So I’m having issues with the Lets Encrypt certificates not changing out on the web portal.
I Leave my firewall port forward disabled until it’s time to renew. I then turn it back on every 60ish days, renew the cert manually(with the update cert button) then turn the port forward back off. I’ve been doing this for a couple years and never had any issues until about 2 months ago.
My certificate is renewed but the pbx won’t change the certificate to the new one and it’s like it’s stuck with the old expired cert. I’ve tried deleting the cert from the gui, making the self signed cert the default, recreating a new LE cert and making it back as default. Nothing works, the old one is just stuck there on the web front end.
When you browse to the site it’s using an old cert that I can’t get rid of and it’s not replacing with the new one.
I haven’t tried anything from cmd as I don’t even know where to start and don’t want to break anything.
Coincidentally, ‘about two months ago’ LetsEncrypt no longer sends challenges from any guessable IP.
FreePBX are struggling to fix this, @jerrm claims a fix for HTTP-01 right now but it’s off the reservation. Personally I would spend an hour setting up DNS-01 rather than waste the hours that everyone seems to be pulling their hair out and at some point in time ‘pull your pants down’ unnecessarily, and move to DNS-01 thusly never ever have to worry about firewalls or manual updates again cos it’s all done with the collusion of your name service account and your trust in them (and theirs in you ) ( you have a name service, right? )
(Unfortunately, nobody seems to like that solution for whatever reasons, go figure . . . but if there is one person out there who would care to go a little further off the reservation, I will happily join him/her on the journey, brief as it will be)
My preference would be integrated dns-01 as well, but my gut says there is less than a snowball’s chance Sangoma will go that route. Would love to be wrong.
Maybe they’ll consider it after they realize how problematic the current kludge is.
Happy to work with you to patch your script for DNS-01, there is only a finite number of DNS providers and my guess 99% + of our readers are ready go out of the gate, “reductio ad absurdum” , nail vultr,DO,Amazon,namecheap,cloudflare, google,1&1,godaddy will only leave a very few with “their pants down” and vulnerable every 60 days, no your certs are blatently NOT private think about that . . .
put the cert and the key in /etc/asterisk/keys named whatever.csr and whatever.key
fwconsole certificates updateall
fwconsole certificates import
fwconsole --default=0
fwconsole r
should cover Asterisk, FreePBX , tls, webrtc and other things set to use /etc/asterisk/keys/integration or /etc/asterisk/keys , I can’t speak for the distro webserver but possibly that needs to be HUP’ped also
Getting the certs can then be whatever floats your boat, in your case you did hundreds over a few days on dozens of machines, with DNS-01, that would only need one machine and an appropriate ‘distribution script’ likely rsync or mussh and your replacement of incron, perfect place to trigger the update script
Of course if you only have one machine , you can do the same locally every <= 90 days
I will check this out. I’m pretty sure it’s running but I definitely need to check.
I don’t currently have Nameservers that support an api for using dns-01 but I’m planning to switch to one pretty soon. After I do that I’ll be using ha proxy that will handle all of my cert’s at the perimeter so I won’t need this functionality. I agree dns-01 is the way to go and have been planning on this move for some time but I’ve been on other projects.
I’m currently using google domains(not gcp domains). But will be moving to azure as that’s where most of out infrastructure is at and it’s on .50 a month. Trying to cut down on things being spread all over, if it makes sense.
That is exactly what I’m planning on doing. We have many domains but not all of them have utilities that need subdomains, but exactly as you said cnames are very handy for that. I use pfsense at the edge so it will handle everything nicely. Have my home set up with it and it’s great for multi cert\host proxying.
Just using it for on prem user’s to access their dashboard. No external access. And while there might be cheaper options, imho there’s something to be said for managing most of your assets from one location.
) ( you have a name service, right? )
think about that . . .