FusionPBX Debian 8 Install Guide
Overview
I will show how to install FusionPBX on Debian 8 as well as obtain free Let’s Encrypt SSL, and setup some basic FusionPBX settings.
FusionPBX Installation
Upgrade Debian 8, Install Git, download FusionPBX install script, and run it
apt-get update && apt-get upgrade -y --force-yes
apt-get install -y --force-yes git
cd /usr/src
git clone https://github.com/fusionpbx/fusionpbx-install.sh.git
chmod 755 -R /usr/src/fusionpbx-install.sh
cd /usr/src/fusionpbx-install.sh/debian
./install.sh
After install, use the generated username/password to login to web UI, go to the navigation and do the following
Advanced -> Upgrade, select the checkbox for App defaults then execute.
Go to Status -> SIP Status, and start the SIP profiles
Go to Advanced -> Modules, and find the module Memcached and click start.
Let’s Encrypt Installation
Install Lets Encrypt for NGINX
cd /usr/src/
git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
cd /opt/letsencrypt
chmod a+x ./certbot-auto
mkdir /etc/letsencrypt
cd /etc/letsencrypt/
mkdir -p configs
cd configs
Edit the default conf file Change domains = domain.tld.conf
to your domain like unifi.example.com.conf
. Also change email = youremail
nano /etc/letsencrypt/configs/yourdomain.com.conf
# the domain we want to get the cert for;
# technically it's possible to have multiple of this lines, but it only worked
# with one domain for me, another one only got one cert, so I would recommend
# separate config files per domain.
domains = domain.tld.conf
# increase key size
rsa-key-size = 2048 # Or 4096
# the current closed beta (as of 2015-Nov-07) is using this server
server = https://acme-v01.api.letsencrypt.org/directory
# this address will receive renewal reminders
email = youremail
# turn off the ncurses UI, we want this to be run as a cronjob
text = True
# authenticate by placing a file in the webroot (under .well-known/acme-upatechallenge/)
# and then letting LE fetch it
authenticator = webroot
webroot-path = /var/www/letsencrypt/
Next, edit FusionPBX’s NGINX configuration file
nano /etc/nginx/sites-available/fusionpbx
Add this after the ssl_ciphers line:
location /.well-known/acme-challenge {
root /var/www/letsencrypt;
}
Reload and check Nginx
nginx -t && nginx -s reload
That should output
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
Next run the Let’s Encrypt wizard to obtain SSL cert Change domain.tld.conf
to your domain like unifi.example.com.conf
cd /opt/letsencrypt
./letsencrypt-auto --config /etc/letsencrypt/configs/domain.tld.conf certonly
Comment out and add the following to NGINX config as shown below
nano /etc/nginx/sites-available/fusionpbx
#ssl_certificate /etc/ssl/certs/nginx.crt;
#ssl_certificate_key /etc/ssl/private/nginx.key;
ssl_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem;
Now create script to renew SSL cert automatically
cd /etc/fusionpbx
nano renew-letsencrypt.sh
Example script Change domain.tld.conf
to your domain like unifi.example.com.conf
#!/bin/sh
cd /opt/letsencrypt/
./certbot-auto --config /etc/letsencrypt/configs/domain.tld.conf certonly --non-interactive --keep-until-expiring --agree-tos --quiet
if [ $? -ne 0 ]
then
ERRORLOG=`tail /var/log/letsencrypt/letsencrypt.log`
echo -e "The Let's Encrypt cert has not been renewed! \n \n" \
$ERRORLOG
else
nginx -s reload
fi
Make the renwal script executable
chmod +x renew-letsencrypt.sh
Create cronjob to run it once per week
crontab -e
Add this add end of crontab file
30 2 * * 1 /etc/fusionpbx/renew-letsencrypt.sh
FusionPBX Basic Configuration
Disable or Remove IPv6 if not needed
Web GUI: Advanced > SIP Profiles > interal-ipv6
Web GUI: Advanced > SIP Profiles > external-ipv6
Enable global username
Allows you to log in to any domain from any URL as long as username is unique
Advanced > default settings -> Add > category: user
subcategory: unique
type: text
value: global
Then click Reload
Enable Provisioning
Advanced -> Default Settings
Edit Provision subcat: enabled -- change enabled: false to enabled: true
Create device provisioning whitelists
This limits the IP addresses that can download phone configurations (which contain SIP secrets). Very important security measure if not IP whitelisting at the network level already.
Advanced > default settings -> Add > category: provision
subcategory: cidr
type: array
value: ip/32
How to edit settings per domain
This is how to create domain level settings. It works the same as Advanced -> default settings, but at a domain level. For example, you can add the whitelist above to apply to a specific domain, otherwise the whitelist will apply to all domains if set in default settings.
Advanced > domains > pencil (edit) > (+) add per domain setting