FreePBX UK Documentation • Last Updated 10th May 2026
Every FreePBX UK instance is built from a tested snapshot image and then hardened, personalised, and secured automatically before access is provided. The entire process takes around seven minutes and requires no manual intervention. Here is exactly what happens.
Provisioning completes in stages. While early access is available, the system may still be initialising and is not guaranteed to be in a fully stable state until validation completes.
Each instance is built through a controlled, repeatable provisioning pipeline. The steps below describe the exact lifecycle from initial image creation to final delivery. Nothing is concealed.
Snapshot
Image Preparation
✓
Base ImageA fresh Debian 12 droplet is provisioned on DigitalOcean and FreePBX 17 with Asterisk 22 is installed using IN1CLICK 1.3.2 by 20tele.com.
This is the foundation image that all customer instances are cloned from.
✓
IN1CLICK Pre-FlightBefore installation, IN1CLICK runs over 20 automated checks covering OS version, architecture, memory, disk space, hostname, existing services, APT sources, and network connectivity.
Blocks Debian 13 (trixie) upgrades, fixes non-official APT mirrors, removes provider mirror lists, and stops unattended-upgrades to prevent lock conflicts.
✓
Mirror GateIN1CLICK verifies FreePBX module mirrors and deb.freepbx.org are stable with 3 consecutive health checks via mirrors.in1.click before proceeding.
Prevents failed installs caused by unstable or degraded Sangoma mirrors. Includes Saturday busy period warnings.
✓
FreePBX InstallFreePBX 17 is installed using the official Sangoma installer, followed by a full module upgrade and reload.
Includes Ctrl+C trap for clean failure handling, APT lock wait checks, and screen session support for SSH resilience during install.
✓
Apache and GUIApache modules are enabled, FreePBX site config activated, root redirect to /admin/ added, and the setup page is verified with up to 3 retries.
Includes ionCube Loader error detection and automatic reconfiguration if the default Apache page is served instead.
✓
IN1CLICK Self-CleanupThe installer removes itself from disk after completion, scanning common paths and the full filesystem for stray copies.
Asterisk logs and system mail are cleared. Bash history is wiped. No trace of the installation script remains.
✓
Locale and TimezoneSystem locale is set to en_GB.UTF-8 and timezone to Europe/London.
Ensures dates, times, and character encoding are correct for UK operations.
✓
SwapA swap file is created and enabled permanently, sized to the instance tier.
1GB for Nano², 2GB for Micro⁴, 4GB for Macro⁸, 8GB for Mega¹⁶. Prevents out-of-memory crashes during peak call volume.
✓
FirewallThe FreePBX firewall is configured with my-console.freepbxhosting.uk added to the internal trusted zone.
Allows FreePBX UK management access through the firewall from the console server.
✓
DatabaseStale FreePBX notifications are cleared from the database.
Removes old notification entries so the customer starts with a clean dashboard.
✓
Permissions and ReloadFile ownership is reset with fwconsole chown, configuration is reloaded, and FreePBX is restarted.
Ensures every file has the correct permissions and all services are running cleanly before the snapshot.
✓
Log PurgeAll system logs, journal entries, Asterisk logs, and temporary files are purged.
The snapshot is completely clean. No build history, no stale logs, no temporary files.
✓
ShutdownBash history is cleared and the server is powered off cleanly before the snapshot is taken.
The snapshot captures a pristine, powered-down state ready for cloning.
✓
UpdatesSnapshots are rebuilt on a weekly basis with the latest Debian system packages and FreePBX module updates.
Every new instance starts with current security patches and module versions. No day-one updates required.
Boot 1
Server Creation and Hardening
✓
NetworkCloud network management is disabled and DNS resolvers are set to Cloudflare and Google (IPv4 and IPv6).
Prevents the hosting provider from overwriting your network settings on future boots. resolv.conf is rebuilt directly and cloud-init network management is locked out permanently via 99-disable-network-config.cfg.
✓
HostnameYour server is assigned a unique .freepbxhosting.uk hostname.
Used for reverse DNS, mail headers, and system identification.
✓
SSHRoot password login is disabled. Only SSH key authentication is permitted.
