I went to set up a LetsEncrypt SSL cert within FreePBX in order to use the Zulu app, as it requires a valid SSL cert as you know. I set up a subdomain for the FreePBX box with my company domain… so… voip.XXXXX.com, and have that pointed to my static WAN IP. I then put the FQDN into FreePBX.
LetsEncrypt would not generate the cert even with "Responsive LetsEncrypt Rules" set to Enable in Firewall > Advanced Settings. I temporarily forwarded ports 80 and 443 in my hardware Security Gateway/Router to my FreePBX LAN static IP and it was able to generate a valid cert, no problem. I then immediately turned off port forwarding for 80 and 443…
Zulu is now running great on both my Windows 10 PC (on the same local LAN as the FreePBX server) and on my Galaxy S20 Ultra 5G. I am able to send and receive calls within Zulu and two-way audio is working. Currently the only ports I have forwarded to my FreePBX server are 10000-20000 and my Chan_PJSIP port… which I changed, I don't use the default port. I have no other ports forwarded.
My concern is that when LetsEncrypt goes to renew the cert it won't be able to, because I had to open those ports to get it to generate the cert…
Also, I can only get to my FreePBX admin page from outside my LAN with my FQDN if I forward port 443 to my FreePBX server. Loads right up. If I close port 443 and try to access my FreePBX admin page using my FQDN from the outside I get this page
My question is… is this the correct config? I only ask because I see on the FreePBX/PBXact suggested ports wiki list that 80 and 443 should not be opened up… which I agree with… But how will LetsEncrypt renew its cert? Or will I always have to manually open those ports to renew?
I also see it says not to have your Chan_PJSIP port open either… I have had that open since I initially set up FreePBX 6 months or so ago… It was getting attacked (call attempts in the call log not from me), which all stopped when I changed the Chan_PJSIP port to something different from the default.
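The worry in the post is that a renewal might fail silently once ports 80/443 are closed again. As an added example (not from the original post or from FreePBX), here is a small check a defender can run from a cron job on any host that can reach the PBX on 443: it reads the served certificate's expiry and flags it if fewer than 20 days remain. The 20-day threshold is an assumption based on Let's Encrypt issuing 90-day certs that clients normally renew at 30 days left, so anything under 20 days means a renewal has already been missed; the host name `voip.example.com` is a placeholder.

```python
import socket
import ssl
import time
from typing import Optional

# Assumed threshold: LE certs last 90 days and are normally renewed with
# 30 days left, so fewer than 20 days remaining means renewal has failed.
WARN_DAYS = 20


def fetch_not_after(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Return the 'notAfter' string of the certificate served on host:port.

    Uses a verifying TLS context, so a self-signed or expired cert raises
    ssl.SSLCertVerificationError rather than being silently accepted.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            # getpeercert() returns a dict only after successful verification.
            return tls.getpeercert()["notAfter"]


def days_until_expiry(not_after: str, now: Optional[float] = None) -> float:
    """Convert an OpenSSL-style 'Jun  1 12:00:00 2025 GMT' string to days left."""
    expiry = ssl.cert_time_to_seconds(not_after)  # stdlib parser for this format
    current = time.time() if now is None else now
    return (expiry - current) / 86400.0


def renewal_status(days_left: float, warn_days: int = WARN_DAYS) -> str:
    """Classify the remaining lifetime so a cron job can alert on it."""
    if days_left < 0:
        return "EXPIRED"
    if days_left < warn_days:
        return "WARN"
    return "OK"


if __name__ == "__main__":
    # Placeholder host name; replace with the PBX FQDN from the post.
    pbx_host = "voip.example.com"
    not_after = fetch_not_after(pbx_host)
    left = days_until_expiry(not_after)
    print(f"{pbx_host}: {left:.1f} days left, status {renewal_status(left)}")
```

Run it daily from cron and alert on any output other than OK; a WARN a couple of weeks after the expected renewal date is the signal that port 80 was not reachable when the renewal was attempted.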