I have deployed Let's Encrypt with Asterisk. Several key points:
- By default, Asterisk's system user cannot access `/etc/letsencrypt/live`. I solved this by copying (and chowning) the needed files into `/etc/asterisk/...` in my cron script that also takes care of refreshing the certs. This was actually the hardest part to figure out, because if Asterisk fails to open the cert/privkey file, it will report a generic certificate error and not a file access problem.
- You should use `fullchain.pem` as the `tlscertfile`; some clients may not trust Let's Encrypt's root cert yet.
- Some clients may not support Subject Alternative Names in certificates. I strongly suggest that the server name your clients use is the Common Name, i.e. the first domain specified when using `certbot`.
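The renewal-and-copy script the comment above describes, written out as an added example (this is not the commenter's script and not part of Asterisk). It assumes the Asterisk system user is named `asterisk`, that the copied files live in `/etc/asterisk/keys`, that `asterisk -rx "core reload"` is an acceptable way to pick up the new files, and that the real `certbot` live directory layout (`fullchain.pem` and `privkey.pem`) is in use. Because Asterisk reports only a generic certificate error when it cannot open the files, the script checks readability and that the key actually matches the certificate before touching Asterisk's copy:

```shell
#!/bin/sh
# Added example: refresh Let's Encrypt certs and copy them where Asterisk can read them.
# Assumptions (not from the original comment): Asterisk runs as user "asterisk",
# the copies go to /etc/asterisk/keys, and "asterisk -rx 'core reload'" reloads them.
#
# Point sip.conf / http.conf at the copies:
#   tlscertfile=/etc/asterisk/keys/fullchain.pem
#   tlsprivatekey=/etc/asterisk/keys/privkey.pem
#
# Example crontab line (assumed schedule):
#   17 3 * * * /usr/local/sbin/asterisk-letsencrypt.sh sip.example.com

# Return 0 if the certificate's public key equals the private key's public key
# (works for RSA and EC keys). Returns 0 without checking when openssl is absent.
cert_matches_key() {
    cert="$1"; key="$2"
    command -v openssl >/dev/null 2>&1 || return 0
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Copy fullchain.pem and privkey.pem from LIVE_DIR to DEST_DIR, owned by OWNER,
# mode 0640, written via a temp name so Asterisk never sees a half-written file.
# Returns 1 (and copies nothing) if a file is unreadable or the pair does not match.
install_asterisk_certs() {
    live_dir="$1"; dest_dir="$2"; owner="$3"
    for f in fullchain.pem privkey.pem; do
        if [ ! -r "$live_dir/$f" ]; then
            echo "cannot read $live_dir/$f" >&2
            return 1
        fi
    done
    if ! cert_matches_key "$live_dir/fullchain.pem" "$live_dir/privkey.pem"; then
        echo "fullchain.pem and privkey.pem in $live_dir do not match" >&2
        return 1
    fi
    mkdir -p "$dest_dir" || return 1
    for f in fullchain.pem privkey.pem; do
        cp "$live_dir/$f" "$dest_dir/$f.tmp" || return 1
        chown "$owner" "$dest_dir/$f.tmp" || return 1
        chmod 0640 "$dest_dir/$f.tmp" || return 1
        mv "$dest_dir/$f.tmp" "$dest_dir/$f" || return 1
    done
    return 0
}

# Full cron job: renew, install the copies, reload. Only runs when a domain is given,
# so the functions above can also be sourced and reused.
main() {
    domain="$1"
    certbot renew --quiet || exit 1
    # fullchain.pem (leaf + intermediate) is what goes into tlscertfile.
    install_asterisk_certs "/etc/letsencrypt/live/$domain" /etc/asterisk/keys asterisk || exit 1
    asterisk -rx "core reload" >/dev/null
}
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

The temp-name-then-rename step matters because cron may fire while Asterisk is mid-handshake; a rename is atomic on the same filesystem, so Asterisk either sees the old pair or the new one. Running `install_asterisk_certs` by hand with `-r` checks against the `asterisk` user (for example via `sudo -u asterisk test -r /etc/asterisk/keys/privkey.pem`) is the quickest way to rule out the permission problem that Asterisk itself hides behind a generic error.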