LE Certs Won't Change


(Jonathan Anderson) #1

So I’m having issues with the Let’s Encrypt certificates not changing out on the web portal.

I leave my firewall port forward disabled until it’s time to renew. I then turn it back on every 60-ish days, renew the cert manually (with the update cert button), then turn the port forward back off. I’ve been doing this for a couple of years and never had any issues until about 2 months ago.

My certificate is renewed but the PBX won’t change the certificate to the new one; it’s like it’s stuck with the old expired cert. I’ve tried deleting the cert from the GUI, making the self-signed cert the default, recreating a new LE cert and making it the default again. Nothing works; the old one is just stuck there on the web front end.

When you browse to the site it’s using an old cert that I can’t get rid of, and it’s not being replaced with the new one.

I haven’t tried anything from the command line as I don’t even know where to start and don’t want to break anything.


#2

LE renewals are broken.

Clicking “Update Certificate” from the GUI may work.

See “Firewall keep getting disable” and “Some Certificates are Expiring”.

Follow and upvote the ticket at https://issues.freepbx.org/browse/FREEPBX-21683


(Jonathan Anderson) #3

My certificate is renewed. The firewall is not blocking. The internal PBX webserver is not changing the old cert out for the new one.

The renewed Cert


(Jonathan Anderson) #4

The cert set as default


#5

Coincidentally, ‘about two months ago’ Let’s Encrypt stopped sending challenges from any guessable IP.

FreePBX are struggling to fix this; @jerrm claims a fix for HTTP-01 right now, but it’s off the reservation. Personally I would spend an hour setting up DNS-01 rather than waste the hours that everyone seems to be pulling their hair out over (and at some point in time ‘pull your pants down’ unnecessarily), and move to DNS-01, thus never ever having to worry about firewalls or manual updates again, ’cos it’s all done with the collusion of your name service account and your trust in them (and theirs in you :slight_smile: ). (You have a name service, right?)

(Unfortunately, nobody seems to like that solution for whatever reasons, go figure . . . but if there is one person out there who would care to go a little further off the reservation, I will happily join him/her on the journey, brief as it will be)


#6

My preference would be integrated dns-01 as well, but my gut says there is less than a snowball’s chance Sangoma will go that route. Would love to be wrong.

Maybe they’ll consider it after they realize how problematic the current kludge is.


#7

Make sure the firewall is actually running. One manifestation of the renewal bug is that the system is left with the firewall completely disabled.


#8

Happy to work with you to patch your script for DNS-01. There is only a finite number of DNS providers and my guess is 99%+ of our readers are ready to go out of the gate; “reductio ad absurdum”, nailing Vultr, DO, Amazon, Namecheap, Cloudflare, Google, 1&1 and GoDaddy will only leave a very few with “their pants down” and vulnerable every 60 days. No, your certs are blatantly NOT private :wink: think about that . . .


#9

No need for my script with dns-01. Its only purpose is to enable the existing GUI functionality on non-Distro machines.

At this point it’s sort of sad that my bolt-on lewatch.sh non-distro solution works better than the official “integrated” Distro solution.

I’m not sure Sangoma really appreciates the severity of the bug.

It is not just about whether certs get renewed. Their bug crashes the firewall and leaves the system COMPLETELY OPEN!!!

Yet the ticket is still classified as “minor” priority.


#10

The recipe is simple:

clean out /etc/asterisk/keys/*

get a cert by whatever means

put the cert and the key in /etc/asterisk/keys named whatever.csr and whatever.key

fwconsole certificates --updateall
fwconsole certificates --import
fwconsole certificates --default=0
fwconsole r

That should cover Asterisk, FreePBX, TLS, WebRTC and other things set to use /etc/asterisk/keys/integration or /etc/asterisk/keys. I can’t speak for the distro webserver, but possibly that needs to be HUP’ped also.

Getting the certs can then be whatever floats your boat. In your case you did hundreds over a few days on dozens of machines; with DNS-01 that would only need one machine and an appropriate ‘distribution script’, likely rsync or mussh, and your replacement of incron is the perfect place to trigger the update script.

Of course, if you only have one machine, you can do the same locally every <= 90 days.
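For the original poster’s symptom (new cert on disk, old cert still served), the useful check after running the recipe above is to compare what the listener actually presents against the file in /etc/asterisk/keys. The script below is an added example, not from this thread or from FreePBX; it assumes the openssl CLI is installed, and the certificate path, hostname and ports are example values you substitute for your own.

```shell
#!/bin/sh
# Added example (not from the thread or FreePBX): compare the certificate a TLS
# listener actually presents with the certificate file on disk, and check expiry.
# Assumes the openssl CLI is available; host, ports and CERT_FILE are examples.

# SHA-256 fingerprint of a PEM certificate file (colon-separated hex).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# SHA-256 fingerprint of the leaf certificate served on host:port (SNI = host).
served_fingerprint() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Returns 0 if the certificate in FILE will still be valid DAYS days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Compare the on-disk cert with what a listener serves. Returns 0 on match,
# 1 on mismatch (the service is still holding the stale cert and needs a reload).
compare_served_with_file() {
    file_fp=$(cert_fingerprint "$1")
    live_fp=$(served_fingerprint "$2" "$3")
    if [ -n "$file_fp" ] && [ "$file_fp" = "$live_fp" ]; then
        echo "MATCH: $2:$3 serves $1 ($file_fp)"
        return 0
    fi
    echo "MISMATCH on $2:$3: file=$file_fp served=$live_fp (reload the service)"
    return 1
}

# Usage (example values): ./certcheck.sh --run
# Checks the HTTPS and SIP-TLS listeners against the cert placed under /etc/asterisk/keys.
if [ "${1:-}" = "--run" ]; then
    CERT_FILE=${CERT_FILE:-/etc/asterisk/keys/whatever.crt}   # example path, not a FreePBX default
    cert_valid_for_days "$CERT_FILE" 30 || echo "WARNING: $CERT_FILE expires within 30 days"
    compare_served_with_file "$CERT_FILE" pbx.example.com 443
    compare_served_with_file "$CERT_FILE" pbx.example.com 5061
fi
```

A MISMATCH on 443 after the fwconsole steps is the “webserver needs a HUP” case mentioned above; a MISMATCH on 5061 means Asterisk is still serving the old cert to SIP-TLS clients.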


(Jonathan Anderson) #11

I will check this out. I’m pretty sure it’s running but I definitely need to check.

I don’t currently have nameservers that support an API for using dns-01, but I’m planning to switch to one pretty soon. After I do that I’ll be using HAProxy, which will handle all of my certs at the perimeter, so I won’t need this functionality. I agree dns-01 is the way to go and have been planning on this move for some time, but I’ve been on other projects.


#12

May I ask what nameservice you are currently using?

is pretty cheap though and handily does DNS-01


#13

If you service multiple domains, keep in mind that you only need to move or create a single domain at an api supported provider.

If you have multiple clients and move “myutilitydomain.com” to cloudflare, with the magic of cname records “myutilitydomain.com” can handle the automated requests for client1domain.com, client2domain.com, client3domain.biz, mybusinessdomain.com, mypersonaldomain.com, etc.

It’s all pretty easy with acme.sh, just no GUI.

https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mode
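As an added example (not from this thread or the acme.sh project), the script below shows the CNAME delegation the post above describes and a pre-flight check around it: for each client domain it verifies that _acme-challenge.<client domain> really is a CNAME to _acme-challenge.<utility domain> before calling acme.sh in alias mode, so a domain whose record was never published is skipped rather than failing mid-run. It assumes dig and acme.sh are installed; the utility domain, client domains and the dns_cf hook name are example values.

```shell
#!/bin/sh
# Added example (not from the thread or acme.sh): pre-flight check for acme.sh
# DNS alias mode. Assumes dig and acme.sh are installed; the provider hook and
# all domain names below are example values.

UTILITY_DOMAIN=${UTILITY_DOMAIN:-myutilitydomain.com}   # the one domain hosted at the API provider
DNS_HOOK=${DNS_HOOK:-dns_cf}                            # acme.sh provider hook (dns_cf = Cloudflare)

# The CNAME record each client domain must publish for alias mode.
alias_record() {
    echo "_acme-challenge.$1 CNAME _acme-challenge.$2."
}

# Normalise a resolver answer (strip trailing dot, lowercase) so comparisons are exact.
normalise_name() {
    printf '%s\n' "$1" | sed 's/\.$//' | tr 'A-Z' 'a-z'
}

# Returns 0 if ANSWER (a CNAME target as 'dig +short' prints it) points at UTILITY.
delegation_ok() {
    [ "$(normalise_name "$1")" = "_acme-challenge.$2" ]
}

# Live check: query the CNAME for DOMAIN and decide. Returns 0 when delegated.
check_delegation() {
    answer=$(dig +short CNAME "_acme-challenge.$1" | head -n 1)
    delegation_ok "$answer" "$2"
}

# Build the acme.sh invocation for one domain in alias mode
# (--challenge-alias tells acme.sh to write the TXT record under UTILITY instead).
issue_command() {
    echo "acme.sh --issue -d $1 --dns $DNS_HOOK --challenge-alias $2"
}

# Usage: ./acme-alias.sh [--dry-run] client1domain.com client2domain.com ...
main() {
    dry=0
    [ "${1:-}" = "--dry-run" ] && { dry=1; shift; }
    for d in "$@"; do
        if check_delegation "$d" "$UTILITY_DOMAIN"; then
            cmd=$(issue_command "$d" "$UTILITY_DOMAIN")
            if [ "$dry" -eq 1 ]; then echo "would run: $cmd"; else sh -c "$cmd"; fi
        else
            echo "SKIP $d: publish '$(alias_record "$d" "$UTILITY_DOMAIN")' first" >&2
        fi
    done
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Only the utility domain’s API token ever sits on the issuing machine; the client domains need nothing beyond the one CNAME, which is the point of the alias-mode setup the post describes.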


#14

(Be aware that wildcard certs generally won’t work for TLS services like SIPS or WebRTC; well, they work for the TLD but not so much for the subdomains.)


(Jonathan Anderson) #15

I’m currently using Google Domains (not GCP domains). But I will be moving to Azure as that’s where most of our infrastructure is, and it’s only .50 a month. Trying to cut down on things being spread all over, if it makes sense.

That is exactly what I’m planning on doing. We have many domains but not all of them have utilities that need subdomains, but exactly as you said, CNAMEs are very handy for that. I use pfSense at the edge so it will handle everything nicely. I have my home set up with it and it’s great for multi-cert/host proxying.


#16

Cloudflare is much less than .50; wildcards are fine for webby stuff, not so much for securing VoIP.


#17

Didn’t mean to imply wildcard certs. I don’t use them.


#18

Sorry, I reread.


(Jonathan Anderson) #19

Just using it for on-prem users to access their dashboard. No external access. And while there might be cheaper options, IMHO there’s something to be said for managing most of your assets from one location.


#20

That’s fine, 50 cents is 50 cents; replacing http-01 is my aim. The point is most anyone can do DNS-01 for free.