Quick SSL Setup Guide

This guide assumes you have configured your DNS properly to point to the server you wish to secure. It will assume you are using Apache to serve MonsterUI and as a reverse proxy for Crossbar (the API server) for SSL termination.

Let's Encrypt Cert Setup

We'll use Let's Encrypt to generate a free SSL certificate for us. See these instructions for a more detailed guide.

# First, get the script from EFF
sudo wget -O /usr/local/sbin https://dl.eff.org/certbot-auto

# Make it executable
sudo chmod a+x /usr/local/sbin/certbot-auto

Setup Let'sEncrypt and Apache

To start an interactive session to setup the certificate for your domain (in this case, kazoo.mycompany.com):

certbot-auto --apache -d kazoo.mycompany.com

Certificates will be installed to `/etc/letsencrypt/live`


Let's Encrypt certificates are valid for 90 days. Triggering the renewal process is straight-forward:

certbot-auto renew

Setup auto-renewal in the form of a cronjob:

sudo crontab -e
30 2 * * 1 /usr/local/sbin/certbot-auto renew >> /var/log/le-renew.log

Setup Apache as a reverse proxy

Having Apache (or any HTTP server) proxy the requests for the API server makes sense. You can manage your certificates in fewer places and API servers can come and go since each request is independent of any others (no state shared between requests on a given API server).

We create two VirtualHost entries, one for serving MonsterUI assets and one for proxying to Crossbar.


<VirtualHost *:443>
    ServerName kazoo.mycompany.com:443

    DocumentRoot /var/www/html/monster-ui

    SSLEngine on
    SSLCertificateKeyFile "/etc/letsencrypt/live/kazoo.mycompany.com/privkey.pem"
    SSLCertificateFile "/etc/letsencrypt/live/kazoo.mycompany.com/cert.pem"

    <Directory />
        #Options FollowSymLinks
        Options Indexes FollowSymLinks Includes ExecCGI
        AllowOverride All
        Order deny,allow
        Allow from all

API Reverse Proxy

Be sure to replace the IPs with the IP Crossbar is using.

<VirtualHost *:8443>
    ServerName kazoo.mycompany.com:8443
    ProxyPreserveHost On

    SSLEngine on
    SSLCertificateKeyFile "/etc/letsencrypt/live/pdx.2600hz.com/privkey.pem"
    SSLCertificateFile "/etc/letsencrypt/live/pdx.2600hz.com/fullchain.pem"

    ProxyPass /
    ProxyPassReverse /

Reconfigure MonsterUI and the Apps

Once you've reloaded Apache, you'll want to update MonsterUI's config.js:

vim /var/www/html/monster-ui/js/config.js
# Update api_url to 'https://kazoo.mycompany.com:8443/v2'

And re-init the apps:

# Re-initialize Monster Apps
sup crossbar_maintenance init_apps \
/var/www/html/monster-ui/apps \

Edit this page here