Automatic TLS certificate renewal on your dialer

Let's Encrypt DNS-01 certificates on your VICIfast branded subdomain renew automatically. Here is what happens behind the scenes so HTTPS never lapses.

VICIfast Support

An expired TLS certificate on a Branded subdomain knocks your agents offline. Browsers refuse to load HTTPS pages with expired certs, and the WebRTC Webphone will not connect without a valid certificate on the WebSocket endpoint. For a live floor, that is not a cosmetic warning; it is a hard stop on calling until the certificate is replaced. VICIfast handles renewal automatically so this failure mode is removed from your operations checklist entirely.

Why DNS-01 instead of HTTP-01

Let's Encrypt offers several challenge types. The most common, HTTP-01, requires the domain to be reachable over port 80, which adds attack surface with no benefit on a Single tenant VICIdial VPS whose web interfaces run on HTTPS only. DNS-01 proves domain ownership by writing a TXT record in DNS instead, so no inbound HTTP traffic is required. VICIfast uses Cloudflare to manage DNS records for customer subdomains, which makes the DNS-01 challenge straightforward to automate: write the TXT record, wait for verification, receive the certificate, remove the record.
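
What actually goes into that TXT record, as an added example (not VICIfast's code) that follows RFC 8555 and RFC 7638. The subdomain, token and account keys are constructed; the point is that the value is a digest bound to the ACME account key, so the same token yields a different record for a different account.

```python
import base64
import hashlib
import json

# JWK members that RFC 7638 includes in the thumbprint, per key type.
THUMBPRINT_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}


def b64url(data):
    """Base64url without padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk):
    """RFC 7638: SHA-256 over the required members, sorted, no whitespace."""
    members = {name: jwk[name] for name in THUMBPRINT_MEMBERS[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_record(domain, token, account_jwk):
    """Return (record name, TXT value) for a DNS-01 challenge (RFC 8555 s. 8.4)."""
    key_authorization = token + "." + jwk_thumbprint(account_jwk)
    value = b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())
    # A wildcard order is validated at the base name, without the "*." label.
    base = domain[2:] if domain.startswith("*.") else domain
    return "_acme-challenge." + base, value


# Constructed sample inputs: hypothetical subdomain, token and account keys.
TOKEN = "constructed-token-4f2a9c"
ACCOUNT_A = {"kty": "EC", "crv": "P-256", "x": "constructed-x-A", "y": "constructed-y-A"}
ACCOUNT_B = {"kty": "EC", "crv": "P-256", "x": "constructed-x-B", "y": "constructed-y-B"}

if __name__ == "__main__":
    for label, jwk in (("account A", ACCOUNT_A), ("account B", ACCOUNT_B)):
        name, value = dns01_txt_record("dialer.example.com", TOKEN, jwk)
        print(label, name, "TXT", value)
```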

How the renewal sequence works

sequenceDiagram
  participant Scheduler
  participant VICIfast
  participant Cloudflare
  participant LetsEncrypt
  participant Server
  Scheduler->>VICIfast: Trigger renewal check (30 days before expiry)
  VICIfast->>LetsEncrypt: Request new certificate (DNS-01)
  LetsEncrypt-->>VICIfast: Return DNS challenge token
  VICIfast->>Cloudflare: Write _acme-challenge TXT record
  LetsEncrypt->>Cloudflare: Verify TXT record
  LetsEncrypt-->>VICIfast: Issue new certificate
  VICIfast->>Cloudflare: Remove _acme-challenge TXT record
  VICIfast->>Server: Install new certificate
  Server-->>VICIfast: Reload Asterisk + web server
  VICIfast-->>Scheduler: Renewal complete

When renewal runs

Let's Encrypt certificates have a 90-day validity window. VICIfast's scheduler triggers a renewal check 30 days before expiry. That leaves two full retry windows in case of a transient DNS propagation delay or an ACME API rate limit — the scheduler will retry with exponential backoff on failure, and a second renewal attempt can run with 15 days still remaining before expiry. If renewal has not succeeded with 10 days left, the platform alerts the on-call team so there is time for manual intervention before any agent session is affected.

What gets the new certificate

Two services on the server use the TLS certificate: nginx, which fronts the VICIdial admin interface and agent screen over HTTPS, and Asterisk's built-in HTTP server, which handles the WebSocket endpoint (wss, port 8089) that the browser Webphone connects through. After a new certificate is installed, both services reload their TLS configuration. Agents connected at the time of the reload stay connected — the old certificate is not removed until the new one is confirmed loaded and serving. This means there is no brief window where agents get a certificate error mid-session during a renewal.
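
A check an operator could run against the two listeners named above, using the 30-day and 10-day thresholds from the previous section (an added example, not VICIfast's code; the fingerprints, dates and service labels are constructed). It also flags the case where nginx and Asterisk serve different certificates, meaning one service did not pick up the renewed certificate.

```python
import hashlib
import socket
import ssl
from datetime import datetime, timezone

RENEW_DAYS, ALERT_DAYS = 30, 10                 # thresholds stated in the article
PORTS = {"nginx": 443, "asterisk-wss": 8089}    # the two TLS listeners it names

def fetch_cert(host, port, timeout=5.0):
    """Live probe: (SHA-256 fingerprint, notAfter) of the certificate served."""
    # The default context verifies the chain, so an expired or untrusted
    # certificate raises ssl.SSLCertVerificationError inside wrap_socket.
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            return hashlib.sha256(der).hexdigest(), tls.getpeercert()["notAfter"]

def probe(host):
    """Collect one observation per listener, in the shape assess() expects."""
    return {name: fetch_cert(host, port) for name, port in PORTS.items()}

def days_left(not_after, now):
    """Whole days until a notAfter string such as 'Oct 06 00:00:00 2026 GMT'."""
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    return (expiry - now).days

def assess(observed, now):
    """observed maps service name -> (fingerprint, notAfter); returns findings."""
    findings = []
    if len({fingerprint for fingerprint, _ in observed.values()}) > 1:
        findings.append("MISMATCH: services are serving different certificates")
    for service, (_, not_after) in observed.items():
        left = days_left(not_after, now)
        state = ("EXPIRED" if left < 0 else "ALERT" if left <= ALERT_DAYS
                 else "RENEW_DUE" if left <= RENEW_DAYS else "OK")
        findings.append(f"{service}: {state} ({left} days left)")
    return findings

# Constructed observations: nginx has the renewed certificate, Asterisk was
# never reloaded and still serves the old one. Fingerprints are placeholders.
NOW = datetime(2026, 7, 10, tzinfo=timezone.utc)
SAMPLE = {"nginx": ("fingerprint-new", "Oct 06 00:00:00 2026 GMT"),
          "asterisk-wss": ("fingerprint-old", "Jul 18 00:00:00 2026 GMT")}

if __name__ == "__main__":
    print("\n".join(assess(SAMPLE, NOW)))
```

For a live check, pass `probe("<your subdomain>")` and the current UTC time to `assess` instead of the constructed sample.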

Coverage during provisioning

The initial certificate is not a separate step after Provisioning completes. It is part of the automated deploy sequence itself. By the time your Branded subdomain URL arrives in your welcome email, the certificate is already installed, both nginx and Asterisk are serving over TLS, and the Managed hosting scheduler has already registered the renewal job. There is no plain HTTP window and no follow-up step you need to take to enable HTTPS. The first agent who logs in is already on a valid, secure connection.

If you are on a BYOI (bring your own infrastructure) plan and pointing VICIfast at your own server, the same DNS-01 renewal process applies to your subdomain. The Cloudflare DNS records are still managed by VICIfast, so renewal is automatic regardless of where the VPS lives.

No manual renewal tasks

You do not set a calendar reminder to renew your cert. You do not run certbot manually. You do not touch DNS records. VICIfast's renewal scheduler handles the entire sequence and alerts the platform, not you, if renewal fails. The only time you would hear about a certificate issue is if something went wrong that required manual intervention, which would come as a support notification rather than as a surprised agent staring at a browser warning.

Why this belongs with the host

Certificate renewal is a small task that fails in a large way. It runs every few months, it is easy to forget, and the cost of forgetting is your whole floor offline at once. That profile, low effort but high blast radius, is exactly the kind of work that should sit with the party that already owns the box. Because every account is Single tenant and tied to its own subdomain, the certificate is yours alone and nothing about your renewal depends on another customer's VPS.

The result is one less thing to track. The HTTPS that protects your admin, your agents, and your Webphone traffic simply stays valid for the life of the account, the same way the rest of the Provisioning and maintenance does. It is part of running the infrastructure, which is the half of the job VICIfast takes on so you can spend your attention on the calling.

See what VICIfast adds to VICIdial for a complete picture of what managed hosting covers. For more on how the branded subdomain is set up from the start, read VICIfast branded subdomain HTTPS. Pricing for all plans is at /pricing.

About VICIfast LLC

VICIfast LLC operates a managed VICIdial hosting + BYOI service for outbound and inbound call centers. We run the dialers, the carriers, the recordings pipeline, and the compliance plumbing so operators don’t have to.

Citing this article

VICIfast Engineering. “Automatic TLS certificate renewal on your dialer”. VICIfast LLC, June 30, 2026. Retrieved from https://vicifast.com/blog/vicifast-auto-tls-renewal
