Firewall Module – Improvements in LetsEncrypt certificate management

Hey All,

Just wrote a new blog post on the freepbx.org blog discussing changes to Firewall module to provide better handling of LetsEncrypt certificates. Feel free to read more at:

Best Regards
Kapil


The TL;DR version is that the current edge versions of Certificate Management and Firewall allow LE cert creation and renewal without ANY explicit firewall rules on the PBX. Obviously external firewall/router config is still required.


Anyone that doesn’t use the firewall module (distro and non-distro) needs to hold off on updating.

The current edge cert manager module is broken if the firewall module is not installed.

This is great to see completed, but the blog post verbiage is poorly chosen. That, or the Sangoma team has a poor understanding of Let’s Encrypt.

Calling this a new behavior from Let’s Encrypt is 100% not true. This change was announced 5 years ago. This was even pointed out in the thread on this community back in March.

Then this bit…

Let’s Encrypt has offered DNS based authentication for years now. It is strictly the choice of Sangoma’s team to use an ACME compatible tool that does not offer that option.


Hello,

how is it broken?
I have a new install, and when trying to generate or update a LE certificate I get a PHP error:

“Call to a member function setConfig() on null”

/var/www/html/admin/modules/certman/FirewallAPI.class.php

```php
            // Excerpt as posted: the start of this method and its docblock were cut off.
             * Wait for the Firewall to come up.
             * Time out after 10 seconds at most.
             */
            while ($fw == false && $i < 10){
                $i++;
                // $this->fwobj is null when the Firewall module is not installed
                $fw = $this->fwobj->getConfig("status");
                sleep(1);
            }
            return $fw;
        }
        
        /**
         * fixeLeFilter
         *
         * @return void
         */
        public function fixeLeFilter($status = 'disabled'){
            $adv = $this->getAdvancedSettings();
            $adv["lefilter"] = $status;
            // this is the call that fails with "setConfig() on null"
            $this->fwobj->setConfig("advancedsettings", $adv);
            $this->fwobj->restartFirewall();
        }
    }
```

Can this be related to the not installed Firewall Module?
And how can I generate a certificate without the Firewall module?

I have installed “certman 15.0.25”

Regards

Go back to the stable version, download the current revision from git, or wait for the fix to be pushed to the edge repo.

The updates originally broke functionality if the firewall module was not loaded.

That is fixed in git, but be aware the “auto firewall open” for Let’s Encrypt only works in conjunction with the firewall module.

If you manage your own firewall rules the updates don’t do anything.

See: https://issues.freepbx.org/browse/FREEPBX-21581

Downgrade with:

fwconsole ma downloadinstall certman --stable
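The failure above is the certman module calling methods on a firewall object that is null when the Firewall module is absent. The snippet below is an added illustration, not FreePBX's own code or its actual git fix: it shows the posted pattern beside a guarded form that treats the firewall as optional. FakeFirewall and the `available()` helper are hypothetical stand-ins so the file runs on its own.

```php
<?php
// Hypothetical stand-in for the Firewall module's config object.
class FakeFirewall {
    private array $cfg = ['status' => true, 'advancedsettings' => ['lefilter' => 'enabled']];
    public function getConfig(string $key) { return $this->cfg[$key] ?? null; }
    public function setConfig(string $key, $value): void { $this->cfg[$key] = $value; }
    public function restartFirewall(): void { /* no-op in this illustration */ }
}

class FirewallAPI {
    /** @var ?FakeFirewall null when the Firewall module is not installed */
    private $fwobj;

    public function __construct($fwobj = null) { $this->fwobj = $fwobj; }

    // Hypothetical helper: the cert flow can ask whether firewall automation is possible.
    public function available(): bool { return $this->fwobj !== null; }

    // Unguarded form, as in the posted excerpt: fatal error when $fwobj is null.
    public function fixeLeFilterUnguarded(string $status = 'disabled'): void {
        $adv = $this->fwobj->getConfig('advancedsettings');
        $adv['lefilter'] = $status;
        $this->fwobj->setConfig('advancedsettings', $adv);
        $this->fwobj->restartFirewall();
    }

    // Guarded form: without the module there is nothing to open, so report that
    // and let the caller continue (cert issuance then relies on external rules).
    public function fixeLeFilter(string $status = 'disabled'): bool {
        if (!$this->available()) {
            return false;
        }
        $adv = $this->fwobj->getConfig('advancedsettings') ?? [];
        $adv['lefilter'] = $status;
        $this->fwobj->setConfig('advancedsettings', $adv);
        $this->fwobj->restartFirewall();
        return true;
    }
}

// Constructed scenarios: module installed vs. not installed.
$withModule = new FirewallAPI(new FakeFirewall());
var_dump($withModule->fixeLeFilter('disabled'));   // bool(true)
$noModule = new FirewallAPI(null);
var_dump($noModule->fixeLeFilter('disabled'));     // bool(false), no fatal error
```

Calling `fixeLeFilterUnguarded()` on `$noModule` reproduces the "Call to a member function setConfig() on null" class of error described in the thread.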

Thank you, worked like a charm

