FOP2 SSL WebSocket Failures: The Hidden RSA Certificate Requirement

Published: 2026-02-19
Applies to: FOP2 v2.31.50 and earlier
Environment: Any (Docker, bare metal, VM)


What Went Wrong

I set up FOP2 (Flash Operator Panel 2), got SSL certificates from Let’s Encrypt, and everything looked good—until I tried to actually use it. The page loaded fine, but the WebSocket connection kept failing. Browser console filled up with cryptic errors about mixed content and WebSocket failures.

Hours of troubleshooting later, I found the culprit: FOP2 v2.31.50 only supports RSA certificates, not ECDSA (Elliptic Curve) certificates.

Let’s Encrypt issues a certificate for whichever key type is in the CSR; the choice is certbot’s, and certbot has defaulted to ECDSA (P-256) keys instead of RSA since its 2.0 release. ECDSA keys are smaller and faster to use, but the TLS library in FOP2 v2.31.50 cannot load them, so the process starts and listens on 4445 and then fails every handshake without logging anything obvious, which sends you down rabbit holes.


What You’ll See

  1. Browser Console Errors:

    Mixed Content: The page was loaded over HTTPS, but attempted to connect to the insecure WebSocket endpoint
    WebSocket connection failed
    wss://your-server:4445/ request blocked
  2. OpenSSL Shows Nothing:

    openssl s_client -connect your-server:4445
    # Returns:
    # no peer certificate available
    # SSL handshake has read 0 bytes
  3. FOP2 Seems Fine: Process runs, but SSL isn’t actually working

  4. Authorization Errors: authorized=0 in browser console even with correct credentials


Why This Happens

Certificate type        FOP2 v2.31.50        certbot default
RSA (2048/4096 bit)     ✅ Supported         ❌ No, pass --key-type rsa
ECDSA (P-256)           ❌ Not supported     ✅ Yes, since certbot 2.0

FOP2 Version Tested: 2.31.50


The Fix: Use RSA Certificates

Check Your Current Certificate

openssl x509 -in /etc/letsencrypt/live/your-domain/fullchain.pem -noout -text | grep "Public-Key"
  • RSA: Shows Public-Key: (2048 bit) or (4096 bit) ← Working
  • ECDSA: Shows Public-Key: (256 bit) ← Problem!

Reissue with RSA

sudo certbot --apache \
  --key-type rsa \
  --rsa-key-size 4096 \
  --cert-name your-domain \
  -d your-domain \
  --email your-email@domain.com \
  --agree-tos \
  --redirect \
  -n

Docker users:

docker exec -it <container_id> certbot --apache \
  --key-type rsa \
  --rsa-key-size 4096 \
  --cert-name your-domain \
  -d your-domain \
  --email your-email@domain.com \
  --agree-tos \
  --redirect \
  -n

Because --cert-name reuses the existing lineage, certbot also records key_type = rsa (and rsa_key_size = 4096) in /etc/letsencrypt/renewal/your-domain.conf, so automatic renewals keep issuing RSA keys. Check that file contains key_type = rsa before trusting the next renewal; if it still says ecdsa, the first renewal will silently put you back where you started.

Update FOP2 Configuration

Edit /usr/local/fop2/fop2.cfg:

ssl=yes
ssl_certificate_file=/etc/letsencrypt/live/your-domain/fullchain.pem
ssl_certificate_key_file=/etc/letsencrypt/live/your-domain/privkey.pem

Restart FOP2

# Stop any running instance
pkill -f fop2_server

# Start fresh
/usr/local/fop2/fop2_server -d

# Or run in foreground to see errors
/usr/local/fop2/fop2_server -f

Test SSL

openssl s_client -connect your-domain:4445

You should see certificate details now instead of “no peer certificate available.”


Troubleshooting Checklist

Is FOP2 Running?

ps aux | grep fop2
netstat -tlnp | grep 4445

Test SSL/TLS

# Should show certificate chain
openssl s_client -connect your-domain:4445

# Check certificate type
openssl x509 -in /path/to/cert.pem -noout -text | grep "Public Key Algorithm"
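
Checking the certificate is only half of it: FOP2 loads both files named in fop2.cfg, so the private key must be RSA as well, and the openssl binary is not always present inside a slim container. The script below is an added example written for this article, not part of FOP2, and covers the “Check Your Current Certificate”, “Update FOP2 Configuration” and “Check certificate type” steps in one pass: it reads fop2.cfg, follows ssl_certificate_file and ssl_certificate_key_file, and walks the DER of each file with the Python standard library to report the key algorithm. The fake_cert_pem and fake_key_pem helpers build constructed, certificate-shaped input (not real credentials) so the checker can be exercised offline; the assumption that ';' starts a comment in fop2.cfg is an assumption and is marked in the code.

```python
"""fop2_tls_check.py: pre-flight check of the TLS material FOP2 is about to load.
Reads fop2.cfg, follows ssl_certificate_file / ssl_certificate_key_file, and reports
the key algorithm of both by walking their DER with the standard library only.
Usage: python3 fop2_tls_check.py /usr/local/fop2/fop2.cfg"""
import base64
import re
import sys

# AlgorithmIdentifier OIDs in subjectPublicKeyInfo (X.509) and PrivateKeyInfo (PKCS#8)
OID_NAMES = {"1.2.840.113549.1.1.1": "rsa",   # rsaEncryption
             "1.2.840.10045.2.1": "ec"}        # id-ecPublicKey

def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _oid(raw):
    """OBJECT IDENTIFIER payload -> dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def pem_blocks(text):
    """Every PEM block in text as [(label, der_bytes)], in file order."""
    pat = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)
    return [(m.group(1), base64.b64decode("".join(m.group(2).split()))) for m in pat.finditer(text)]

def cert_key_algorithm(der):
    """Algorithm named in subjectPublicKeyInfo of an X.509 certificate."""
    _, pos, _ = _tlv(der, 0)           # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)         # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                    # optional [0] EXPLICIT version
        pos = end
    for _ in range(5):                 # serialNumber, signature, issuer, validity, subject
        _, _, pos = _tlv(der, pos)
    _, pos, _ = _tlv(der, pos)         # subjectPublicKeyInfo SEQUENCE
    _, pos, _ = _tlv(der, pos)         # AlgorithmIdentifier SEQUENCE
    tag, start, end = _tlv(der, pos)   # algorithm OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("malformed SubjectPublicKeyInfo")
    return OID_NAMES.get(_oid(der[start:end]), "unknown")

def private_key_algorithm(label, der):
    """Algorithm of a PEM private key: legacy PKCS#1/SEC1 headers name it, a PKCS#8
    'PRIVATE KEY' block carries it as privateKeyAlgorithm right after the version."""
    if label == "RSA PRIVATE KEY":
        return "rsa"
    if label == "EC PRIVATE KEY":
        return "ec"
    _, pos, _ = _tlv(der, 0)           # PrivateKeyInfo SEQUENCE
    _, _, pos = _tlv(der, pos)         # version INTEGER
    _, pos, _ = _tlv(der, pos)         # AlgorithmIdentifier SEQUENCE
    _, start, end = _tlv(der, pos)     # algorithm OBJECT IDENTIFIER
    return OID_NAMES.get(_oid(der[start:end]), "unknown")

def fop2_tls_paths(cfg_text):
    """ssl_certificate_file / ssl_certificate_key_file from fop2.cfg text.
    Assumption: ';' starts a comment, as in Asterisk-style configs."""
    paths = {}
    for line in cfg_text.splitlines():
        line = line.split(";", 1)[0]
        if "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key in ("ssl_certificate_file", "ssl_certificate_key_file"):
                paths[key] = value
    return paths

def check_material(cert_pem, key_pem):
    """(cert_alg, key_alg, ok); ok only when both are RSA, the one type FOP2 2.31.50 loads.
    The first CERTIFICATE block is inspected: the leaf comes first in certbot's fullchain.pem."""
    cert = next(d for lb, d in pem_blocks(cert_pem) if lb == "CERTIFICATE")
    label, key = next((lb, d) for lb, d in pem_blocks(key_pem) if lb.endswith("PRIVATE KEY"))
    cert_alg, key_alg = cert_key_algorithm(cert), private_key_algorithm(label, key)
    return cert_alg, key_alg, cert_alg == "rsa" and key_alg == "rsa"

# --- constructed sample input: certificate/key-SHAPED DER, not real credentials ---------
def _der(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    nb = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | nb]) + n.to_bytes(nb, "big") + payload

def _der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.insert(0, 0x80 | (a & 0x7F))
        out += chunk
    return _der(0x06, bytes(out))

_seq = lambda *parts: _der(0x30, b"".join(parts))

def fake_cert_pem(alg_oid):
    # empty names, dummy validity, no real key bits or signature: just the structure
    utc = lambda s: _der(0x17, s.encode())
    tbs = _seq(_der(0xA0, _der(0x02, b"\x02")), _der(0x02, b"\x01"),
               _seq(_der_oid("1.2.840.113549.1.1.11")), _seq(),
               _seq(utc("260101000000Z"), utc("270101000000Z")), _seq(),
               _seq(_seq(_der_oid(alg_oid)), _der(0x03, b"\x00")))
    der = _seq(tbs, _seq(_der_oid("1.2.840.113549.1.1.11")), _der(0x03, b"\x00"))
    return f"-----BEGIN CERTIFICATE-----\n{base64.b64encode(der).decode()}\n-----END CERTIFICATE-----\n"

def fake_key_pem(alg_oid):
    # PKCS#8-shaped PrivateKeyInfo with an empty privateKey OCTET STRING
    der = _seq(_der(0x02, b"\x00"), _seq(_der_oid(alg_oid)), _der(0x04, b""))
    return f"-----BEGIN PRIVATE KEY-----\n{base64.b64encode(der).decode()}\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    paths = fop2_tls_paths(open(sys.argv[1]).read())
    cert_alg, key_alg, ok = check_material(open(paths["ssl_certificate_file"]).read(),
                                           open(paths["ssl_certificate_key_file"]).read())
    print(f"certificate: {cert_alg}  private key: {key_alg}  -> {'OK' if ok else 'FOP2 needs RSA'}")
    sys.exit(0 if ok else 1)
```

Run it against fop2.cfg before restarting fop2_server; exit status 1 means at least one of the two files is not RSA, which is exactly the mismatch that produces the silent handshake failure above. It reads only the leaf certificate, so the chain certificates in fullchain.pem (which may well be ECDSA-signed) do not affect the result.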

Test WebSocket in Browser

Open FOP2 page → F12 Console → paste:

const ws = new WebSocket('wss://your-domain:4445');
ws.onopen = () => console.log('Connected');
ws.onerror = (e) => console.log('Error:', e);
ws.onclose = (e) => console.log('Closed:', e.code, e.reason);
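
The console snippet above only tells you that the socket closed. As an added example, not from the original post or from FOP2, the stdlib Python script below probes the endpoint from a shell one layer at a time, TCP, then TLS, then the RFC 6455 Upgrade handshake, so a firewall problem, the TLS handshake failure this article is about, and an HTTP-level rejection of the Upgrade each surface as a different stage. Host, port and the '/' path are assumptions, and anything FOP2 might require beyond the standard handshake is not modelled; the Sec-WebSocket-Accept check uses the fixed GUID and the worked key/accept pair published in RFC 6455.

```python
"""wss_probe.py: probe a FOP2 WebSocket endpoint one layer at a time (TCP, TLS, then the
RFC 6455 HTTP Upgrade) and report the first layer that fails. Standard library only.
Usage: python3 wss_probe.py your-domain 4445"""
import base64
import hashlib
import os
import socket
import ssl
import sys

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"   # fixed GUID from RFC 6455 section 1.3

def expected_accept(key):
    """Sec-WebSocket-Accept a conforming server must return for Sec-WebSocket-Key `key`."""
    return base64.b64encode(hashlib.sha1((key + WS_GUID).encode()).digest()).decode()

def upgrade_request(host, port, key, path="/"):
    """Minimal client handshake; Origin is what a browser would send for the FOP2 page."""
    return (f"GET {path} HTTP/1.1\r\nHost: {host}:{port}\r\nOrigin: https://{host}\r\n"
            f"Upgrade: websocket\r\nConnection: Upgrade\r\nSec-WebSocket-Key: {key}\r\n"
            f"Sec-WebSocket-Version: 13\r\n\r\n").encode()

def parse_upgrade_response(raw, key):
    """(status_code, accept_ok) from the server's raw handshake bytes; (0, False) if empty."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    status = 0
    if lines and lines[0].startswith("HTTP/"):
        parts = lines[0].split(" ", 2)
        status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers.get("sec-websocket-accept") == expected_accept(key)

def probe(host, port, timeout=5.0, verify=True):
    """(stage, detail) with stage in 'tcp', 'tls', 'upgrade', 'ok'. verify=True checks the
    chain against the system CA store like a browser; verify=False gets past a self-signed
    cert so the Upgrade step can still be tested."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as e:
        return "tcp", f"cannot connect: {e}"
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        tls = ctx.wrap_socket(sock, server_hostname=host)
    except OSError as e:                  # SSLError (incl. EOF) and resets both land here
        sock.close()
        return "tls", f"handshake failed, the 'no peer certificate available' case: {e}"
    key = base64.b64encode(os.urandom(16)).decode()
    try:
        tls.sendall(upgrade_request(host, port, key))
        raw, version = tls.recv(4096), tls.version()
    except OSError as e:
        return "upgrade", f"no handshake response: {e}"
    finally:
        tls.close()
    status, accept_ok = parse_upgrade_response(raw, key)
    if status != 101 or not accept_ok:
        return "upgrade", f"HTTP {status}, Sec-WebSocket-Accept valid={accept_ok}"
    return "ok", f"{version}, upgrade accepted"

if __name__ == "__main__":
    stage, detail = probe(sys.argv[1], int(sys.argv[2]))
    print(f"{stage}: {detail}")
    sys.exit(0 if stage == "ok" else 1)
```

With the ECDSA certificate in place the run stops at the tls stage; after the RSA reissue it should reach ok. A tcp stage points at a firewall or at FOP2 not listening on 4445 at all, and an upgrade stage means TLS is fine and the problem is in the WebSocket layer itself.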

Check Certificate Files

ls -la /etc/letsencrypt/live/your-domain/
namei -l /etc/letsencrypt/live/your-domain/fullchain.pem

Check FOP2 Configuration

/usr/local/fop2/fop2_server -t

Check FOP2 Logs

tail -f /usr/local/fop2/log/fop2.log

Certificate Types at a Glance

┌─────────────────────────────────────────────────────────────┐
│  RSA Certificate (GOOD)                                     │
│  Public Key Algorithm: rsaEncryption                        │
│  Public-Key: (4096 bit)                                     │
│  Works with FOP2                                            │
└─────────────────────────────────────────────────────────────┘

┌─────────────────────────────────────────────────────────────┐
│  ECDSA Certificate (BAD for FOP2)                           │
│  Public Key Algorithm: id-ecPublicKey                       │
│  Public-Key: (256 bit)                                      │
│  Not supported in FOP2 v2.31.50                             │
└─────────────────────────────────────────────────────────────┘

Additional Notes

FOP2 Users File

Create /usr/local/fop2/fop2-users.cfg:

[admin]
secret=your_secure_password
extension=100
context=from-internal
permit=0.0.0.0/0

Replace the placeholder secret with a strong, unique one, and narrow permit from 0.0.0.0/0 (every source address) to the networks that actually need the panel; the wide-open value is only convenient while you are still debugging the WebSocket.

Manager Configuration

Add to /etc/asterisk/manager.conf:

[fop2]
secret=your_password
deny=0.0.0.0/0.0.0.0
permit=127.0.0.1/255.255.255.255
read = all
write = all

write = all gives this AMI account full control of Asterisk, call origination included, so the deny/permit pair is what keeps it contained. 127.0.0.1 is right only when FOP2 and Asterisk share a network namespace; in a multi-container Docker setup permit the FOP2 container’s address instead, otherwise the login fails even with the correct secret.

Future Support

FOP2 v2.31.50 doesn’t support ECDSA. Future versions might, but for now you need RSA certificates for SSL/WSS to work.

Bottom line: Check your certificate type first when debugging FOP2 SSL issues. It’ll save you hours.


Quick Reference

Check               Command
Certificate type    openssl x509 -in cert.pem -noout -text | grep "Public-Key"
SSL handshake       openssl s_client -connect domain:4445
FOP2 running?       ps aux | grep fop2
Config test         /usr/local/fop2/fop2_server -t
Fix certificate     certbot --key-type rsa --rsa-key-size 4096 ...

Tested on FreePBX 17 + Asterisk 22 in Docker, but applies to any FOP2 installation.

Keywords: FOP2, SSL, WebSocket, RSA, ECDSA, Let’s Encrypt, FreePBX, Asterisk, certificate, wss
