SSL/HTTPS with FOP2 (ACME Certificate)

Note: AstLinux 1.3.0 or later is required

If you access FOP2 via an HTTPS connection, FOP2 itself must also be configured to use SSL, because it internally uses secure websockets (wss:) and most modern browsers require a valid certificate for secure websocket connections. While it is possible to create a self-signed certificate and deploy it to all your FOP2 client devices (see next section), a far more convenient approach is to generate globally valid ACME (Let's Encrypt) certificates, which the FOP2 client devices can validate by following the global certificate chain.

At minimum, the “HTTPS Server” ACME Deploy Service must be checked, and an ACME certificate issued and deployed as described in ACME (Let's Encrypt) Certificates. The /mnt/kd/ssl/https_stunnel_server.pem PEM file should then exist.

Edit the /etc/fop2/fop2.cfg file and uncomment (enable) and edit the following lines:

ssl_certificate_file=/mnt/kd/ssl/https_stunnel_server.pem
ssl_certificate_key_file=/mnt/kd/ssl/https_stunnel_server.pem

Then you must “Restart Asterisk FOP2” (not just Reload) in order for SSL to be enabled.

By using an ACME Certificate, in theory, any modern HTTPS web browser or device should be able to securely use FOP2.
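The following pre-flight script is an added example, not part of the AstLinux wiki or the FOP2 project. It checks, on the AstLinux CLI, that the deployed PEM bundle carries both a certificate and a private key, that both ssl_* lines in fop2.cfg are uncommented and point at it, and that the certificate is not about to expire, before you do “Restart Asterisk FOP2”. It assumes FOP2 listens on TCP port 4445 (the port used in the Firefox tip below); PEM_FILE, FOP2_CFG and FOP2_HOST are hypothetical, overridable variables.

```shell
#!/bin/sh
# Added example (not AstLinux or FOP2 project code): pre-flight checks before
# "Restart Asterisk FOP2". PEM_FILE, FOP2_CFG and FOP2_HOST are assumptions
# that you can override from the environment.
PEM_FILE="${PEM_FILE:-/mnt/kd/ssl/https_stunnel_server.pem}"
FOP2_CFG="${FOP2_CFG:-/etc/fop2/fop2.cfg}"
FOP2_HOST="${FOP2_HOST:-$(uname -n)}"

# 0 when the PEM bundle carries both a certificate and a private key; fop2.cfg
# points both ssl_* settings at this one file, so both blocks must be present.
pem_has_cert_and_key() {
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
  grep -q -E -- '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$1"
}

# 0 when both ssl_* settings in config $1 are uncommented and point at PEM $2
# (leading blanks tolerated; a leading "#" means the line is still disabled).
fop2_ssl_configured() {
  grep -q -E "^[[:space:]]*ssl_certificate_file=$2[[:space:]]*\$" "$1" &&
  grep -q -E "^[[:space:]]*ssl_certificate_key_file=$2[[:space:]]*\$" "$1"
}

# 0 when the certificate in $1 stays valid for at least $2 more days
# (uses openssl, which AstLinux ships).
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

run_checks() {
  pem_has_cert_and_key "$PEM_FILE" ||
    { echo "FAIL: $PEM_FILE lacks a certificate or private key block"; return 1; }
  fop2_ssl_configured "$FOP2_CFG" "$PEM_FILE" ||
    { echo "FAIL: ssl_certificate_(key_)file not enabled in $FOP2_CFG"; return 1; }
  cert_valid_for_days "$PEM_FILE" 14 ||
    { echo "FAIL: certificate in $PEM_FILE expires within 14 days"; return 1; }
  # After the restart: does the wss: port present a chain a browser can verify?
  openssl s_client -connect "$FOP2_HOST:4445" -servername "$FOP2_HOST" \
      </dev/null 2>/dev/null | grep -q 'Verify return code: 0' &&
    echo "OK: port 4445 serves a verifiable chain" ||
    echo "WARN: port 4445 not answering or chain not verifiable (normal before restart)"
  echo "OK: $PEM_FILE and $FOP2_CFG look ready for Restart Asterisk FOP2"
}

# Only run the checks when invoked as: sh fop2-ssl-check.sh --run
if [ "${1:-}" = "--run" ]; then run_checks; fi
```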

SSL/HTTPS with FOP2 (Self-Signed Certificate)

Note: AstLinux 1.1.3 or later is required

In the web interface, enter your personal certificate settings in “Prefs Tab → Distinguished Name”, then check “Create New HTTPS Certificate” in the “Network Tab → HTTPS Certificate File”, “Save Settings”, and Reboot.

Tip → Skip the above if you have done this previously.

Edit the /etc/fop2/fop2.cfg file and uncomment (enable) the following lines:

ssl_certificate_file=/mnt/kd/ssl/webinterface.pem
ssl_certificate_key_file=/mnt/kd/ssl/webinterface.pem

Then you must “Restart Asterisk FOP2” (not just Reload) in order for SSL to be enabled.

Tip → For any browser: you need to accept a URL exception for the certificate because it's self-signed (for the hostname or the IP).

Tip → For Firefox (v22+): you need to add a separate URL exception for “https://hostname:4445/fop2/” and then again connect to “https://hostname/fop2/” (do the same for the IP if no hostname).

Mac OS X

  • Safari 5, 6 and 9 (10.5-10.12) work fine with HTTPS
  • Firefox 22+ (10.6-10.12) works fine with the above workaround
  • Firefox 3.6 (10.5) works fine with HTTPS
  • Chrome works fine with HTTPS

Windows

  • Firefox 22+ (XP SP3, Win7 x86, Win10) works fine with the above workaround
  • Chrome works fine with HTTPS
  • IE8 (XP SP3) and IE10 (Win7 x86) work fine with HTTPS
    • it needs Flash to be installed
    • you need to install the certificate (it's normally signed on the hostname)
    • for the IP address I needed to add the https URL as an exception to the Security/Intranet options

iOS

Using the AstLinux CLI, Email the web interface CA to your iOS device:

openssl x509 -in /mnt/kd/ssl/webinterface.pem > webinterface.crt
echo "To: me@mydomain.com
From: me@mydomain.com
Subject: AstLinux Web Interface CA" \
| mime-pack "AstLinux Web Interface CA" webinterface.crt "application/x-x509-ca-cert" \
| sendmail -t

Next, check your email on your iOS device and tap the certificate icon. Follow the prompts and install the certificate into your profile.

(Screenshot: iOS email)

Note → Be certain you don't email the /mnt/kd/ssl/webinterface.pem file, as that file contains a private key that must be kept secure. The webinterface.crt produced by the openssl x509 command above contains only the certificate.

Alternatively (AstLinux 1.2.8 or later is required), the webinterface.crt file from above can be emailed as an attachment using the mail command:

mail -r me@mydomain.com -s "AstLinux Web Interface CA" -a webinterface.crt me@mydomain.com </dev/null

or using an interactive terminal session …

mail -r me@mydomain.com -a webinterface.crt me@mydomain.com
Subject: AstLinux Web Interface CA
Here is the certificate you created
for iOS.

Finish by pressing Return, then Ctrl+D.