I’ll admit that my config might be screwed. This is our PBX and I often test things out on it more than I should, instead of spinning up a test system.
So someone take a look and tell me what I may have done wrong.
Got the email saying cert failed to renew.
Assuming your certman and firewall modules are up to date, then there is only one specific firewall config required. The firewall advanced setting, “Responsive LetsEncrypt Rules” must be enabled. If it is then the firewall temporarily allows inbound LE token requests on port 80 while the LE cert renewal is in progress. Obviously any external firewalls must also be configured to pass port 80 traffic.
Pretty much always. and always before I post an issue.
And it was not. I never changed this, and the system has been upgraded over time from FreePBX 14. SO it was disabled by default when the setting was added.
Just confirmed that the default setting is enabled on a new firewall module install, is it possible you disabled the setting yourself, possibly long before it was hooked automatically by certman?
When I submitted the pull request for my le rule changes to replace the version that was crashing the firewall, I didn’t give an option to enable or disable le rules (they were always enabled).
There were some comments from QA about not being able to disable them, so I reworked into what you now see. I’m pretty happy with current structure. It gives the end user control over what the firewall actually does and removes some naive assumptions about port usage of the original Sangoma approach.
A mistake was using the existing lerules db flag for the new “responsive le rules”. The original Sangoma le rules had the option disabled by default. I changed the flag to enabled by default, but folks that upgraded the firewall during the period the original Sangoma lerules were in the wild, and did not enable the original le rules setting may find the new “responsive lerules” disabled.
I should have created a new db setting that wouldn’t have been inherited at all. If you dig through the tickets and commit comments, I’m pretty sure I brought the potential issue up, but didn’t make a fuss about it.
Most all the work was on the firewall side of the fence. I didn’t do anything with the messaging in certman itself, but adding a warning that the responsive lerules are disable makes sense.
Thanks @jerrm, that explains the change. The current defaults are correct, but will cause confusion in the near term. I have a ticket open now to get the GUI check back and ensure a warning is displayed in Certman if you’re using LE certs and the advanced setting is disabled.
Nothing to get back, AFAIK there was never a check. Make it a public ticket - no promises, but now that it annoys me, a PR may show up if it’s a boring TV night.
Going back through git, I see the prior warnings - they had been removed before I started making changes.
I can restore something similar, but there are valid configs that would be OK without lerules enabled. I’m a UI minimalist and cringe at a having an invalid warning up all the time.
Now that the GUI LE output is readable, I would lean toward adding more descriptive suggestions upon failure, something like showing any or all of the following as appropriate if the update fails:
Internet zone access is not enabled for the LetsEncrypt service. Enabling Responsive LetsEncrypt Rules is recommended at Firewall->Advanced Settings.
Responsive LetsEncrypt Rules are not enabled. Responsive LetsEncrypt Rules can be enabled at Firewall->Advanced Settings.
LetsEncrypt will always send challenge queries to port 80, but no http service is listening on port 80. FreePBX http services are currently listening on ports 81, 84, 8080. Certificate requests will fail unless an up stream firewall or proxy redirects port 80 to a listening http port.
Stayed at home babysitting the past couple of days and hacked at this. Just posted a PR on the above ticket. Added comments and screen shots to the ticket.
Take a look and tear it apart. Still not entirely happy with some of the text, but think it’s good enough.
You don’t have to dedicate port 80 to LE renewal (and never had to), but you must have some apache service using 80. I know that admin and UCP work for sue, and I suspect the others work as well but don’t recall ever testing.
Then I think that is something that needs tweaked. Honestly the entire LE line in sysadmin should go away and the responsive rule should handle it all. including adding something for port 80 if there is nothing.
The rules only open the port in the firewall. There has to be something actually listening on the port to respond.
As @lgaetz said, that something has to be one of the apache http services. Technically it doesn’t have to be port 80, but if it isn’t you have to make sure the external firewall/proxy is forwarding port 80 to the listening port and there will need to be an outbound forwarding rule set up on the FreePBX box as well.
I think the error message should be reasonably clear at this point, but let me know if any suggestions to help clarify.
But then what to do if you don’t use the firewall module? Or what to do if you have another non-FreePBX service on port 80?
Too much auto-magic is bad. I’d rather not have arbitrary limits set for what I can do.
I just ran “fwconsole firewall lerules enable” on the command line and boom, certificates renew. I have been dealing with this for a LONG TIME until just now.