By default, the FreePBX administration page operates on the unencrypted port 80 (HTTP). This means that all data, including usernames and passwords, is transmitted in plain text, making it easy to intercept, even by amateur hackers. While this may not be a significant issue if you only intend to manage your telephone exchange within a local LAN (provided no unauthorised individuals have access to your network), it is essential to encrypt the transmitted data if you plan to access the FreePBX dashboard from the internet. This can be achieved using a free Let’s Encrypt SSL certificate and the encrypted HTTPS protocol.
Furthermore, certain services will not function without a valid SSL certificate installed, such as WebRTC, Sangoma Zulu, Sangoma Connect, or Clearly Anywhere.
Initial Configuration
To begin, navigate to Admin -> System Admin, and then select Port Management from the right-hand menu.
As you can see in the illustration below, the Let’s Encrypt option is disabled. If you attempt to enable it by switching communication to port 80, you will encounter an error because port 80 is already in use by the Admin service. To resolve this, change the Admin service port to a different one, for example, 8080, and then try enabling Let’s Encrypt again. Click Update Now to apply the changes.

Connectivity -> Firewall -> Services
Go to Connectivity -> Firewall, and from the right-hand dropdown menu, select Services. In this window, you will notice that the Let’s Encrypt service is managed by “Responsive LetsEncrypt Rules”. While you could theoretically disable this and manage the service manually, the recommended approach is to allow “Responsive LetsEncrypt Rules” to continue managing it.

Admin -> Certificate Management
Navigate to Admin -> Certificate Management to manage your certificates. The illustration shows that a self-signed certificate is currently installed. To install a new Let’s Encrypt certificate, click New Certificate, and then select Generate Let’s Encrypt Certificate.

In the new window that opens, fill in the following fields:
- Certificate Host Name: If you have purchased your own domain, enter it here.
- Owner’s Email: Enter your email address.
- Country: Your country.
- State/Province/Region: Your county or region.
- Alternative Names: Alternative Fully Qualified Domain Names (FQDNs) that must be correctly configured on your DNS servers. If you are unsure what to enter here, leave this field blank.
- Challenge Over: The port on which Let’s Encrypt will automatically renew the certificate.
- Remove DST Root CA X3: This removes the X3 certificate from the chain, which can cause issues on older browsers.
Finally, click Generate Certificate to create the certificate.

Once you receive confirmation that the certificate has been created, you must set it as the default for your exchange. To do this, click the green tick in the Default column.

To complete the installation, go to Admin -> System Admin, select HTTPS Setup from the right-hand menu, and go to the Settings tab. In the Certificate Settings window, select your newly created certificate and click Install. After installing the SSL certificate, you must restart the Apache server by clicking Save and Restart Apache.

After refreshing the page, you should see a notification in the address bar indicating that your certificate is valid and the connection to your site is encrypted.
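The same check can be made outside the browser. The script below is an added example, not part of the original tutorial or of FreePBX: it performs a fully verified TLS handshake and then flags a self-signed certificate, a hostname missing from the certificate's names, or an expiry date close enough to suggest automatic renewal is failing. The hostname pbx.example.com, the 30-day threshold and both sample certificates are constructed for illustration.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone

# Constructed samples in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_LE = {
    "subject": ((("commonName", "pbx.example.com"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),)),
    "notAfter": "Jun  1 12:00:00 2025 GMT",
    "subjectAltName": (("DNS", "pbx.example.com"),),
}
SAMPLE_SELF_SIGNED = {
    "subject": ((("commonName", "freepbx.local"),),),
    "issuer": ((("commonName", "freepbx.local"),),),
    "notAfter": "Jan  1 00:00:00 2035 GMT",
    "subjectAltName": (("DNS", "freepbx.local"),),
}

def fetch_cert(host, port=443, timeout=5.0):
    """Verified handshake: raises ssl.SSLCertVerificationError if the server
    presents a self-signed, expired or wrong-host certificate."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def issuer_org(cert):
    # issuer is a tuple of RDNs, each a tuple of (key, value) pairs
    return next((v for rdn in cert["issuer"] for k, v in rdn
                 if k == "organizationName"), None)

def assess_cert(cert, hostname, now=None, min_days=30):
    """Return a list of problems found in a getpeercert() dict (empty = OK)."""
    now = now or datetime.now(timezone.utc)
    problems = []
    if cert.get("subject") == cert.get("issuer"):
        problems.append("self-signed: subject equals issuer")
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if hostname.lower() not in sans:  # exact match only, wildcards not handled
        problems.append(f"{hostname} not covered by SAN {sans}")
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = (datetime.fromtimestamp(not_after, timezone.utc) - now).days
    if days_left < min_days:
        problems.append(f"expires in {days_left} days; renewal may be failing")
    return problems

if __name__ == "__main__":
    host = sys.argv[1]  # the Certificate Host Name you entered
    cert = fetch_cert(host)
    print("issuer:", issuer_org(cert), "| problems:", assess_cert(cert, host) or "none")
```

Run it with your Certificate Host Name as the only argument; a handshake that raises ssl.SSLCertVerificationError means the server is still presenting the self-signed certificate or one that does not match the name.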

Summary
Prioritising the security of your servers is paramount. With Let’s Encrypt, you can protect your FreePBX Asterisk telephone exchange with SSL/TLS encryption, free of charge.