UCP phone not working in chrome (must use WSS)

Hello, chrome doesn’t allow insecure websockets anymore, it asks for wss:// now:

Mixed Content: The page at ‘https://x.x.x.x/ucp/?display=dashboard’ was loaded over HTTPS, but attempted to connect to the insecure WebSocket endpoint ‘ws://x.x.x.x:8088/ws’. This request has been blocked; this endpoint must be available over WSS.

According to this topic in March 2015, WSS was not supported in UCP. Any news on that? Or is it already supported and i’m making some config mistake? DTLS-SRTP is already configured. My FreePBX version is 12.0.76.2

Thanks in advance for any enlightenment on this.

It is not supported at this time.

1 Like

That does pretty much mean that it is useless, right?
Chrome does not allow it to work in http, but FreePBX won’t work in https, so that’s something of a problem for being able to use it.

Safari does not do WebRTC, as best as I can tell, I won’t entertain the idea of seeing if IE supports it, I guess firefox is an option?

Yup, exactly. I’m searching for a ws <-> wss proxy.

It is just not supported in freepbx 12?
http://issues.freepbx.org/browse/FREEPBX-8859
this issue seems to indicate that it is supported in freepbx 13, however, when I tested it out in freepbx 13 today, I got the following error.
Mixed Content: The page at 'https://pbx.example.com/ucp/?display=dashboard' was loaded over HTTPS, but attempted to connect to the insecure WebSocket endpoint 'ws://pbx.example.com:8088/ws'. This request has been blocked; this endpoint must be available over WSS.

It’s not supported in FreePBX 12.

In FreePBX 13 you MUST have a certificate and connected over HTTPS.

The certificates do not seem properly setup.

Would a rewrite rule in the webserver help? If the on;y problem is the ws:// versus the wss://, then I would think that you could do this in the webserver for your specific application and make your life simpler.

Of course, I could be completely off-track, but we’ve been doing the same thing with http:// and https:// for years.

No you can not do that. ws and wss are not served through Apache. Furthermore you can’t try to trick Chrome into loading WebRTC over a non-secure connection.

Thanks. I am using freepbx 13, I followed the instructions from here http://wiki.freepbx.org/display/FPG/WebRTC+Phone-UCP
I have the certificate installed. It is configured for UCP and is also configured in the users ucp -> webRTC settings
I am loading the UCP page over https
Is there some other step that I am missing to ensure that the web socket connection is made over wss?

If I allow mixed content the webRTC phone works flawlessly, but I would prefer not to train users to override security warnings.

That article is very old and not correct.

Asterisk does not have a certificate set in advanced settings.

Thanks. I configured the asterisk advanced settings as follows
Enable TLS for the mini-HTTP Server = Yes
HTTPS TLS Certificate Location = /etc/httpd/pki/tls.crt
HTTPS TLS Private Key Location = /etc/httpd/pki/tls.key
logged in and the webRTC phone did not seem to register
taking a look at the web console I get the following error
WebSocket connection to 'wss://pbx.example.com:8089/ws' failed: Error in connection establishment: net::ERR_CONNECTION_REFUSED

logging in to the freepbx server I ran

netstat -an | grep 808
which yields the following
tcp 0 0 :::8088 :::* LISTEN

notice 8089 is not present, which leads me to believe that the asterisk http miniserver with TLS is not running.

is there a log I can look at to see why that particular service is not starting?

I’m fairly certain the Asterisk user is unable to read those files. You should really be using certificate manager for all of this instead of doing it manually.

Perhaps I misunderstood your previous post. I don’t see any method through the UI for selecting the certificate that was uploaded through certificate manager. I am able to select the certificate via a drop down in other places, just not here.

Click on the tick in Certificate Manager that sets it as default - that propagates it everywhere

1 Like

Thanks. That resolved the issue.
In case there are others like me that did not realize that the white-space under default is what you need to click to enable this setting, here is a screenshot of what it looks like after you have clicked on the hidden input.

2 Likes

hello i ve the same problem ‘‘Phone Status: Only supported over HTTPS’’ i ve try to solve it with the Certificate. but it sames imposible. can somebody helps me?

It’s been a while i used an old asterisk version. If i were you, i would update my asterisk and FreePBX. Because the ucp phone for sure was changed meanwhile.