====== SSL/HTTPS with FOP2 (ACME Certificate) ======

!!Note: AstLinux 1.3.0 or later is required!!

If you access FOP2 over an HTTPS connection, FOP2 can be configured to use SSL internally, so that its websocket connections become secure websockets (''wss:''). Most modern browsers expect a valid certificate for secure websocket connections.

While it is possible to create a self-signed certificate and deploy it to all your FOP2 client devices (see the next section), a far more convenient approach is to generate globally valid **[[userdoc:tt_acme_certificates|ACME (Let's Encrypt) Certificates]]**, which the FOP2 client devices can validate by following the global certificate chain.

At minimum, the "HTTPS Server" ACME Deploy Service must be checked, and an ACME certificate issued and deployed using **[[userdoc:tt_acme_certificates|ACME (Let's Encrypt) Certificates]]**. The ''/mnt/kd/ssl/https_stunnel_server.pem'' PEM file should now exist.

Edit the ''/etc/fop2/fop2.cfg'' file and uncomment (enable) and edit the following lines:
<code>
ssl_certificate_file=/mnt/kd/ssl/https_stunnel_server.pem
ssl_certificate_key_file=/mnt/kd/ssl/https_stunnel_server.pem
</code>

Then you must "Restart Asterisk FOP2" (not just Reload) in order for SSL to be enabled.

By using an ACME Certificate, in theory, any modern HTTPS web browser or device should be able to use FOP2 securely.

====== SSL/HTTPS with FOP2 (Self-Signed Certificate) ======

!!Note: AstLinux 1.1.3 or later is required!!

In the web interface, enter your personal certificate settings in "Prefs Tab -> Distinguished Name", then check "Create New HTTPS Certificate" in the "Network Tab -> HTTPS Certificate File", "Save Settings", and Reboot.

!!Tip ->!! Skip the above if you have done this previously.

Edit the ''/etc/fop2/fop2.cfg'' file and uncomment (enable) the following lines:
<code>
ssl_certificate_file=/mnt/kd/ssl/webinterface.pem
ssl_certificate_key_file=/mnt/kd/ssl/webinterface.pem
</code>

Then you must "Restart Asterisk FOP2" (not just Reload) in order for SSL to be enabled.

!!Tip ->!!
For any browser: You need to accept a URL exception for the certificate because it is self-signed (for the hostname or the IP).

!!Tip ->!! For Firefox 22+: You need to add a separate URL exception for "https://hostname:4445/fop2/" and then again\\ connect to "https://hostname/fop2/" (do the same for the IP if no hostname).

!!Tip ->!! For Firefox 74 you might need to [[https://hacks.mozilla.org/2020/02/its-the-boot-for-tls-1-0-and-tls-1-1/|re-enable TLS 1.0 +1.1]] as a workaround. Since version **2.31.28** (mid 2020) FOP2 does finally support **TLS 1.2** (within AstLinux 1.3.10 or later)!

===== Mac OS X =====

  * Safari 5-13 (10.5-10.13) works fine with HTTPS
  * Firefox 22+ (10.6-10.13) works fine with the above workaround(s)
  * Firefox 3.6 (10.5) works fine with HTTPS
  * Chrome works fine with HTTPS

===== Windows =====

  * Firefox 22+ (XP SP3, Win7 x86, Win10) works fine with the above workaround(s)
  * Chrome works fine with HTTPS
  * IE8 (XP SP3) + IE10 (Win7 x86) work fine with HTTPS
    * it needs Flash to be installed
    * you need to install the certificate (it's normally signed on the hostname)
    * for the IP address I needed to add the https URL as an exception to the Security/Intranet options

===== iOS =====

Using the AstLinux CLI, email the web interface CA to your iOS device:
<code>
openssl x509 -in /mnt/kd/ssl/webinterface.pem > webinterface.crt

echo "To: me@mydomain.com
From: me@mydomain.com
Subject: AstLinux Web Interface CA" \
  | mime-pack "AstLinux Web Interface CA" webinterface.crt "application/x-x509-ca-cert" \
  | sendmail -t
</code>

Next, check your email on your iOS device {{:userdoc:fop2-web-interface-ca.png?nolink|iOS email}} and tap the certificate icon. Follow the prompts and install the certificate into your profile.

!!Note ->!! Be certain you don't email the ''/mnt/kd/ssl/webinterface.pem'' file, as that file contains a private key that must be kept secure.
\\
Alternatively (!!AstLinux 1.2.8 or later is required!!), the ''webinterface.crt'' file from above can be emailed as an attachment using the ''mail'' command:
<code>
mail -r me@mydomain.com -s "AstLinux Web Interface CA" -a webinterface.crt me@mydomain.com
</code>
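The two manual steps on this page that are easy to get wrong are editing the ''ssl_*'' keys in ''fop2.cfg'' (both sections above) and handing out a certificate file without its private key (the iOS section). The following POSIX shell script is an added example, not AstLinux or FOP2 project code: ''fop2_enable_ssl'' checks that the PEM file really holds both a certificate and a private key (FOP2 is pointed at the same file for both keys) and then uncomments or sets the two lines idempotently, and ''pem_to_public_crt'' copies only the CERTIFICATE block(s) out of the PEM and refuses to produce a file that still contains key material. It differs from the ''openssl x509'' one-liner above in that it keeps every certificate block (so a chain survives) and needs no OpenSSL. The key names and paths are the ones on this page; the sample PEM and config contents are constructed placeholders, and the temporary directory is an assumption of the demo.

```shell
#!/bin/sh
# Added example (not AstLinux/FOP2 code). Key names and paths follow the page;
# sample file contents below are constructed placeholders, not real keys.

# 0 if the PEM holds at least one certificate and one private key, which is
# what fop2.cfg expects when both ssl_* keys point at the same file.
pem_has_cert_and_key() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" || return 1
    grep -qE -- '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$1" || return 1
    return 0
}

# Enable SSL in a fop2.cfg ($1) using PEM file $2: uncomment the two ssl_*
# keys if commented, overwrite their value, or append them if absent.
fop2_enable_ssl() {
    cfg=$1; pem=$2
    pem_has_cert_and_key "$pem" || { echo "refusing: $pem lacks cert or key" >&2; return 1; }
    for key in ssl_certificate_file ssl_certificate_key_file; do
        if grep -qE "^[#[:space:]]*${key}=" "$cfg"; then
            # '|' as sed delimiter because the value is a path with '/'
            sed "s|^[#[:space:]]*${key}=.*|${key}=${pem}|" "$cfg" > "$cfg.tmp" \
                && mv "$cfg.tmp" "$cfg"
        else
            printf '%s=%s\n' "$key" "$pem" >> "$cfg"
        fi
    done
}

# Write only the CERTIFICATE block(s) of $1 to $2 and verify that nothing
# resembling a private key made it into the file that is about to be sent.
pem_to_public_crt() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1" > "$2"
    if grep -q 'PRIVATE KEY' "$2"; then
        rm -f "$2"; echo "refusing: private key material in $2" >&2; return 1
    fi
    grep -q -- '-----BEGIN CERTIFICATE-----' "$2"
}

# --- constructed demo data (assumption: a scratch directory from mktemp) ---
TMP=$(mktemp -d)
cat > "$TMP/webinterface.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgU0FNUExFIENFUlRJRklDQVRFIEJPRFk=
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Q09OU1RSVUNURUQgU0FNUExFIFBSSVZBVEUgS0VZIEJPRFk=
-----END RSA PRIVATE KEY-----
EOF
cat > "$TMP/fop2.cfg" <<'EOF'
# constructed fop2.cfg excerpt with the SSL keys still commented out
#ssl_certificate_file=/mnt/kd/ssl/webinterface.pem
#ssl_certificate_key_file=/mnt/kd/ssl/webinterface.pem
EOF

fop2_enable_ssl "$TMP/fop2.cfg" "$TMP/webinterface.pem"
pem_to_public_crt "$TMP/webinterface.pem" "$TMP/webinterface.crt"
echo "--- fop2.cfg after enabling SSL ---"; cat "$TMP/fop2.cfg"
echo "--- webinterface.crt (safe to distribute) ---"; cat "$TMP/webinterface.crt"
```

On a real box you would call the two functions with ''/etc/fop2/fop2.cfg'' and ''/mnt/kd/ssl/webinterface.pem'' (or ''https_stunnel_server.pem'' for the ACME case) instead of the scratch files, then "Restart Asterisk FOP2" as described above; the ''.crt'' produced is the file to email, never the ''.pem''.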