The root password is replaced with a 32-byte cryptographic random string that nobody knows.
✓
Mail RelayA temporary outbound mail relay is configured so the server can send its provisioning report.
Uses SMTP2GO on port 2525 with TLS encryption and SASL authentication. Removed after use.
✓
needrestartThe needrestart utility is installed so you can identify which services require a restart after future updates.
Run needrestart at any time to see if any running processes are using outdated libraries following a manual apt upgrade.
✓
Auto Security UpdatesDebian security patches will apply automatically. General Debian updates, FreePBX, and Asterisk are excluded.
Configured via /etc/apt/apt.conf.d/52unattended-upgrades-freepbxuk. Security-only origins, no automatic reboot, freepbx17 and asterisk* explicitly blacklisted. You retain full control over manual apt upgrades and FreePBX module updates.
✓
ServicesPost-boot services are registered to handle FreePBX restart, credential rotation, and reporting.
Two systemd oneshot services are enabled: freepbxUK-once and provisioning-report.
✓
RebootThe server reboots to apply all changes cleanly.
All hardening changes applied in Boot 1 take full effect from a clean start. Boot 2 begins immediately on restart.
Boot 2
FreePBX Restart and Credential Rotation
✓
StabilisationThe server waits 120 seconds for all FreePBX services to fully initialise after the snapshot restore.
Snapshot-based deployments need time for PM2, Asterisk, and the database to settle.
✓
FreePBX RestartFreePBX is stopped, started, and reloaded to properly register all PM2 services.
This fixes a known issue where RestApps and UCP fail to register with PM2 after a snapshot restore.
✓
AMI CredentialsThe Asterisk Manager Interface username and password are randomised.
15-character alphanumeric username, 30-character alphanumeric password. Set via fwconsole setting so all config files are updated consistently.
✓
ARI CredentialsThe Asterisk REST Interface username and password are randomised.
ARI is exposed via HTTP and is the most security-critical interface to protect. Each instance gets unique credentials.
✓
Database CredentialsThe FreePBX database user password is randomised and written back into /etc/freepbx.conf.
A 24-byte base64 password is generated via openssl rand, applied to the freepbxuser MySQL account, and the new value is patched directly into freepbx.conf. A live connection test confirms FreePBX can authenticate before provisioning continues. If the test fails, the script exits immediately rather than continuing with a broken system — a hard fail-safe at the most critical point in provisioning.
✓
Module SecretsAll internal AMI module secrets are regenerated in the database.
Seven manager entries (CDRPro, SangomaRTAPI, BrowserPhone, ASTState, Realtime, QueueEvents, AMIDefault) receive unique SHA1 hashes. The firewall entry is preserved.
✓
TimezoneThe FreePBX timezone is set to Europe/London and the PHP ini is updated to match.
Sets PHPTIMEZONE via fwconsole and writes date.timezone to the Apache and CLI PHP ini files using the exact format the SysAdmin module expects. Ensures CDR timestamps, the SysAdmin GUI clock, and all PHP date functions display correct local time including automatic BST/GMT switching. Apache is restarted to pick up the PHP change.
✓
Config Rebuildfwconsole reload regenerates manager.conf, manager_additional.conf, and extensions_additional.conf.
All configuration files are rebuilt from the new credentials. Nothing is left pointing at the old defaults.
✓
RebootThe server reboots so FreePBX starts fresh with the new credentials.
This ensures zero PM2 restart errors and a clean service state.
Boot 3
Verification, Reporting, and Cleanup
✓
Service CheckAll core services are verified: Asterisk, MySQL, Apache, Fail2Ban, Firewall, Postfix, RestApps, UCP.
The report probes Asterisk every 2 seconds until it confirms a connection, then proceeds immediately.
✓
Provisioning EmailA status report is emailed to FreePBX UK confirming the instance is online and all services are running.
Sent from [email protected] via SMTP2GO relay. Includes hostname, IP, individual service status, and PM2 restart count. Also includes a second-accurate provisioning timeline: Boot 2 online, FreePBX stop/start/reload, AMI and ARI credential change, config rebuild, reboot, Boot 3 online, FreePBX started, services verified, and email sent. Every step is timestamped from the journal.
