Let's Encrypt Cert expired: Renewing "appears" to work, but multiple browsers show expired


#1

Let's Encrypt Cert expired and didn’t automatically renew.

1. Tried deleting and requesting a new cert
2. Tried updating from CLI: fwconsole certificates --updateall


(Jared Busch) #2

If you deleted the cert, then you need to go into SysAdmin and apply the new one.


#3

Is this a ‘distro’?

fwconsole certificate --import # imports any properly named certs and keys you dropped in /etc/asterisk/keys for non 'distro' like thingies
fwconsole certificate --updateall # will renew any that it has bailiwick over if it can
fwconsole certificate --list # LISTS all certs/keys available even broken ones
fwconsole certificate --default=N # selects the cert you want to use

#4

Did that, multiple times


#5

FreePBX 15.0.16.72
Port Management: LetsEncrypt = Port 80
Toggled LetsEncrypt Rules in Firewall Advanced
Tried FreePBX and CLI
Cert Management shows “2020-10-19 (55 days)”
Cleared Browser cache
Browser: NET::ERR_CERT_DATE_INVALID Expires on: Aug 19, 2020


#6

Does your web browser’s SSL configuration point to the right files in /etc/asterisk/keys?


#7

As far as I can tell, yes


#8

Then you shouldn’t get that message, I suggest you check it.


#9

Check what? Thanks


#10

If you are using apache2/httpd as your webserver, somewhere in its config for the server listening on port 443 will need to have

SSLCertificateFile "/etc/asterisk/keys/www.example.com.cert"
SSLCertificateKeyFile "/etc/asterisk/keys/www.example.com.key"

where www.example.com will be replaced with the “good” key/cert pair


#11
  1. Make sure the correct cert is selected in the GUI: Admin->System Admin->HTTPS Setup->Settings->Certificate Manager.

  2. Click the “Install” button on the above even if it looks correct.

  3. Check the running apache cert locally:

echo | openssl s_client -showcerts -connect localhost:443 | openssl x509 -inform pem -noout -enddate

  4. If above still shows an expired cert, manually reload apache:

systemctl reload httpd

  5. Repeat step 3
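
The check in step 3, extended to compare the certificate the web server is actually presenting with a certificate file on disk, so a renewed-but-not-reloaded server is reported as stale. This is an added example, not part of the original post or of FreePBX; the function names, return codes and the arguments (host:port, path to the certificate file, warning window in seconds) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): detect a web server that still serves
# an old certificate after the certificate file on disk has been renewed.
# Usage (arguments are assumptions): ./certcheck.sh localhost:443 /path/to/cert.pem

# SHA-256 fingerprint of the first certificate in a PEM file (empty on error).
pem_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Save the leaf certificate presented by HOST:PORT ($1) into file $2.
fetch_served_cert() {
    echo | openssl s_client -connect "$1" 2>/dev/null \
        | openssl x509 -outform pem > "$2" 2>/dev/null
}

# compare_certs DISK_PEM SERVED_PEM [WARN_SECONDS]
# Returns 0 = server serves the on-disk cert and it is valid,
#         1 = STALE (server serves a different cert than the one on disk),
#         2 = same cert, but it expires within WARN_SECONDS (0 = already expired),
#         3 = one of the certificates could not be read.
compare_certs() {
    disk_fp=$(pem_fingerprint "$1")
    served_fp=$(pem_fingerprint "$2")
    [ -n "$disk_fp" ] && [ -n "$served_fp" ] || { echo "UNREADABLE"; return 3; }
    if [ "$disk_fp" != "$served_fp" ]; then
        echo "STALE: server presents $(openssl x509 -in "$2" -noout -enddate)," \
             "disk has $(openssl x509 -in "$1" -noout -enddate); reload the web server"
        return 1
    fi
    if ! openssl x509 -in "$2" -noout -checkend "${3:-0}" >/dev/null; then
        echo "EXPIRING: $(openssl x509 -in "$2" -noout -enddate)"
        return 2
    fi
    echo "OK: $(openssl x509 -in "$2" -noout -enddate)"
}

# check_live HOST:PORT DISK_PEM [WARN_SECONDS]: fetch, compare, clean up.
check_live() {
    tmp=$(mktemp) || return 3
    fetch_served_cert "$1" "$tmp"
    compare_certs "$2" "$tmp" "${3:-0}"; rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Run only when called with HOST:PORT and a certificate path.
if [ "$#" -ge 2 ]; then check_live "$@"; fi
```

A result of 1 is the situation in this thread: the renewed file is on disk, but the running server still holds the old certificate until the new one is installed and the server is reloaded.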

#12

Thank you, this worked

