VICIfast
Guides & tutorials

Free TLS certificates for a cloud VICIdial box

Let's Encrypt provides free, auto-renewing TLS certificates that secure the VICIdial agent and admin web interfaces over HTTPS on any cloud server.

VICIfast Support

VICIdial's agent screen, admin panel, and recording playback all run over HTTP by default. On a local network that is tolerable. On a cloud server reachable over the public internet, you want HTTPS. Browsers will flag the site as insecure without it, and agent logins will transmit credentials in plain text. Let's Encrypt solves this at no cost with certificates that renew automatically.

This guide covers issuing a certificate, wiring it into Apache (which VICIdial uses), and enabling SIP-TLS for encrypted signaling. For the full picture of cloud VICIdial deployments, see running VICIdial in the cloud.

Prerequisites

You need a working A record pointing your subdomain at the server's public IP — port 80 and 443 must be reachable from the internet so Let's Encrypt's HTTP-01 challenge can complete. If your firewall (or cloud security group) blocks port 80, the challenge will fail. You do not need port 80 open permanently after the first issuance if you switch to DNS-01 challenge renewal, but HTTP-01 is simpler for most setups.

Issuing the certificate with Certbot

flowchart TD
  A[Subdomain A record resolves to server IP] --> B[Port 80 open in firewall]
  B --> C[Run certbot --apache -d your.subdomain.com]
  C --> D{HTTP-01 challenge passes?}
  D -->|Yes| E[Certificate issued to /etc/letsencrypt/live/]
  D -->|No| F[Check firewall and DNS propagation]
  E --> G[Apache reloaded with HTTPS vhost]
  G --> H[Systemd timer auto-renews every 60 days]

# Install certbot on Ubuntu 22.04
apt install -y certbot python3-certbot-apache

# Issue certificate and let certbot edit Apache config
certbot --apache -d dialer.yourcompany.com

# Verify auto-renewal timer is active
systemctl status certbot.timer

Certbot will write a new Apache virtual host config for port 443 and add a redirect from port 80. The certificate files land in /etc/letsencrypt/live/dialer.yourcompany.com/. A systemd timer runs twice daily and renews any certificate within 30 days of expiry. You do not need to touch the certificate again unless you change the domain.

Pointing VICIdial at the certificate

VICIdial's Apache config in /etc/apache2/sites-enabled/ needs to reference the correct certificate files. Certbot's Apache plugin handles this automatically when you run it with --apache. If you issued the certificate manually (standalone mode), copy the certificate paths into your VirtualHost block for port 443 using the SSLCertificateFile, SSLCertificateKeyFile, and SSLCertificateChainFile directives.

SIP-TLS for encrypted call signaling

HTTPS secures the browser UI. The SIP signaling that sets up calls is a separate channel. SIP-TLS (SIP over TLS) encrypts that signaling layer so that call setup messages — which include caller IDs, dialed numbers, and credentials — are not readable by anyone watching the network. To enable SIP-TLS in Asterisk, you reference the same Let's Encrypt certificate from the tlscertfile and tlsprivatekey fields in sip.conf or pjsip.conf. Your carrier also needs to support TLS on their SIP peer. Note that SIP-TLS encrypts only the signaling; SRTP is the separate layer that encrypts the audio stream itself.

Let's Encrypt certificates expire every 90 days. If the auto-renewal systemd timer stops running for any reason, browsers will start rejecting your site's expired certificate on day 91. Set up a monitoring check on certificate expiry — even a simple cron job that emails you if certbot renew --dry-run fails.

Troubleshooting a failed renewal

The most common renewal failure is a firewall rule that got tightened after the initial certificate issuance. Let's Encrypt needs to reach port 80 on your server to complete the HTTP-01 challenge. If you locked port 80 down after getting the first certificate, renewal will fail silently until you notice the certificate is expired. Run certbot renew --dry-run monthly to catch this before expiry. The dry-run uses the same challenge mechanism as a real renewal but does not write a new certificate.
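As an added example (not part of the original guide), here is the kind of cron-driven expiry watchdog the two paragraphs above describe: it flags a certificate that is closer to expiry than certbot's own 30-day renewal window should ever allow, and runs certbot renew --dry-run to surface a blocked port 80 or a stale A record. The domain, the alert address and the use of mail(1) are assumptions; save it as cert-watch.sh.

```shell
#!/bin/sh
# cert-watch.sh: expiry watchdog for the Let's Encrypt certificate on a VICIdial box.
# Run from cron, e.g.  0 6 1 * * /usr/local/sbin/cert-watch.sh   (monthly, as the guide suggests).
# Assumed (not from the guide): DOMAIN, ALERT_TO and the mail(1) command; override via environment.
set -u

DOMAIN="${DOMAIN:-dialer.yourcompany.com}"
CERT="${CERT:-/etc/letsencrypt/live/$DOMAIN/fullchain.pem}"
ALERT_TO="${ALERT_TO:-ops@example.com}"
# certbot renews 30 days before expiry, so fewer days left than this means a renewal already failed.
WARN_DAYS="${WARN_DAYS:-20}"

# Returns 0 (true) if the certificate in $1 expires within $2 days, or cannot be read at all.
cert_expires_within() {
    _cert="$1"; _days="$2"
    [ -r "$_cert" ] || return 0
    # openssl -checkend exits 0 only if the cert is still valid after the given number of seconds.
    if openssl x509 -noout -checkend "$(( _days * 86400 ))" -in "$_cert" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Prints the notAfter date of the certificate in $1, e.g. "Jun 29 12:00:00 2026 GMT".
cert_end_date() {
    openssl x509 -noout -enddate -in "$1" 2>/dev/null | sed 's/^notAfter=//'
}

# Exercises the real HTTP-01 challenge path without writing a certificate;
# a non-zero exit means a real renewal would fail the same way.
renewal_dry_run() {
    certbot renew --dry-run >/dev/null 2>&1
}

alert() {
    printf '%s\n' "$1" | mail -s "TLS alert for $DOMAIN" "$ALERT_TO"
}

main() {
    _status=0
    if cert_expires_within "$CERT" "$WARN_DAYS"; then
        alert "$CERT expires on $(cert_end_date "$CERT"), within $WARN_DAYS days: auto-renewal has probably stopped."
        _status=1
    fi
    if ! renewal_dry_run; then
        alert "certbot renew --dry-run failed: check that port 80 is reachable and that the A record for $DOMAIN still points at this server."
        _status=1
    fi
    return $_status
}

# Only run when invoked as the script itself, so the functions can be sourced and tested separately.
if [ "${0##*/}" = "cert-watch.sh" ]; then main; fi
```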

A second cause is a DNS change that left the subdomain pointing at the wrong IP. If you rebuilt the server or reassigned the IP, the A record must be updated before renewal will succeed. Let's Encrypt's ACME protocol verifies the domain resolves to the IP that serves the challenge file, so an outdated DNS record causes an immediate failure.

When the DNS is managed for you

On a managed VICIdial platform, the DNS record and TLS certificate for your branded subdomain are provisioned automatically as part of server setup. You do not run Certbot, and there is no renewal to monitor — the platform handles it. The certificate is issued via DNS-01 challenge (which works without opening port 80) and renewed before expiry. If you are self-managing, pointing a subdomain at your cloud VICIdial box covers the DNS setup that must happen before Certbot can issue.

If certificate management is one more thing you would rather not own, VICIfast plans include a provisioned TLS certificate on your branded subdomain from day one — no Certbot steps required.

About VICIfast LLC

VICIfast LLC operates a managed VICIdial hosting + BYOI service for outbound and inbound call centers. We run the dialers, the carriers, the recordings pipeline, and the compliance plumbing so operators don’t have to.

Citing this article

VICIfast Engineering. “Free TLS certificates for a cloud VICIdial box”. VICIfast LLC, June 29, 2026. Retrieved from https://vicifast.com/blog/vicidial-cloud-letsencrypt-tls
