GraphQL Documentation generation showing an error

Hi All,

I’m wanting to have a play around with the API in FreePBX 16. I’m trying to get to the documentation but am struggling.

I’m heading to Connectivity > API > Scope Visualizer and ticking the GraphQL Tree, then going to GraphQL documentation and hitting the “generate Documentation” button, but I get an error along the following lines:

The command "node /var/www/html/admin/modules/api/node/index.js -e https://<FQDN>/admin/api/api/gql -o /var/www/html/admin/modules/api/docs -x" Authorization: Bearer <BIG LONG KEY> failed.
Exit Code: 1 (General error)
working directory: var/www/html/admin
output:
================
Error Output:
================
✗ certificate has expired
File:/var/www/html/admin/libraries/Composer/vendor/symfony/process/Process.php:235

Clearly this looks like a TLS cert error; the server is running with a Let’s Encrypt cert. I’ve enabled REST/GraphQL on port 2443 and have restarted a couple of times for good measure.

Does anyone have any idea where to start looking to fix this?

Did you redact the FQDN? Or was that the actual command it ran?


The first thing that comes to mind is to make sure your system’s root CA certificates are up to date. This could be the Let’s Encrypt bug we saw last September. RHEL/CentOS 7 Fix for Let’s Encrypt Change | by Dorai Ashok S A | Dev Genius

yum update ca-certificates

Sorry, I should have made that clear. Yes, I removed the FQDN; it was correct in the original error.

I have updated everything but will give that update a go just in case the ca-certs package got missed for some reason. (and have a read of the article you linked to!)

No dice there unfortunately. I get “no packages marked for update” so it looks like that’s on top.

As a slight aside, I have spun up another VM on v16, installed Let’s Encrypt and get the same problem. If I get a chance I’ll try it on a clean install without setting up LE first.

Is this SNG7?

It is, yes:

cat /etc/system-release;
Sangoma Linux release 7.8.2003 (Core)

I’m reading through the article you linked to, and:

It says that OpenSSL 1.1.x and newer are not affected. The installed version is 1.0.2k-fips dated 26 Jan 2017! That seems really quite old; my Ubuntu boxes seem to be on a version from 31 Mar 2020, and even that feels like it’s a bit long in the tooth now! (7 releases behind by the looks of it)

ca-certificates is at 2021.2.50 72e17_9 which according to the article is the version that fixes this issue.

grep 'DST Root CA X3' /etc/pki/tls/certs/ca-bundle.crt doesn’t show anything, so I think the offending cert is not in the ca-bundle.

I don’t think therefore that it is a regression.

I appear to have repro’d this
https://issues.freepbx.org/browse/FREEPBX-23336

Are you able to browse graphql docs if you login via http instead of https?

Hey Lorne,

Good catch. Yes, I can confirm that http works as expected.

Just had a look at the issue you opened, and I would note that I’m on v16, so it appears to be v15 and v16 that are affected.

I think this will allow me to do what I need to but I’m happy to help work out a fix if you tell me what you need me to do.


I work remotely and only have access through https://

Do you know of a workaround?

If you have ssh, you could create a SOCKS tunnel and browse http thru the tunnel. Access Sangoma Phones over VPN - #3 by lgaetz
