I’m wanting to have a play around with the API in FreePBX 16. I’m trying to get to the documentation but am struggling.
I’m heading to Connectivity > API > Scope Visualizer and ticking the GraphQL Tree
Then going to GraphQL documentation and hitting the “generate Documentation” button but I get an error along the following lines
The command "node /var/www/html/admin/modules/api/node/index.js -e https://<FQDN>/admin/api/api/gql -o /var/www/html/admin/modules/api/docs -x" Authorization: Bearer <BIG LONG KEY> failed. Exit Code: 1 (General error) working directory: var/www/html/admin output: ================ Error Output: ================ [0m [31m ✗ certificate has expired [0m [0m
Clearly this looks like a TLS cert error, the server is running with a lets encrypt cert. I’ve enabled REST/GraphQL on port 2443 and have restarted a couple of times for good measure.
Does anyone have any idea where to start looking to fix this?
Did you redact the FQDN? Or was that the actual command it ran?
The first thing that comes to mind is to make sure your system’s root ca certificates are up to date. This could be the let’s encrypt bug we saw last September. RHEL/CentOS 7 Fix for Let’s Encrypt Change | by Dorai Ashok S A | Dev Genius
yum update ca-certificates
Sorry, I should have made that clear, yes I removed the FQDN, it was correct in the original error.
I have updated everything but will give that update a go just in case the ca-certs package got missed for some reason. (and have a read of the article you linked to!)
No dice there unfortunately. I get “no packages marked for update” so it looks like that’s on top.
As a slight aside I have spun up another VM on v16, installed lets encrypt and get the same problem. If I get chance I’ll try it on a clean install without setting up LE first.
It is yes,
Sangoma Linux release 7.8.2003 (Core)
I’m reading through the article you linked too and;
It says that OpenSSL 1.1.x and newer are not affected. installed version is 1.0.2k-fips dated 26 Jan 2017! That seems really quite old my ubuntu boxes seem to be on a version from 31 Mar 2020 and even that feels like it’s a bit long in the tooth now! (7 releases behind by the looks of it)
ca-certificates is at 2021.2.50 72e17_9 which according to the article is the version that fixes this issue.
grep 'DST Root CA X3' /etc/pki/tls/certs/ca-bundle.crt doesn’t show anything so I think the offending cert is not in the ca-bundle
I don’t think therefore that it is a regression.
I appear to have repro’d this
Are you able to browse graphql docs if you login via http instead of https?
Good catch, Yes, I can confirm that http works as expected.
Just had a look at the issue you opened and I would note that I’m on v16 so it appears to be v15 and v16 that are affected.
I think this will allow me to do what I need to but I’m happy to help work out a fix if you tell me what you need me to do.
I work remotely and only have access through https://
Do you know of a work around?
If you have ssh, you could create a SOCKS tunnel and browse http thru the tunnel. Access Sangoma Phones over VPN - #3 by lgaetz
This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.