✓
SMTP CleanupThe temporary SMTP2GO relay configuration is removed from Postfix.
relayhost cleared, sasl_passwd and sasl_passwd.db deleted, all SASL options removed.
✓
Cloud-Init CleanupAll cloud-init traces are removed so no provisioning data remains on disk.
The entire cloud instance directory is removed along with user-data.txt, cloud-config.txt, obj.pkl, runcmd scripts, and cloud-init logs.
✓
Mail CleanupMailboxes, mail logs, and the mail queue are purged.
No record of the provisioning email remains on the server.
✓
Script CleanupAll provisioning scripts and systemd unit files delete themselves. Bash history is cleared.
provisioning-ami.sh, provisioning-report.sh, provisioning-cleanup.sh, freepbxUK-once.service, and provisioning-report.service are all removed. Syslog, kern.log, Asterisk logs, and journald entries referencing provisioning are scrubbed, including rotated and compressed log files. The journal is rotated and vacuumed.
Result
What the Customer Receives
✓
A fully operational FreePBX 17 instance on Asterisk 22, Debian 12.
✓
Unique AMI and ARI credentials. No two instances share the same passwords.
✓
SSH hardened with key-only access and a randomised root password.
✓
All PM2 services online with zero restart errors.
✓
Timezone correctly set to Europe/London across the OS, FreePBX, and PHP.
✓
No provisioning scripts, credentials, or setup traces left on the server.
✓
A clean, production-ready system with nothing to configure before use.
Verify
No Trace
✓
We invite you to verify this yourself. Run the following as root on any fresh instance to confirm that no provisioning scripts, credentials, cloud-init data, log entries, or systemd services remain. The check scans the full filesystem and journal — if provisioning has done its job, every item passes.
bash -c 'PASS=0;FAIL=0; GREEN="\033[0;32m"; RED="\033[0;31m"; NC="\033[0m"; p(){ echo -e "${GREEN}[OK]${NC} $1"; PASS=$((PASS+1)); }; f(){ echo -e "${RED}[ISSUE]${NC} $1"; FAIL=$((FAIL+1)); }; echo ""; echo "FreePBX Provisioning Verification"; echo "----------------------------------"; echo "This check confirms your server is clean and no setup artefacts remain."; echo ""; echo "System cleanup:"; [ ! -f /root/provisioning-ami.sh ] && p "Setup scripts removed" || f "Setup script still present"; [ ! -f /root/provisioning-report.sh ] && p "Reporting scripts removed" || f "Reporting script still present"; [ ! -f /root/provisioning-cleanup.sh ] && p "Cleanup process completed" || f "Cleanup script still present"; echo ""; echo "Background services:"; systemctl list-unit-files 2>/dev/null | grep -q freepbxUK-once && f "Setup service still exists" || p "No setup services remain"; systemctl list-unit-files 2>/dev/null | grep -q provisioning-report && f "Reporting service still exists" || p "No reporting services remain"; echo ""; echo "Cloud provisioning data:"; [ ! -d /var/lib/cloud/instance ] && p "Instance data removed" || f "Instance data still present"; [ ! -d /var/tmp/cloud-init ] && p "Temporary cloud files removed" || f "Temporary cloud files still present"; echo ""; echo "Mail configuration:"; postconf relayhost 2>/dev/null | grep -qE "relayhost = *$" && p "Mail relay cleared" || f "Mail relay still configured"; [ ! -f /etc/postfix/sasl_passwd ] && p "No stored mail credentials remain" || f "Mail credentials file still exists"; echo ""; echo "Timezone:"; fwconsole setting PHPTIMEZONE 2>/dev/null | grep -q "Europe/London" && p "PHPTIMEZONE set to Europe/London" || f "PHPTIMEZONE not set correctly"; grep -q "date.timezone = \"Europe/London\"" /etc/php/*/apache2/php.ini 2>/dev/null && p "PHP ini timezone correct" || f "PHP ini timezone not set correctly"; timedatectl | grep -q "Europe/London" && p "OS timezone set to Europe/London" || f "OS timezone not set correctly"; echo ""; echo "Logs and traces:"; grep -qi freepbxUK /var/log/cloud-init.log 2>/dev/null && f "Provisioning references found in cloud-init log" || p "No provisioning references in cloud-init log"; grep -qi freepbxUK /var/log/cloud-init-output.log 2>/dev/null && f "Provisioning references found in cloud-init output log" || p "No provisioning references in cloud-init output log"; echo ""; echo "Filesystem scan (full disk):"; echo "Searching for: freepbxUK, my-droplet, provisioning-(ami.sh, report.sh, cleanup.sh)"; SP="/-\\|"; i=0; (grep -RIlE "freepbxUK|my-droplet|provisioning-(ami\.sh|report\.sh|cleanup\.sh)" / --exclude-dir=proc --exclude-dir=sys --exclude-dir=dev --exclude-dir=run --exclude-dir=/var/lib/apt/lists 2>/dev/null > /tmp/.prov_scan & PID=$!; while kill -0 $PID 2>/dev/null; do i=$(( (i+1) %4 )); printf "\rScanning... %s" "${SP:$i:1}"; sleep 0.2; done; wait $PID); echo ""; if [ -s /tmp/.prov_scan ]; then f "Provisioning artefacts found on disk"; head -n 10 /tmp/.prov_scan; else p "No provisioning artefacts found on disk"; fi; rm -f /tmp/.prov_scan; echo ""; echo "Journal scan:"; journalctl 2>/dev/null | grep -qiE "freepbxUK|my-droplet|provisioning-(ami\.sh|report\.sh|cleanup\.sh)" && f "Provisioning references found in journal" || p "No provisioning references in journal"; echo ""; echo "Boot history:"; BOOT_COUNT=$(journalctl --list-boots 2>/dev/null | wc -l); [ "$BOOT_COUNT" -ge 2 ] && p "Multiple boot cycles detected ($BOOT_COUNT boots)" || f "Expected multiple boot cycles, found only $BOOT_COUNT"; echo ""; echo "Core services:"; asterisk -rx "core show version" >/dev/null 2>&1 && p "Asterisk running" || f "Asterisk not running"; systemctl is-active mariadb >/dev/null 2>&1 && p "MariaDB running" || f "MariaDB not running"; systemctl is-active apache2 >/dev/null 2>&1 && p "Web server running" || f "Web server not running"; systemctl is-active fail2ban >/dev/null 2>&1 && p "Fail2Ban active" || f "Fail2Ban not running"; echo ""; echo "----------------------------------"; if [ "$FAIL" -eq 0 ]; then echo -e "${GREEN}[OK] All checks passed. Your server is clean and fully provisioned.${NC}"; else echo -e "${RED}[ISSUE] Some checks failed. Review the items above.${NC}"; fi; echo ""'Sample output:
root@my-droplet:~# bash -c '...' FreePBX Provisioning Verification ---------------------------------- This check confirms your server is clean and no setup artefacts remain. System cleanup: [OK] Setup scripts removed [OK] Reporting scripts removed [OK] Cleanup process completed Background services: [OK] No setup services remain [OK] No reporting services remain Cloud provisioning data: [OK] Instance data removed [OK] Temporary cloud files removed Mail configuration: [OK] Mail relay cleared [OK] No stored mail credentials remain Timezone: [OK] PHPTIMEZONE set to Europe/London [OK] PHP ini timezone correct [OK] OS timezone set to Europe/London Logs and traces: [OK] No provisioning references in cloud-init log [OK] No provisioning references in cloud-init output log Filesystem scan (full disk): Searching for: freepbxUK, my-droplet, provisioning-(ami.sh, report.sh, cleanup.sh) [OK] No provisioning artefacts found on disk Journal scan: [OK] No provisioning references in journal Boot history: [OK] Multiple boot cycles detected (2 boots) Core services: [OK] Asterisk running [OK] MariaDB running [OK] Web server running [OK] Fail2Ban active ---------------------------------- [OK] All checks passed. Your server is clean and fully provisioned. root@my-droplet:~#
FreePBX UK is the UK's only Official FreePBX® Partner, powered by DigitalOcean. Prices shown exclude VAT.