Redirect http to https after installing Let's Encrypt Certificate?

We just setup Let’s Encrypt and it’s working fine except our users are going to http and gettting “forbidden”. Is there a way to redirect it to https automatically? Also, can we have a second Let’s Encrypt Certificate? For example, we have a DNS entry for the UCP called and the Default Let’s Encrypt is or do we have to have one?

You need to redirect with a 301 any connections to http to https.

You can have as many certs as you want that can verify any url and any service you have control over, how you implement that is a function of whatever service answers connections to those https (and indirectly your http ) connections, mostly your simple web server will handle a ‘singleton’ but some prefer an authoritative ‘reverse proxy’ at your point of ingress for more security and more granularity

Use the force options available in Port Mgmt. You can only have a single certificate installed.

Perhaps more correct to say " the ‘distro’s sysadmin and certificates modules’ only support one installed certificate"

Setting it to force doesn’t redirect it. I get:


You don’t have permission to access /.noindex.html on this server.

Since the distro only supports 1, can I have it have other entries? It’s the same domain domain name. Could I have and on the same cert?

I can’t answer that as I don’t use it but wildcard certs ARE available from letsencrypt, but I find that TLS transport doesn’t always like them and I don’t believe the FreePBX acme client is capable of handling them properly.

There is nothing wrong with using separate domains for provisioning, your mail server, management and your customer facing interface, id est UCP. They can all redirect to the same IP but just don’t let any ip connections to http leak your protected https services

IWFM :slight_smile:

adding to the alternative names fixed the other domain to now have the cert as well. Now if I can only get the redirect to work lol

There is no restriction on the number of certs on a system, but sysadmin will only allow you to configure one cert for Apache. Redirect is pretty simple, choose the https address and toggle the arrow button:

Test at bash with

# curl http://localhost
<title>302 Found</title>
<p>The document has moved <a href="https://freepbx.<redacted>.com:443/">here</a>.</p>

Okay that’s all working now execpt I need to direct to automatically direct to Is that done in the ssl.conf or the freepbx.conf file? I was able to redirect the admin page by doing the following in the freepbx.conf file

<VirtualHost *:80>
 RewriteEngine on
 RewriteCond %{HTTPS} !=on [NC]
 RewriteRule ^/admin(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

I installed another cert but it says it’s “unsecure”

You can’t do that directly in sysadmin, but you can do it by creating the file /var/www/html/index_custom.php with the following:

$basename = pathinfo($_SERVER['PHP_SELF'],PATHINFO_DIRNAME);
$uri = (!empty($basename) && $basename != '/') ? $basename . '/ucp' : '/ucp';
header('Location: '.$uri);

Whenever anyone browses to root, it will redirect to /ucp. From that point on, the admins will have to manually browse to /admin to get to the admin gui.

Okay that works, what about redirecting http to https? That seems to break that now and I get “not secure”. So close! lol

Not sure what to tell you, redirect works exactly as expected for me in sysadmin.

Doesn’t work for me. I’m getting:


You don’t have permission to access /.noindex.html on this server.

Can you provide the output of fwconsole sa ports?

| Port     | Name        | Force https |
| 82       | restapps    | Disabled    |
| 83       | restapi     | Disabled    |
| 81       | ucp         | Enabled     |
| 8888     | acp         | Enabled     |
| 84       | hpro        | Disabled    |
| 80       | leport      |             |
| disabled | sslrestapps |             |
| disabled | sslrestapi  |             |
| 4443     | sslucp      |             |
| 443      | sslacp      |             |
| disabled | sslhpro     |             |
| disabled | sslsngphone |             |

You have port 80 dedicated to LE cert renewal, browsing to it will get you nothing. What are you trying to accomplish here? I suspect you want 80 and 443 set for UCP with redirect enabled.

Doesn’t LetsEncrypt need to be port 80 so it can auto renew? UCP is on 81. I just want when you got to it should redirect to . What needs changed?

Do you mean

I just want when you got to []( it should redirect to []( 


80 should only be redirected to the letsencypt thingy if so called for other connects should get a correct 301