Astervis Docs

SSL Certificates

Configure HTTPS with self-signed or Let's Encrypt certificates

Astervis uses HTTPS by default. Choose between self-signed certificates (quick setup) or Let's Encrypt (production).

Certificate Types

| Type | Best For | Requirements |
|------|----------|--------------|
| Self-Signed | Testing, internal use | None |
| Let's Encrypt | Production | Domain name, DNS access |
| Custom | Enterprise | Your own certificate files |

Self-Signed (Default)

Generated automatically during installation. Works immediately but shows a browser warning.

Regenerate Certificate

sudo astervis-installer ssl --regenerate

Certificate Location

/opt/astervis/nginx/ssl/server.crt
/opt/astervis/nginx/ssl/server.key

Browser Warning

Users will see a "Your connection is not private" warning. Click Advanced → Proceed to continue.

Self-signed certificates are secure for encryption. The warning only means the certificate isn't verified by a Certificate Authority, so the browser cannot confirm the server's identity for you.
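Because the browser cannot vouch for a self-signed certificate, the check left to the user is a fingerprint comparison against a trusted copy. The following is an added example, not part of the Astervis documentation or tooling: the function names are hypothetical, and it assumes `openssl` is installed on the workstation and that a copy of `server.crt` (or its fingerprint) was obtained over an already-trusted channel such as SSH.

```shell
#!/usr/bin/env bash
# Added example: compare the certificate a server presents with a trusted copy.
# Function names are hypothetical; only standard openssl subcommands are used.

# Print the SHA-256 fingerprint of a PEM certificate file as bare uppercase hex.
# Prints nothing if the file is missing or is not a certificate.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null \
        | cut -d= -f2 | tr -d ':' | tr '[:lower:]' '[:upper:]'
}

# Save the leaf certificate presented by HOST:PORT to OUTFILE.
# No chain validation happens here; the fingerprint comparison is the check.
fetch_served_cert() {   # usage: fetch_served_cert HOST PORT OUTFILE
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM >"$3" 2>/dev/null
}

# Return 0 only when both files parse and their fingerprints are identical.
same_cert() {           # usage: same_cert TRUSTED.pem SERVED.pem
    local a b
    a=$(cert_fingerprint "$1")
    b=$(cert_fingerprint "$2")
    [ -n "$a" ] && [ -n "$b" ] && [ "$a" = "$b" ]
}

# Compare a fingerprint received out-of-band (any case, with or without
# colons or spaces) against the certificate in SERVED.pem.
matches_pinned() {      # usage: matches_pinned "AB:CD:..." SERVED.pem
    local pinned
    pinned=$(printf '%s' "$1" | tr -d ': \n' | tr '[:lower:]' '[:upper:]')
    [ -n "$pinned" ] && [ "$pinned" = "$(cert_fingerprint "$2")" ]
}

# Typical run from a workstation, using the page's example domain and port.
# trusted.pem is the copy of /opt/astervis/nginx/ssl/server.crt fetched over SSH.
#   fetch_served_cert pbx.company.com 8443 served.pem
#   same_cert trusted.pem served.pem && echo "match" || echo "MISMATCH: do not proceed"
```

A mismatch after `astervis-installer ssl --regenerate` is expected until the trusted copy is refreshed; a mismatch at any other time should be investigated before anyone accepts the warning.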

Let's Encrypt

Free, trusted certificates. Requires a domain name pointing to your server.

Prerequisites

  1. Domain name (e.g., pbx.company.com)
  2. DNS A record pointing to your server IP
  3. Port 80 accessible (for verification)

DNS Challenge with DNSimple

If port 80 is blocked, use DNS challenge:

1. Get DNSimple API Token

Go to dnsimple.com → Account → API Tokens → Generate

2. Configure Astervis

sudo nano /opt/astervis/.env

Add:

SERVER_IP=pbx.company.com
DNSIMPLE_TOKEN=your_dnsimple_api_token

3. Request Certificate

sudo astervis-installer ssl --letsencrypt --domain pbx.company.com

HTTP Challenge

If port 80 is open:

sudo astervis-installer ssl --letsencrypt --domain pbx.company.com --http

Certificate Renewal

Let's Encrypt certificates expire after 90 days. Astervis auto-renews every 60 days.

Check renewal status:

docker exec astervis-certbot certbot certificates

Manual renewal:

docker exec astervis-certbot certbot renew

Custom Certificate

Use your own certificate files.

Copy Certificate Files

sudo cp your-certificate.crt /opt/astervis/nginx/ssl/server.crt
sudo cp your-private-key.key /opt/astervis/nginx/ssl/server.key

Set Permissions

sudo chmod 600 /opt/astervis/nginx/ssl/server.key
sudo chmod 644 /opt/astervis/nginx/ssl/server.crt

Restart Nginx

cd /opt/astervis
docker compose restart nginx

Verify Certificate

Check Certificate Info

openssl x509 -in /opt/astervis/nginx/ssl/server.crt -text -noout | head -20

Check Expiration

openssl x509 -in /opt/astervis/nginx/ssl/server.crt -enddate -noout

Test HTTPS

curl -kv https://localhost:8443/health 2>&1 | grep "SSL certificate"

Troubleshooting

Certificate Not Trusted

Cause: Self-signed certificate or Let's Encrypt not properly configured.

For self-signed: Expected behavior. Users must accept the warning.

For Let's Encrypt: Check that the DNS records point to the correct IP:

dig +short pbx.company.com

Port 80 Blocked

Solution: Use DNS challenge instead of HTTP challenge:

sudo astervis-installer ssl --letsencrypt --domain pbx.company.com --dns

Certificate Renewal Failed

Check logs:

docker logs astervis-certbot

Common causes:

  • DNS records changed
  • API token expired
  • Port 80 blocked (for HTTP challenge)

Mixed Content Warning

Cause: HTTP resources loaded on an HTTPS page.

Solution: Ensure all URLs use HTTPS. Check BETTER_AUTH_URL in .env:

BETTER_AUTH_URL=https://pbx.company.com:8443