Setup free SSL certificate for MiaRec using Let's Encrypt (Ubuntu 14.04)

This tutorial describes how to set up a free TLS/SSL certificate from Let's Encrypt on a MiaRec server running Ubuntu 14.04 with Apache as the web server.

SSL certificates are used within web servers to encrypt the traffic between the server and client, providing extra security for users accessing your application. Let’s Encrypt provides an easy way to obtain and install trusted certificates for free.

What is Let's Encrypt? Let’s Encrypt is a free, automated, and open certificate authority managed by the non-profit Internet Security Research Group (ISRG). Major sponsors are the Electronic Frontier Foundation (EFF), the Mozilla Foundation, OVH, Akamai, Google and Cisco Systems. See this page for more on ISRG sponsors.

Step 1 - Install Certbot on Ubuntu 14.04

What is Certbot? Certbot is an easy-to-use automatic client that fetches and deploys SSL/TLS certificates for a web server. Certbot was developed by EFF and others as a client for Let’s Encrypt. This client runs on Unix-based operating systems.

To install Certbot, you must first enable the PPA repository maintained by the Certbot team:

sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot

Afterwards, update the package list to pick up the new repository's package information:

sudo apt-get update

And finally, install Certbot from the new repository with apt-get:

sudo apt-get install python-certbot-apache

Step 2 - Configure Apache to serve .well-known/acme-challenge directory

The Apache web server must be configured to serve the files inside the /.well-known/acme-challenge directory. In this tutorial, we use the directory /var/www/html/.well-known as the location for Certbot's temporary files.

What is the purpose of the .well-known directory?

To obtain an SSL certificate, the Certbot client creates a temporary file in the ${webroot-path}/.well-known/acme-challenge directory. The Let’s Encrypt validation server then makes HTTP requests to validate that the DNS name of each requested domain resolves to the server running Certbot. An example request made to your web server looks like this:

66.133.109.36 - - [05/Jan/2016:20:11:24 -0500] "GET /.well-known/acme-challenge/HGr8U1IeTW4kY_Z6UIyaakzOkyQgPr_7ArlLgtZE8SX HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

Create file /etc/apache2/sites-available/letsencrypt-well-known.conf:

vim /etc/apache2/sites-available/letsencrypt-well-known.conf

Copy-paste the following content to that file:

For Apache 2.4:

<IfModule mod_proxy.c>
  ProxyPass /.well-known !
</IfModule>

Alias /.well-known/ "/var/www/html/.well-known/"

<Directory "/var/www/html/.well-known">
  Options None
  AllowOverride None
  Require all granted
</Directory>

<Location /.well-known/acme-challenge>
  Options None
  Require all granted
</Location>

Enable this configuration file:

sudo a2ensite letsencrypt-well-known.conf

Reload Apache:

sudo service apache2 reload

Step 3 - Obtain SSL certificates from Let's Encrypt server

Run the following command to obtain the certificate:

sudo certbot certonly --webroot -w /var/www/html/ -d miarec.example.com

Important! Replace miarec.example.com with your MiaRec server DNS name.

If everything goes well, then you should see the following message:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/miarec.example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/miarec.example.com/privkey.pem
   Your cert will expire on 2017-12-26. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"

Note the location of the generated certificate files. In our example, it is /etc/letsencrypt/live/miarec.example.com/.
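If the certbot run fails instead, the Apache access log shows whether the validation requests reached the webroot. The script below is an added example, not part of the MiaRec guide; it assumes the combined log format (on Ubuntu the default log is /var/log/apache2/access.log), and the sample log lines it writes are constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the MiaRec guide): summarise Let's Encrypt HTTP-01
# validation requests in an Apache access log written in combined format.

# acme_challenge_report LOGFILE
# Prints "<status> <client-ip> <path>" for each request under
# /.well-known/acme-challenge/, then a verdict line.
# Exit status: 0 = validation served, 1 = a request was rejected (403, 404, ...),
#              2 = no validation request got a 200 (none seen, or only redirects).
acme_challenge_report() {
    awk '
        # Combined log format: $1 = client IP, $7 = request path, $9 = status.
        index($7, "/.well-known/acme-challenge/") == 1 {
            print $9, $1, $7
            if ($9 == "200")            ok++
            else if ($9 ~ /^30[1278]$/) redirected++   # e.g. the HTTP to HTTPS redirect
            else                        failed++
        }
        END {
            if (failed > 0) { printf "FAIL: %d validation request(s) rejected\n", failed; exit 1 }
            if (ok == 0)    { print "FAIL: no validation request returned 200"; exit 2 }
            printf "OK: %d served, %d redirected\n", ok, redirected
        }
    ' "$1"
}

# write_sample_log FILE STATUS
# Writes a constructed two-line log: one ordinary request and one validation
# request answered with STATUS (the token is a placeholder).
write_sample_log() {
    cat > "$1" <<EOF
192.0.2.10 - - [05/Jan/2016:20:10:02 -0500] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
66.133.109.36 - - [05/Jan/2016:20:11:24 -0500] "GET /.well-known/acme-challenge/SAMPLE-TOKEN HTTP/1.1" $2 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
EOF
}

# Demo: a 404 is what a missing Alias or a wrong webroot path produces.
demo_log=$(mktemp)
write_sample_log "$demo_log" 404
acme_challenge_report "$demo_log" || echo "exit status: $?"
rm -f "$demo_log"
```

On the server, call acme_challenge_report with the path of the real access log after a certbot attempt; a 403 or 404 on the challenge path points back at the configuration from Step 2.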

Step 4 - Install mod_ssl module for Apache

The mod_ssl module is available in the apache2-common package. Execute the following command at a terminal prompt to enable the mod_ssl module:

sudo a2enmod ssl

Enable HTTPS for Apache:

sudo a2ensite default-ssl

Step 5 - Configure Apache to use new SSL certificates

Edit file /etc/apache2/sites-available/default-ssl.conf

vim /etc/apache2/sites-available/default-ssl.conf

Modify the parameters SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile. They should point to the public, private and CA certificate files respectively.

Example of configuration (replace miarec.example.com with your domain):

#   Server Public Key:
SSLCertificateFile /etc/letsencrypt/live/miarec.example.com/cert.pem

#   Server Private Key:
SSLCertificateKeyFile /etc/letsencrypt/live/miarec.example.com/privkey.pem

#   Server Certificate Chain:
SSLCertificateChainFile /etc/letsencrypt/live/miarec.example.com/chain.pem

Enable this configuration file and reload Apache:

sudo a2ensite default-ssl.conf
sudo service apache2 reload

Step 6 - Open port 443 on firewall

If you are using iptables on this machine, then execute the following commands:

iptables -I INPUT 5 -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT

Save all rules into iptables configuration file:

service iptables save

Restart iptables service:

service iptables restart

If you are using ufw firewall, then execute the following commands:

sudo ufw allow https

Step 7 - Force HTTPS for all traffic except internal call event notification (recommended)

Create file /etc/apache2/sites-available/miarec-ssl.conf:

vim /etc/apache2/sites-available/miarec-ssl.conf

Copy/paste the following content into this file:

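<VirtualHost *:80>
    RewriteEngine on
    # Leave internal notifications (Host 127.0.0.1, path /notify) on plain HTTP
    RewriteCond %{HTTP_HOST}%{REQUEST_URI} !^127\.0\.0\.1/notify
    # Redirect everything else to HTTPS
    RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R=301,L]
</VirtualHost>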

Enable this configuration file and reload Apache:

sudo a2ensite miarec-ssl.conf
sudo service apache2 reload

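What is "127.0.0.1/notify" in the rewrite rule? MiaRec internally uses the HTTP protocol to send call event notifications from the recorder engine to the web portal. The above rewrite rule forces HTTPS for all web traffic except this internal communication between the recorder and the web portal. Note that %{HTTP_HOST} is the value of the Host header sent with the request, so the exception is matched on the requested host name and path, not on the address the connection comes from.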

Step 8 - Configure cron to automatically renew the certificate

Let’s Encrypt CA issues short-lived certificates (90 days). This tutorial shows how to automatically renew the certificates using cron.

Edit file /etc/crontab:

vi /etc/crontab

Insert the following line at the end of the file:

27 5,21 * * * root certbot renew --quiet --no-self-upgrade --post-hook "apachectl graceful"

The example above will run the renew sub-command at 05:27 and 21:27 daily. You can change the time to other values. If the certificates are updated, then Apache is gracefully restarted.

Reload cron service:

service cron reload

Verify that the cron service is running:

service cron status

It should return something like:

cron start/running, process 1105
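To confirm that the cron job is actually keeping the certificate fresh, the remaining validity of the certificate can be checked from time to time. The script below is an added example, not part of the MiaRec guide; it assumes the openssl command-line tool is installed, the 20-day threshold is an assumed value, and the self-signed certificate it generates is a constructed stand-in for the files under /etc/letsencrypt/live/.

```shell
#!/usr/bin/env bash
# Added example (not from the MiaRec guide): check that renewal is keeping the
# certificate fresh and that the key Apache loads belongs to the certificate.

# cert_days_ok CERT DAYS: succeeds if CERT is still valid DAYS days from now.
cert_days_ok() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# key_matches_cert CERT KEY: succeeds if both files carry the same public key.
key_matches_cert() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# check_renewal LIVE_DIR [MIN_DAYS]
# LIVE_DIR is a directory such as /etc/letsencrypt/live/miarec.example.com.
# MIN_DAYS defaults to 20 (an assumed threshold): certbot renews 30 days
# before expiry, so less remaining validity means renewal has been failing.
check_renewal() {
    local dir=$1 min=${2:-20} rc=0
    key_matches_cert "$dir/cert.pem" "$dir/privkey.pem" ||
        { echo "FAIL: privkey.pem missing or not the key for cert.pem in $dir"; rc=1; }
    cert_days_ok "$dir/cert.pem" "$min" ||
        { echo "FAIL: cert.pem in $dir expires within $min days"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $dir"
    return "$rc"
}

# make_sample_cert DIR DAYS: constructed self-signed stand-in for a live directory.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=miarec.example.com" \
        -keyout "$1/privkey.pem" -out "$1/cert.pem" 2>/dev/null
}

# Demo: a certificate with 10 days left trips the 20-day threshold.
demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir" 10
check_renewal "$demo_dir" || true
rm -rf "$demo_dir"
```

On the server, run check_renewal as root against the live directory noted in Step 3, since that directory is readable by root only.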