3CX tech support answers: how to replace or renew an SSL certificate on a server

In this article, we will answer a fairly common question from our users: how to replace or renew the SSL certificate for the NGINX web server used in the 3CX system.

First of all, we will consider why it may be necessary to obtain, replace, or renew a certificate:

  • You use your own domain name for 3CX (of the form pbx.mybusiness.com). 3CX version 15 and above requires a trusted (signed) SSL certificate.
  • You decided to switch from the FQDN issued by 3CX (of the form mybusiness.3cx.eu) to your own domain name.
  • You are upgrading from previous versions of 3CX and must use a trusted certificate (only trusted certificates are allowed in 3CX 15 and above).
  • You have decided to cancel your 3CX update (Maintenance) subscription. We do not recommend giving up updates, since this can affect the quality of your business (and the savings can result in much greater losses). However, in this case you need to move 3CX to your own domain name, because without an update subscription, support for the FQDN and SSL certificate from 3CX ceases.

This article does not cover changing the FQDN; that was described earlier here and requires reinstalling 3CX. We will consider the procedure for obtaining a certificate and installing it on an already running server. That is, it is assumed that the FQDN of the server does not change, and all that needs to be done is to renew the certificate.

Obtaining a Let's Encrypt Certificate


There are many ways to obtain a trusted Let's Encrypt certificate, including automatically. However, we will only consider obtaining one manually through the https://zerossl.com service. Of course, you can purchase a paid certificate from a provider of your choice, but Let's Encrypt certificates are free and are used by many manufacturers of software and equipment, including 3CX (they are generated and issued automatically when you have an active subscription for updates).

Go to https://zerossl.com and open Online Tools - Zero SSL Certificate Wizard.

Specify the FQDN of the server for which the certificate will be generated, select DNS verification, accept the terms of service and click Next. Optionally, you can specify your e-mail. A certificate request will be generated. Then click Next again and a secret key will be generated. Download the CSR and Account Key files (they will come in handy in the future).

Next, you need to go through DNS verification, i.e. confirm that the selected server FQDN belongs to you. To do this, add the specified TXT record on your DNS server (this is often done by the hosting provider) and wait a while for the DNS cache to update.



Your certificate is ready. Download it and the secret key to your computer and rename them as follows:

  • domain-key.txt -> pbx.mybusiness.com-key.pem
  • domain-crt.txt -> pbx.mybusiness.com-crt.pem, where pbx.mybusiness.com is the FQDN of the 3CX server specified in the certificate generation wizard.



Having the certificate files, let's proceed with their installation.

Install a certificate on a 3CX server  


If you are installing a new system, then at the appropriate stage of the Initial Configuration Wizard, simply specify the certificate and key.



If the server is already installed and working, log in to it and open the folder:

  • Windows: C:\Program Files\3CX Phone System\Bin\nginx\conf\instance1
  • Linux: /var/lib/3cxpbx/Bin/nginx/conf/Instance1

You should see 3 files, as shown in the screenshot below.



Attention: if you see 5 files, then the FQDN and certificate issued by 3CX are in use. In this case, nothing needs to be changed!

Overwrite existing files with your files. After that, restart the NGINX service. On Windows, it is called 3CXPhoneSystem Nginx Server.
Now, by going to the 3CX interface, you can see the parameters of the new certificate.
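
Before overwriting the files in the instance folder, it is worth confirming that the new key matches the certificate, that the certificate is issued for the server's FQDN, and that it is not close to expiry, since NGINX will not start with a mismatched pair. The script below is an added example, not part of the original article or of 3CX tooling; the function name check_3cx_cert and the 30-day default are assumptions, and it requires the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not from the article): sanity-check a certificate/key pair
# named as the article describes (<FQDN>-crt.pem, <FQDN>-key.pem) before
# copying it into the 3CX nginx instance folder.
# Usage: check_3cx_cert <dir-with-new-files> <fqdn> [min-days-left]
# Returns 0 = OK, 1 = key mismatch, 2 = FQDN not in certificate,
#         3 = expires too soon, 4 = file missing or unreadable.
check_3cx_cert() {
    dir=$1; fqdn=$2; min_days=${3:-30}   # 30 days is an assumed default
    crt="$dir/$fqdn-crt.pem"
    key="$dir/$fqdn-key.pem"

    for f in "$crt" "$key"; do
        [ -r "$f" ] || { echo "missing: $f" >&2; return 4; }
    done

    # 1. The private key must correspond to the certificate's public key.
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 4
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 4
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "key does not match certificate" >&2; return 1
    fi

    # 2. The certificate must be issued for the server's FQDN.
    #    -checkhost reports its result as text, so match on the output.
    if ! openssl x509 -in "$crt" -noout -checkhost "$fqdn" 2>/dev/null |
            grep -q "does match certificate"; then
        echo "certificate is not valid for $fqdn" >&2; return 2
    fi

    # 3. The certificate must stay valid for at least min_days more days.
    if ! openssl x509 -in "$crt" -noout \
            -checkend $((min_days * 86400)) >/dev/null 2>&1; then
        echo "certificate expires within $min_days days" >&2; return 3
    fi

    echo "OK: $fqdn, expires $(openssl x509 -in "$crt" -noout -enddate | cut -d= -f2)"
}
```

Run it against the folder holding the renamed files, for example check_3cx_cert /tmp/newcert pbx.mybusiness.com, and copy the files into the instance folder only when it prints OK.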



As you can see, the certificate is valid for 3 months. Keep this in mind so that you do not forget to renew it on time!
