Version 15.0.3 now includes automatic certificate management using the ACME protocol with Let's Encrypt as the certificate authority. This means you no longer need to buy or manually manage the web certificate: the MX generates a certificate request, Let's Encrypt validates that the domain names you want to protect are under your control (through one of several validation methods), and the signed certificate is installed on the web service.
Some background information
HTTPS is HTTP carried over TLS (the S is for Secure), normally on port 443 rather than HTTP's port 80. The web server holds an SSL certificate containing its public key and keeps the matching private key to itself. The client uses the certificate to confirm that the site is who it expects it to be, and the TLS handshake uses that key pair to agree on session keys that encrypt the traffic in both directions; without the private key nobody else can complete that handshake as the server.
Certificates are issued by Certificate Authorities (CAs), and clients keep a list of "Trusted Certificate Authorities". Before issuing, a CA verifies that whoever requests a certificate for a name actually controls that name (a certificate for google.com is only issued to the owner of the google.com domain), which is what lets the certificate prove the site's identity in addition to securing the traffic. Browsers and modern clients in general ship with a list of trusted root CAs and will trust any certificate that chains back to one of those roots through a valid chain of signatures.
Back to here and now
ACME/Let's Encrypt is a unique service: a publicly trusted CA (its root is in the browser trust stores) that issues SSL certificates to anyone for free, valid for 90 days instead of the usual 1/2/3 years, with validation and renewal fully automated so the short lifetime is not a burden. The easiest way to validate is the HTTP-01 challenge, run by a utility on the web server: the utility asks Let's Encrypt for a challenge and receives a random token, then places a file derived from that token under the well-known path /.well-known/acme-challenge/ on the public web site. The utility then tells the Let's Encrypt API to validate, and Let's Encrypt's servers fetch that file from the domain over plain HTTP and check that its contents match the token they issued. If they match, the utility submits a certificate request and is given a signed certificate for the domain name(s) that passed validation, which it installs on the web server bindings. Let's Encrypt supports other validation methods, but for our purposes with using LE in Zultys we don't need them.
Port 80 on MX Systems
Let's Encrypt on the Zultys system validates the domain name with the HTTP-01 challenge, so Let's Encrypt's servers must be able to reach the MX on port 80/HTTP from the internet to retrieve the well-known challenge file. This is why Zultys requires port 80 forwarded to the MX for the Let's Encrypt feature to function. Because Let's Encrypt does not publish the addresses it validates from, the port 80 forward cannot be restricted to a source IP allow-list. Port 443 is not required for validation, but it carries all of the HTTPS traffic the certificate is meant to protect, so it is assumed you'd want it forwarded as well.
Zultys documentation states that another port (8303) must also be forwarded, but the systems don't appear to listen on it. @clucyshyn dug into this further and found the following.
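To make the validation flow described above concrete (the token, the well-known file, and the CA fetching it on port 80), here is an added walk-through of the ACME HTTP-01 challenge in Python. It is example code written for this page, not Zultys' or Let's Encrypt's own implementation. The account key is a constructed placeholder, the web root is a dict standing in for the MX's web server, and the hostname pbx.example.com is assumed; the token/thumbprint format follows RFC 8555 section 8.1 and RFC 7638.

```python
# Added example (not Zultys or Let's Encrypt code): an offline walk-through of the
# ACME HTTP-01 challenge. Both sides are shown: the client that publishes the
# challenge file and the CA that fetches it over plain HTTP on port 80.
import base64
import hashlib
import json
import secrets
from typing import Callable, Dict

CHALLENGE_PATH = "/.well-known/acme-challenge/"
HOST = "pbx.example.com"  # assumed hostname for the MX's public web interface


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME and JOSE require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638 thumbprint: SHA-256 over only the required members of the JWK,
    serialised with keys sorted and no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, jwk: Dict[str, str]) -> str:
    """RFC 8555 s8.1: the challenge file body is token '.' thumbprint(account key),
    which ties the random token to the ACME account that requested it."""
    return f"{token}.{jwk_thumbprint(jwk)}"


# Constructed placeholder account key, NOT a real RSA key.
ACCOUNT_JWK: Dict[str, str] = {
    "kty": "RSA",
    "e": "AQAB",
    "n": b64url(b"not-a-real-modulus-" * 12),
}


# --- client side: what the utility on the web server does ---
def publish_challenge(webroot: Dict[str, str], token: str, jwk: Dict[str, str]) -> str:
    """Place the key authorization where the CA will look; returns the URL path."""
    path = CHALLENGE_PATH + token
    webroot[path] = key_authorization(token, jwk)
    return path


# --- CA side: what Let's Encrypt's validation servers do ---
def ca_validate(domain: str, token: str, jwk: Dict[str, str],
                fetch: Callable[[str], str]) -> bool:
    """Fetch the file over HTTP on port 80 and compare it with the expected body.
    Any fetch failure (port 80 not forwarded, wrong DNS, 404) fails validation."""
    url = f"http://{domain}:80{CHALLENGE_PATH}{token}"
    try:
        body = fetch(url)
    except Exception:
        return False
    # RFC 8555 tolerates trailing whitespace; nothing else may differ.
    return body.rstrip() == key_authorization(token, jwk)


def demo() -> Dict[str, bool]:
    """Run the exchange against a fake web server and report each outcome."""
    webroot: Dict[str, str] = {}
    token = b64url(secrets.token_bytes(32))  # the CA-issued random token

    def fetch(url: str) -> str:
        # Stand-in for the CA's HTTP client: only HOST has port 80 forwarded.
        prefix = f"http://{HOST}:80"
        if not url.startswith(prefix):
            raise ConnectionRefusedError("nothing listening on port 80")
        return webroot[url[len(prefix):]]  # KeyError == HTTP 404

    results = {}
    results["before_publish"] = ca_validate(HOST, token, ACCOUNT_JWK, fetch)
    publish_challenge(webroot, token, ACCOUNT_JWK)
    results["after_publish"] = ca_validate(HOST, token, ACCOUNT_JWK, fetch)
    # A different ACME account cannot claim the same token: thumbprint differs.
    other = dict(ACCOUNT_JWK, n=b64url(b"someone-elses-key-" * 12))
    results["other_account"] = ca_validate(HOST, token, other, fetch)
    # A name that does not resolve to the MX (or has no port 80 forward) fails.
    results["wrong_host"] = ca_validate("other.example.com", token, ACCOUNT_JWK, fetch)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'valid' if ok else 'invalid'}")
```

The `wrong_host` case is the one that bites in practice: every name you put on the certificate must resolve to the MX and have port 80 reachable from outside, or that name's authorization fails. A quick pre-flight check from a network outside your firewall is to request `http://<your-domain>/.well-known/acme-challenge/anything` and confirm you get an HTTP response (even a 404) from the MX rather than a connection timeout.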
%(#e81010)[In regards to the Let's Encrypt certs, I'm pretty sure the 8303 is not supposed to be a port. I checked the docs at Let's Encrypt on the weekend and I saw 8303, but I think that was an example of a nonce or something, and I bet someone from Zultys thought it was a port and added it. There's no way that Let's Encrypt uses that as a port for verification 'cause it's never forwarded. They use port 80 mainly for the cert verification, or they can use TLS (HTTPS), just depending on which way the client requests. Quite certain Zultys and most PBX vendors use port 80 at the moment.] (Quoted from Slack)
Configuring LetsEncrypt
- Step 1: log in to MXAdmin after you have confirmed the required ports (80, 443) are forwarded to the MX
- Go to Maintenance > Security Certificate Management
- In the first tab, called Certificate, select Automatic Certificate Management
- Fill out the fields for a valid email address (Let's Encrypt sends notices there if a renewal fails) and the domain names you want on the certificate. Note that ALL the domains listed MUST resolve to the phone system's public web interface so that LE can validate each one; if any single name fails validation, the whole certificate request fails
- Select Apply to enable.