Let's Encrypt - Can't generate new cert, ACME v1 EOL per LE

configuration

(B. Martinez) #1

I spun up a new fpbx 15 server today, during setup of SSL via LE it kept failing. Banged my head on the wall for awhile and even reloaded from scratch again, still no dice.

Found out the reason is because fpbx is using ACME v1 which is EOL. They shut off the v1 registration servers today. They will turn back on tomorrow, then permanently off on Nov 8. ALSO, Renewals of all existing certs will no longer function June 1 2021 unless using ACME v2.

Is there an update to fix this? I was fully up to date, short of using 15.


(Lorne Gaetz) #2

Please open a ticket, as far as I know this is not on development’s radar:
https://issues.freepbx.org/


(Tom Ray) #3

I’m not trying to be a hard ass about this but seriously, what?! Let’s Encrypt is a built-in feature of FreePBX and there are no development plans for making that built-in feature function properly? If Acme v1 is what is in FreePBX now and it is dying in 6 days why wouldn’t there be any plans for this to be updated?

Are you saying that after building this into FreePBX and pushing it hard for people to use Sangoma is just going to let users not be able to renew (or possibly install new) certs?!


(B. Martinez) #4

I opened ticket:

https://issues.freepbx.org/browse/FREEPBX-20719

I believe this should be a high priority for dev; a LOT of systems are going to go down when their certs pop and most people are probably unaware this bomb is coming. A notice should be floated in the dashboard of FPBX too about this. Anyone using a LE cert will likely have their system possibly go down altogether if they are using TLS or any other encryption using that Cert with their endpoints.


(Lorne Gaetz) #5

Thank you.

Is nobody reading the page linked above? Renewals will continue to work for some time on ver. 1, it’s only new accounts that will cease this month.


(B. Martinez) #6

Are you serious? Why the snark? Did you read what I wrote in the bug report? I wrote that NEW certs stop NOV 8. RENEWALS stop JUNE 1. That WILL break (TAKE DOWN) any system using LE. It also PREVENTS anyone from spinning up a new system and using LE for SSL. In addition they are also blocking unauthenticated requests too (unclear on if staging which is soon, impacts production or not, total blocking starts next year). NOBODY will know this is coming, just like YOU didn’t know this was coming until I brought this up. A lot of people will wake up to downed systems, a notice warning everyone in the dashboard would be nice. Even if this is fixed, everyone will have to update to get said fix, and many may not be aware.


(Lorne Gaetz) #7

In June of 2021 we will entirely disable ACMEv1


(B. Martinez) #8

Sigh. I corrected that date.

Renewals have an extra year; Though they will randomly block renewals once per month as the end draws near. New registrations still won’t work as of NOV 8 2019 (6 days from today). They blocked registrations altogether for the past 24 hours.

In addition, anyone that tries and is blocked must clear out their /etc/asterisk/_account/ folder to later generate a new cert. Even though they lifted yesterday’s block, I still could not generate a new cert until doing so.


(Jared Busch) #9

I don’t know why they have to use some custom ACME script. Certbot is fully featured, able to be automated, and fully updated externally to Sangoma devs.


(B. Martinez) #10

Have you had success using Certbot on fpbx systems? I need to find an alternate method for using LE on FPBX 14/15 since I doubt a fix will be inbound anytime soon and I need to roll out new systems regularly for clients.


(TheJames) #11

https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-centos-7 it is an EL system…


(Jared Busch) #12

It requires manual intervention after the cert is renewed, but yes. I use it on my company PBX now.

I use certbot because the updated protocols it uses lets my Yealink phones recognize the certificate, unlike the built in FreePBX process.

Some of the newest phones work with the built in LE cert, but not the T4G series.

Here is where I posted about setting up my system with certbot.


#13

Try

It's got all you need and just works, including auto renewal; use --deploy-hook to deploy your certs to where Sangoma wants them.

(edit:- Actually, it won’t matter where Sangoma wants the certs as acme.sh can easily set apache up and asterisk can be handled with the available hooks to link them into /etc/asterisk/keys)
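
The kind of deploy hook posts #12 and #13 describe, written out as an added example (this is not code from the thread, from certbot, from acme.sh or from FreePBX/Sangoma). It assumes certbot's documented hook environment (RENEWED_LINEAGE pointing at the live/<domain> directory, RENEWED_DOMAINS listing the renewed names), that Asterisk reads its TLS material from /etc/asterisk/keys as <name>.crt, <name>.key and a combined <name>.pem, and that the files should be owned by the asterisk user; the directory layout, file names and the `asterisk -rx "core reload"` step are assumptions, not something the thread confirms. The hook verifies that the renewed certificate actually belongs to the private key next to it before installing anything, and installs via temp files plus rename so a reload never sees a half-written key.

```shell
#!/bin/sh
# Added example (not FreePBX/Sangoma, certbot or acme.sh code): a certbot
# --deploy-hook that copies a renewed Let's Encrypt certificate into the
# directory Asterisk reads from. Assumed layout (hypothetical): keys live in
# /etc/asterisk/keys as <name>.crt, <name>.key and a combined <name>.pem.
# certbot exports RENEWED_LINEAGE (the live/<domain> dir) and RENEWED_DOMAINS
# to deploy hooks; those two variable names are certbot's own.

set -u

# cert_matches_key CERT KEY: 0 if the public key in CERT equals the public key
# derived from KEY. Comparing -pubkey output works for RSA and EC keys alike,
# unlike the common "compare RSA modulus" check, which breaks on ECDSA certs.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# install_asterisk_certs LINEAGE_DIR DEST_DIR NAME [OWNER]
# Copies fullchain.pem/privkey.pem from LINEAGE_DIR into DEST_DIR as NAME.crt,
# NAME.key and NAME.pem (cert + key concatenated). Private material is written
# with mode 600 under umask 077, then renamed into place atomically.
install_asterisk_certs() {
    lineage=$1; dest=$2; name=$3; owner=${4:-}
    [ -r "$lineage/fullchain.pem" ] && [ -r "$lineage/privkey.pem" ] || return 1
    mkdir -p "$dest" || return 1
    old_umask=$(umask)
    umask 077
    cp "$lineage/fullchain.pem" "$dest/$name.crt.tmp" || return 1
    cp "$lineage/privkey.pem"   "$dest/$name.key.tmp" || return 1
    cat "$lineage/fullchain.pem" "$lineage/privkey.pem" > "$dest/$name.pem.tmp" || return 1
    umask "$old_umask"
    chmod 644 "$dest/$name.crt.tmp"
    chmod 600 "$dest/$name.key.tmp" "$dest/$name.pem.tmp"
    if [ -n "$owner" ]; then
        chown "$owner" "$dest/$name.crt.tmp" "$dest/$name.key.tmp" "$dest/$name.pem.tmp" || return 1
    fi
    for ext in crt key pem; do
        mv -f "$dest/$name.$ext.tmp" "$dest/$name.$ext" || return 1
    done
}

# file_mode PATH: print the octal permission bits (GNU stat, BSD stat fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Deploy-hook entry point: only runs when certbot invokes us with RENEWED_LINEAGE.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    # Refuse to install a certificate that does not belong to the key beside it.
    cert_matches_key "$RENEWED_LINEAGE/fullchain.pem" "$RENEWED_LINEAGE/privkey.pem" \
        || { echo "deploy-hook: cert/key mismatch in $RENEWED_LINEAGE" >&2; exit 1; }
    # First renewed domain becomes the file name; asterisk:asterisk is an assumed owner.
    install_asterisk_certs "$RENEWED_LINEAGE" /etc/asterisk/keys \
        "${RENEWED_DOMAINS%% *}" asterisk:asterisk || exit 1
    # Reload so Asterisk re-reads the TLS files (assumed sufficient for the TLS transport).
    asterisk -rx "core reload" >/dev/null
fi
```

Wire it in with `certbot renew --deploy-hook /path/to/this-script.sh` (or the same script under acme.sh's deploy hook mechanism); because the hook runs as root it can chown the key to the asterisk user while keeping it 600, which is the part a non-root module such as Certificate Manager cannot do on its own.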


(Andrew Nagy) #14

Well because it’s baked into Certificate Manager. Which is a FreePBX module. Which can’t directly control Apache/Asterisk to install certificates because it doesn’t run as the root user.

The standalone plugin requires root to bind port 80 or 443, although on Linux you could also grant CAP_NET_BIND_SERVICE to the relevant user.

Certbot’s Apache and Nginx plugins normally require root both for making temporary and persistent changes to webserver configurations, and to perform graceful reload events for those servers.

There’s always a reason for everything; using certbot is perfectly OK if you know how to work with the CLI. Some users don’t. Certificate Manager, Sysadmin and Certbot don’t play together well because Sysadmin is the authority over the apache.conf files, not certbot.

Certificate Manager uses a PHP Library called analogic/lescript. This has been updated to ACME v2. It could be as easy as updating the dependency.


(B. Martinez) #15

That’s good news then!

In the interim before the module is updated, are you saying yum update will address the library in question then or is it more involved than that (or was that speculation on your part)? I did update all modules (yum update) when I spun up the instance a couple days ago fwiw. Was looking to take a stab at this as I spin up systems pretty regularly and the 8th is coming up quick.


(system) closed #16

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.


(Lorne Gaetz) #17

This issue is showing as resolved in Certificate Management versions:
certman v13.0.40
certman v14.0.5
certman v15.0.15

https://issues.freepbx.org/browse/FREEPBX-20719

