Page tree

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


Let's Encrypt Certificates are completely 100% free TLS certificates that are generated via an automated process designed to eliminate the current complex process of manual creation, validation, signing, installation installation, and renewal of certificates for secure websites. Your PBX implements this same automated process.


This process requires port 80 access to your PBX from world. Ideally you would use System Admin, Port Management, to configure port 80 dedicated to Let's Encrypt renewal.


uses the Let's Encrypt HTTP-01 challenge type which uses http only on port 80. To successfully create/renew an LE cert, all of the following must be satisfied:

  1. The local pbx must be able to http get the challenge token from itself using the fqdn provided. If the PBX is behind a NAT router/firewall this may fail depending on your router configuration. It is for this reason that you see references to setting the PBX hostname to the LE fqdn to allow this challenge to succeed.
  2. Sangoma mirror servers must be able to http get the challenge token by resolving the configured fqdn. It is for this reason that previous firewall recommendations stated that the Sangoma mirror servers must be whitelisted.
  3. The Let's Encrypt server(s) must be able to get the challenge token by resolving the configured FQDN. This challenge can come from anywhere, so there is no value in whitelisting for this purpose, port 80 must be open to world for the challenge to succeed.

Current versions of the PBX firewall and Certificate Management module manage the local firewall rules dynamically during cert creation/renewal.

It's not required, but if you have the Commercial (Full) Sysadmin module, you can specify that a 'LetsEncrypt Only' service listens on port 80. See the Port Management page for more information.

Let's Encrypt certificate creation and validation requires unrestricted inbound http access on port 80 to the Let's Encrypt token directories. If security is managed by the PBX Firewall module, this process

should be automatic. Alternate security methods and external firewalls will require manual configuration.

You can manually enable the custom firewall rule for allowing global access to Lets encrypt token directories by enabling LetsEncrypt Rules under Firewall Advanced settings tab through the GUI or by

running "fwconsole firewall lerules enable" from the CLI and the same can be disabled by disabling LetsEncrypt Rules from GUI or by running "fwconsole firewall lerules disable" from the CLI.

There are several required options to generate a Let's Encrypt Certificate