ViciBox supports SSL out of the box with a self-signed certificate. While functional, it is not recommended to use this certificate at all. It’s merely a placeholder for a real SSL certificate.
For clusters it’s recommended to use a wildcard SSL certificate. These are available from several Certificate Authorities including the free providers. Commercial SSL providers tend to be less problematic and require yearly renewals. The free SSL providers generally require that the certificate be renewed every 30 to 90 days through an automated process. It’s this automated process in conjunction with firewalls that tends to be an issue.
Before SSL can be set up, the server needs a Fully Qualified Domain Name, aka ‘FQDN’. For example, if ‘your.domain.com’ is the FQDN for the server, then the ViciDial web interface should be accessible at ‘http://your.domain.com’ in a web browser. Until this is working correctly, no SSL certificate will work either.
To help SSL certificates work across a cluster without requiring multiple WebRTC templates, there is a common file location that Apache and Asterisk are configured to use. By default the self-signed certificate is located there. To install your own certificates, a symlink should be created from the actual SSL certificate to the common one.
Optional Certificate Authority Chain
If vicibox-ssl is used then no common configuration is needed. The common config is handled as part of it.
The SSL certificates can be symlinked to the common vicibox certificates to help simplify setup.

    cd /etc/apache2/ssl.crt
    mv vicibox.crt vicibox.crt.old
    ln -s /file/path/to/ssl.crt vicibox.crt
    cd /etc/apache2/ssl.key
    mv vicibox.key vicibox.key.old
    ln -s /file/path/to/ssl.key vicibox.key
    service apache2 restart
    asterisk -rx "core restart now"

Verify that SSL is working by going to https://your.domain.com in a web browser. If there are no SSL warnings then it’s installed correctly.
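The symlinked pair can also be checked from the command line, which catches problems a browser warning does not explain (a dangling symlink, a key that does not belong to the certificate, a renewal that silently stopped). This is an added example, not part of ViciBox: the function name check_ssl_pair and the 14-day default threshold are assumptions, the two paths are the common locations given on this page, and the openssl command-line tool is required.

```shell
#!/bin/sh
# Added example, not part of ViciBox. Requires the openssl command-line tool.

# check_ssl_pair CERT KEY FQDN [MIN_DAYS]   (hypothetical helper name)
# Prints one line per finding; returns 0 only if every check passes.
check_ssl_pair() {
    crt=$1; key=$2; fqdn=$3; min_days=${4:-14}; rc=0

    # -r follows symlinks, so a dangling vicibox.crt/vicibox.key link fails here.
    for f in "$crt" "$key"; do
        [ -r "$f" ] || { echo "FAIL: $f is missing or unreadable"; return 1; }
    done

    # 1. The certificate and the key must carry the same public key.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || crt_pub=
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=
    if [ -z "$crt_pub" ] || [ "$crt_pub" != "$key_pub" ]; then
        echo "FAIL: certificate and key do not belong together"; rc=1
    fi

    # 2. The certificate must cover the FQDN (wildcard names are honoured).
    openssl x509 -in "$crt" -noout -checkhost "$fqdn" 2>/dev/null \
        | grep -q 'does match' \
        || { echo "FAIL: certificate does not cover $fqdn"; rc=1; }

    # 3. -checkend exits non-zero when the certificate expires within N seconds,
    #    which is how a renewal job blocked by the firewall shows up.
    openssl x509 -in "$crt" -noout -checkend $((min_days * 86400)) >/dev/null 2>&1 \
        || { echo "FAIL: certificate expires within $min_days days"; rc=1; }

    # 4. Subject equal to issuer means self-signed, i.e. likely still the placeholder.
    subj=$(openssl x509 -in "$crt" -noout -subject 2>/dev/null | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$crt" -noout -issuer 2>/dev/null | sed 's/^issuer= *//')
    [ "$subj" != "$iss" ] || echo "WARN: certificate is self-signed"

    return $rc
}

# With an FQDN as first argument, check the common ViciBox locations from this page.
if [ -n "${1:-}" ]; then
    check_ssl_pair /etc/apache2/ssl.crt/vicibox.crt \
                   /etc/apache2/ssl.key/vicibox.key "$1" "${2:-14}"
fi
```

Saved to a file and run as root with the FQDN as its argument, it exits non-zero on any FAIL line, so it can also be called from cron to report a stalled renewal.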
To help secure the web interface on the internet ViciBox comes with vicibox-ssl. This script sets up free SSL certificates through the Let’s Encrypt certificate authority and the acme.sh client. There is also an included acme-renew.sh script designed to help renew SSL certs when the local firewall is running. This is all handled automatically during the setup.
Fully Qualified Domain Name (FQDN)
EMail Alert Address
If not already, log in as the root user to get to the # command prompt.
ENTER to start the setup process.
Type in the EMail address to use for the SSL certificate, I.E.
Type in the FQDN to use for the SSL certificate, I.E.
After reviewing the typed-in information, press ENTER to start the automated setup process. If the SSL setup fails for whatever reason, an error message will be displayed.
After an SSL certificate is generated, press ENTER to enable the new certificate in Apache and Asterisk.
ENTER to set up the needed crontab entry for cert renewal.
Once back at the # command prompt, verify that Asterisk has loaded the SSL certs by running asterisk -rx "http show status". It should say HTTPS Server Enabled.
The last test is to go to https://your.domain.com and verify that the browser is secure.
- Run vicibox-ssl
- Set up new SSL cert
- Verify Asterisk loaded new cert
- Verify https in web browser