Error when updating LetsEncrypt cert


#1

I’m receiving this error when trying to update my LetsEncrypt certificate:

There was an error updating the certificate: Operation timed out after 30001 milliseconds with 0 out of -1 bytes received

I have port 80 forwarded to my PBX in my router. I also disabled my router firewall and my PBX firewall to troubleshoot. Neither solved the problem. Has anyone else run into this?


#2

Update to current edge firewall/certman and report back:

fwconsole ma upgrade certman firewall --edge

(Shahin Nazir) #3

Hi @Bradbpw
You don’t need to disable the PBX Firewall. You just need to check some steps and allow the ports in the PBX Firewall.
1- Admin --> System Admin --> Port Management --> LE Port change Enable it to 80 --> PBX GUI Port HTTP(S) Enable HTTP-8080 and HTTPS-443
2- Connectivity --> Firewall --> Services --> Extra Services --> Let’s Encrypt Select --> Internet / Local and Other --> Save and Apply
3- Follow @jerrm steps.

Thanks.

Shahin


#4

I updated but it did not solve the problem.

[root@freepbx ~]# fwconsole ma upgrade certman firewall --edge
Edge repository temporarily enabled
No repos specified, using: [standard,extended,commercial,unsupported] from last GUI settings

certman is the same as the online version, unable to upgrade
Downloading module ‘firewall’
Processing firewall
Downloading…
349477/349477 [============================] 100%
Finished downloading
Extracting…Done
Download completed in 1 seconds
Generating CSS…Done
Module firewall version 13.0.60.15 successfully installed
Updating Hooks…Done
Updating Hooks…Done
Resetting temporarily repository state

I just disable the firewall to troubleshoot.

  • I have port 80 open for LE in port management
  • in the firewall services I have Internet/Local/Other enabled under LE

I’m still getting the same error.


(Shahin Nazir) #5

Hi @Bradbpw
Please try to check your FQDN name from the WAN leg. You must see your router’s public IP address.

dig fqdn_name.com

Then you need to redirect port 80 (port forward or NAT) from the router firewall --> to --> the PBX internal IP.
I think your router firewall is going to block the LE IP addresses (outbound1.letsencrypt.org and outbound1.letsencrypt.org).

Thanks.

Shahin


#6

Here is the output. I do not see my router’s public IP address.

[root@freepbx ~]# dig fqdn_name.com

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.6 <<>> fqdn_name.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 21629
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;fqdn_name.com. IN A

;; AUTHORITY SECTION:
com. 899 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1602515032 1800 900 604800 86400

;; Query time: 72 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Oct 12 10:04:13 CDT 2020
;; MSG SIZE rcvd: 115

I have port 80 forwarded in my router to my PBX

I tried disabling my router firewall altogether and still received the same error.


(Shahin Nazir) #7

May I ask your PBX or LE FQDN name please?
Thanks.


(Shahin Nazir) #8

@Bradbpw please check, just in case, the wiki page below.
https://wiki.sangoma.com/display/FPG/Certificate+Management+User+Guide


#9

I just realized that I was supposed to put my FQDN in the “dig fqdn_name.com” command. Duh. When I do that I can see my router public IP address. I’d rather not post my FQDN on a public forum if I can avoid it.

I have LE and Sangoma mirror services in my PBX firewall as “trusted (excluded from firewall)”.

When I use an open port check tool it shows that my port 80 is closed. But it also shows that port 921 is closed and that’s my admin/GUI port and it’s definitely open. This has also been working fine for me for several years, I can’t recall that anything has changed in my network setup.


(Shahin Nazir) #10

No Problem, I think now you should ENABLE FreePBX Firewall and add some changes on it.
1st - PBX Firewall check outbound1.letsencrypt.org on the list


2nd - Check On Firewall --> Services --> Lets Encrypt Enable


#11

What is forwarded and allowed through the gateway router?

LetsEncrypt queries can now come from anywhere on the internet. Specifying just the two “outbound” servers is no longer adequate.

The router needs to forward port 80 for the entire internet.


#12

I changed the firewall settings so the mirrors were “Local (Local Trusted Traffic)”. These were previously “trusted (excluded from firewall)”

I also updated my firewall services to what you showed.

I’m still getting the same error

My ISP is Mediacom. The signal comes in through a Technicolor DOCSIS 3.1 gateway; that firewall is turned off. It then goes to my Asus RT-AC1750_B1 router, and I have port 80 forwarded on the router to my PBX. It should forward all TCP traffic.


#13

These entries are pointless now. Access to the entire web is required.

Is the LetsEncrypt service enabled under SysAdmin? Post the output of:

fwconsole sa ports

(Shahin Nazir) #14

@Bradbpw
Please check my screenshot, which is the one @jerrm mentioned before.
Also please check that your PBX hostname is the same as the FQDN name. If not, Let’s Encrypt doesn’t work. First you need to fix your PBX hostname.

Thanks.

Shahin


#15

I do have 80 open for LE

[root@pbx ~]# fwconsole sa ports
+----------+-------------+
| Port     | Name        |
+----------+-------------+
| 88       | restapps    |
| 96       | restapi     |
| 81       | ucp         |
| 921      | acp         |
| 84       | hpro        |
| 80       | leport      |
| disabled | sslrestapps |
| disabled | sslrestapi  |
| 4443     | sslucp      |
| 443      | sslacp      |
| 1443     | sslhpro     |
+----------+-------------+

I did not have my hostname in System Admin > Hostname set the same as my LE cert. But I changed it to match the LE cert, rebooted the PBX and I’m still getting the error.

It does look like I’m having some issue with port 80.

[root@pbx ~]# dig pbx.mydomain.com

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.6 <<>> pbx.mydomain.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56446
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;pbx.mydomain.com. IN A

;; ANSWER SECTION:
pbx.mydomain.com. 0 IN A 127.0.0.1

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Oct 12 13:15:24 CDT 2020
;; MSG SIZE rcvd: 69

[root@pbx ~]# telnet pbx.mydomain.com 80
Trying ::1…
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1…
Connected to pbx.mydomain.com.
Escape character is ‘^]’.
Connection closed by foreign host.
[root@pbx ~]#


#16

Welp! I’m an idiot! I “fat fingered” the PBX IP address in my router when I forwarded port 80. I entered 192.138.x.xxx. It should have been 192.168.x.xxx. That fixed it.

I really appreciate all the help you guys gave me!


#17

Be sure to close all the cracks opened up in testing for admin and letsencrypt…

Assuming you are using the latest edge versions of certman and firewall, NOTHING needs to be enabled on the services page for LetsEncrypt. The pinhole will be automatically opened up during an update request and closed when it completes.


#18

Thanks! Just to confirm, can I delete all 4 of these entries?


#19

Yes.

To test cert updates after tightening things down, run:

fwconsole certificates --updateall --force

If you successfully run the command too many times (4+), the LetsEncrypt server rate limits will temporarily block the cert renewal, but the error message makes it clear what’s happening. It’s mostly harmless: the existing certs continue to work and you can still request certs for new FQDNs.


#20

Thanks! I made the changes and confirmed everything still works.