Automatic TLS Renewal for Genesis

Automatic Asterisk certificate renewal in a futuristic world (created by AI)
Created by DALL-E and ChatGPT4

Asterisk - and therefore Amtelco's Genesis - requires the use of a valid certificate for WebRTC clients. This enables our agents to take calls from more environments as the ecosystem continues the march towards the inevitable web-based future.

Right now, the current recommendation has been to purchase a TLS certificate (typically a 1-year duration), convert it to the necessary format (pem, complete with key and no passphrase), replace the existing certficiate on disk, and then restart the ISS service (Genesis/Asterisk control service from Amtelco) or more-often-than-not the whole server itself.

This requires a few minutes of downtime as the Genesis server reboots, which can be mitigated by paid-for features from Amtelco that rely on the open-source Kamailio proxy.

Asterisk is exposting a web-server for WebRTC purposes, so I wanted to figure out how we could automate certificate renewal using something like LetsEncrypt and the ACME protocol (i.e., certbot,win-acme, and other clients.)

The process would look something like this:

  • Install an ACME client (certbot) on our server
  • Request and save a certificate from LetsEncrypt
  • Restart Genesis (Asterisk) web module

As we dig deeper, it gets a little more interesting! We don't want to mess with opening TCP ports for HTTP-01 validation, so instead we can rely on the DNS-01 challenge from a supported DNS provider that hosts our subdomain.

After configuring our DNS provider with certbot, we can then use certbot certonly to save the certificate to our server - and no TCP ports were harmed in the process (heh).

We have a few more things to do before the certificate is live:

  • Backup the old certificate in case something goes wrong
  • Overwrite the existing certificate with our LetsEncrypt certificate/key
  • Restart Asterisk modules to pick up the new certificate

The first two items are fairly straightforward cp and mv commands - it's restarting Asterisk (Genesis) without rebooting the entire server that becomes the problem.

Luckily, we can reference the iss.properties file that includes the Asterisk AMI details including:

  • ami.socket.ipaddress
  • ami.socket.ipport
  • ami.socket.username
  • ami.socket.password

With this information, we can use the built-in Asterisk AMI commands to reload the Asterisk modules - without the need for a reboot.

In the environment testing we performed, users on live calls in Amtelco's Web Agent were not impacted - meaning it seems to be safe to run in an automated fashion (which will be roughly every 45 days as per LetsEncrypt operations.)

If you can confirm/deny this behavior in your particular environment, I'd love to hear from you!

Hopefully this gives you some ideas on automating your certificates with Amtelco Genesis WebRTC. For customers, we've made a complete guide that uses Cloudflare and certbot to update your certificate:

Call Theory
https://learn.calltheory.com/docs/amtelco/genesis/update-genesis-certificate/

The guide includes everything from installing prerequisites like certbot, configuring the DNS provider securely, a script that can be used as a deploy-hook to update the certificate when successful, and how to check that the certificate was applied.

Please also consider supporting the EFF and certbot.

Electronic Frontier Foundation
Defending your rights in the digital world