/05 12:59:19 Requesting issuer's certificate.
2020/08/05 12:59:19 Saving the domain certificate to pbx.domain.com.mv-crt.pem.
2020/08/05 12:59:19 Saving the issuer's certificate to pbx.domain.com.mv-crt.ca.
2020/08/05 12:59:19 The job is done, enjoy your certificate!
C:\bat>copy /Y pbx.domain.com.mv-key.pem "C:\Program Files\3CX Phone System\Bin\nginx\conf\instance1"
1 file(s) copied.
C:\bat>copy /Y pbx.domain.com.mv-crt.pem "C:\Program Files\3CX Phone System\Bin\nginx\conf\instance1"
1 file(s) copied.
C:\bat>
Now create a scheduled task to run every 90 days
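A check that can run after the batch file in the same scheduled task, added here as an example and not part of the original post: it confirms that the certificate copied into instance1 covers the FQDN, has enough validity left, and is the one nginx is actually serving. The HTTPS port 5001 and the 30-day threshold are assumptions; the FQDN and file names are the post's placeholders.

```powershell
# Added example, not from the original post: post-renewal certificate check.
# Assumptions: HTTPS port 5001 and the 30-day threshold are illustrative;
# the FQDN and file name are the post's placeholders.
param(
    [string]$Fqdn      = 'pbx.domain.com.mv',
    [string]$CertPath  = "$env:ProgramFiles\3CX Phone System\Bin\nginx\conf\instance1\pbx.domain.com.mv-crt.pem",
    [int]$HttpsPort    = 5001,
    [int]$MinDays      = 30
)
$ErrorActionPreference = 'Stop'
$problems = @()

# 1. Certificate on disk: does it list the FQDN, and how long is it still valid?
$onDisk   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$daysLeft = [math]::Floor(($onDisk.NotAfter - (Get-Date)).TotalDays)
$san      = $onDisk.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }  # subjectAltName
$sanText  = if ($san) { $san.Format($false) } else { '' }
if ($sanText -notmatch ('=' + [regex]::Escape($Fqdn) + '(,|$)')) {
    $problems += "SAN does not list $Fqdn (found: $sanText)"
}
if ($daysLeft -lt $MinDays) { $problems += "only $daysLeft day(s) of validity left" }

# 2. Certificate nginx is serving: is it the file that was just copied?
# Connects to loopback (no dependency on the port forward) and sends the FQDN as SNI.
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect('127.0.0.1', $HttpsPort)
    # The callback accepts any certificate because we only read it for comparison.
    $accept = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
    $ssl    = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
    $ssl.AuthenticateAsClient($Fqdn, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
    $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
    if ($served.Thumbprint -ne $onDisk.Thumbprint) {
        $problems += "nginx serves $($served.Thumbprint) but the file is $($onDisk.Thumbprint); was the service reloaded?"
    }
} catch {
    $problems += "TLS check on port $HttpsPort failed: $($_.Exception.Message)"
} finally {
    $tcp.Close()
}

# A non-zero exit code makes the scheduled task show the run as failed.
if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output "OK: $Fqdn, $daysLeft day(s) left, thumbprint $($onDisk.Thumbprint)"
```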
Many thanks for this, really useful and something I've wanted to sort for a long time but not had a chance.
Only clarification I would make for future me stumbling across this is ensure port 80 on 3CX external IP is forwarded to port 5000 on 3CX server IP.
Yes, it is required; however, if your server http is set to 80 then NAT tcp/80 to inbound traffic to server. If your server http service is running on tcp/5000 then a PAT is required from 5000 to 80
Huge thanks for publishing this. I'm getting a 403 error at the domain verification step:
error. Invalid response from http://my.domain.com/.well-known/acme-challenge
Seems like a permissions thing..?
The mind boggles as to why they make this stuff so difficult.
If you're using version 18 then please change the http value in the nginx.conf file to if ($scheme = 'http'){
set $block_remote "0";
thx