I’m wanting to have a play around with the API in FreePBX 16. I’m trying to get to the documentation but am struggling.
I’m heading to Connectivity > API > Scope Visualizer and ticking the GraphQL Tree
Then going to GraphQL documentation and hitting the “generate Documentation” button but I get an error along the following lines
The command "node /var/www/html/admin/modules/api/node/index.js -e https://<FQDN>/admin/api/api/gql -o /var/www/html/admin/modules/api/docs -x" Authorization: Bearer <BIG LONG KEY> failed. Exit Code: 1 (General error) working directory: var/www/html/admin output: ================ Error Output: ================ [0m [31m ✗ certificate has expired [0m [0m
File:/var/www/html/admin/libraries/Composer/vendor/symfony/process/Process.php:235
Clearly this looks like a TLS cert error, the server is running with a lets encrypt cert. I’ve enabled REST/GraphQL on port 2443 and have restarted a couple of times for good measure.
Does anyone have any idea where to start looking to fix this?
Sorry, I should have made that clear, yes I removed the FQDN, it was correct in the original error.
I have updated everything but will give that update a go just in case the ca-certs package got missed for some reason. (and have a read of the article you linked to!)
No dice there unfortunately. I get “no packages marked for update” so it looks like that’s on top.
As a slight aside I have spun up another VM on v16, installed lets encrypt and get the same problem. If I get chance I’ll try it on a clean install without setting up LE first.
I’m reading through the article you linked too and;
It says that OpenSSL 1.1.x and newer are not affected. installed version is 1.0.2k-fips dated 26 Jan 2017! That seems really quite old my ubuntu boxes seem to be on a version from 31 Mar 2020 and even that feels like it’s a bit long in the tooth now! (7 releases behind by the looks of it)
ca-certificates is at 2021.2.50 72e17_9 which according to the article is the version that fixes this issue.
grep 'DST Root CA X3' /etc/pki/tls/certs/ca-bundle.crt doesn’t show anything so I think the offending cert is not in the ca-bundle