FreePBX 15.0.17.24 / all modules up to date. I’m running pfSense 2.5.0
I’m getting a critical dialog in the FreePBX Dashboard that says:
Security Issue: Some certificates are expiring or have expired. This is a critical issue and should be resolved urgently.
There was an error updating certificate “www.fqdn.com”: Self test error: Pest_NotFound - 404 Not Found
404 Not Found
nginx
There was an error updating certificate “www.anotherfqdn.com”: Self test error: Pest_NotFound - 404 Not Found
404 Not Found
nginx
Port 80 (TCP) is forwarded to FreePBX temporarily on pfSense. In the Certificate Management module in the FreePBX GUI, there are three certificates two of which are Let’s Encrypt, and one of those is the Default certificate. I can ping www.fqdn.com:
$ ping www.fqdn.com
PING www.fqdn.com (11.22.15.72): 56 data bytes
64 bytes from 11.22.15.72: icmp_seq=0 ttl=64 time=0.077 ms
From the pbx, “www.fqdn.com” must resolve to the internal IP of the pbx.
During the self test, certificate manager tries to download a locally hosted file using the fqdn. The separate self test was added because the actual Lescript.php library does the same and would fail even more cryptically.
The fact it’s hitting an nginx server makes me think the fqdn resolves to another internal address or possibly the pfsense external IP and the temp rule is clashing with another rule that has nat loopback enabled.
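The diagnosis above (the self test fetches a locally hosted file through the FQDN, and an nginx answer means the name is landing on another box) can be checked from the PBX itself. The script below is an added example, not part of the thread or of FreePBX; it assumes a Linux PBX with `getent`, `hostname -I` and `curl`, and assumes the self-test file lives under `/.well-known/acme-challenge/`. The probe path and the sample headers used in the comments are constructed.

```shell
#!/bin/sh
# Diagnostic for the FreePBX Let's Encrypt "self test" 404 failure.
# Added example, not FreePBX or pfSense code. Assumptions: Linux host with
# getent, hostname and curl; the probe path under /.well-known/acme-challenge/
# is assumed to be where the self-test file is served from.

# Every IPv4 address configured on this host, one per line.
local_ipv4_addrs() {
    hostname -I 2>/dev/null | tr ' ' '\n' | grep -E '^[0-9]+(\.[0-9]+){3}$'
}

# Resolve a name the way the PBX does during the self test (system resolver).
resolve_ipv4() {
    getent ahostsv4 "$1" | awk 'NR == 1 { print $1 }'
}

# classify_resolution RESOLVED_IP LOCAL_IP [LOCAL_IP...]
# Echoes "local" when the resolved address is one of this host's own
# addresses, otherwise "foreign" (the name points at the router or another box,
# which is the NAT-loopback / clashing-rule case described in the thread).
classify_resolution() {
    resolved=$1; shift
    for ip in "$@"; do
        if [ "$ip" = "$resolved" ]; then echo local; return 0; fi
    done
    echo foreign
    return 0
}

# classify_response HEADERS
# Takes raw HTTP response headers and echoes "<status> <server>", e.g.
# "404 nginx", so the operator sees which web server actually answered.
# FreePBX's own web server is Apache, so "nginx" means another host replied.
classify_response() {
    status=$(printf '%s\n' "$1" | awk 'NR == 1 { print $2 }')
    server=$(printf '%s\n' "$1" | awk 'tolower($1) == "server:" { sub(/\r$/, "", $2); print $2 }')
    echo "${status:-none} ${server:-unknown}"
}

# Full check against a live host: resolve, compare with local addresses, then
# fetch a probe path over plain HTTP and report who answered.
check_host() {
    fqdn=$1
    resolved=$(resolve_ipv4 "$fqdn")
    echo "$fqdn resolves to ${resolved:-<unresolved>}"
    # Word splitting of the address list is intended here.
    verdict=$(classify_resolution "$resolved" $(local_ipv4_addrs))
    echo "address is $verdict to this PBX"
    headers=$(curl -sS -m 10 -o /dev/null -D - \
        "http://$fqdn/.well-known/acme-challenge/selftest-probe" 2>/dev/null)
    echo "HTTP answer: $(classify_response "$headers")"
}

if [ $# -eq 1 ]; then
    check_host "$1"
fi
```

Run it as `sh check_le_path.sh www.fqdn.com` on the PBX: a "foreign" verdict or a "Server" header that is not Apache points at DNS or the port-80 forward, not at the certificate module.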
@dicko I’m using a stock FreePBX 15 and haven’t modified the web server. So I presume nginx is the Certificate Manager module in the FreePBX GUI, not apache2.
I have to admit to being clueless with certificates in FreePBX and pfSense. In the Certificate Manager module in the FreePBX GUI, it states:
Let’s Encrypt certificate creation and validation requires unrestricted inbound http access on port 80 to the Let’s Encrypt token directories
If security is managed by the PBX Firewall module, this process should be automatic. Alternate security methods and external firewalls will require manual configuration.
In pfSense I have installed ACME (i.e., automated cert management environment for automated use of LE certs). Is ACME conflicting with the certificate management in FreePBX? If so, is there a way to temporarily disable ACME in pfSense without un-installing it so the certificates in FreePBX can be updated?
If your acme client is working, just copy the *.crt and *.key (rename if needed) into /etc/asterisk/keys, hopefully with a client post hook, then import/updateall/setdefault either in the GUI or using fwconsole. Make sure your webserver is referencing these certs.
That way you are not unnecessarily opening up your firewall or worrying about the FreePBX acme client.
** Does DNS name resolution for www.fqdn.com resolve correctly?
Local DNS result: 11.22.15.72, External DNS result: 11.22.15.72
** Does DNS name resolution for www.anotherfqdn.com resolve correctly?
Local DNS result: 11.22.15.72, External DNS result: 11.22.15.72
Certificate named “default” is going to expire in less than a month. Please update this certificate in Certificate Manager
There was an error updating certificate “www.fqdn.com”: Self test error: Pest_NotFound - 404 Not Found
404 Not Found
nginx
There was an error updating certificate “www.anotherfqdn.com”: Self test error: Pest_NotFound - 404 Not Found
Not sure how the pfSense acme client works, but the crt might well be called .ert or .pem; it is likely in the same directory as ./tmp/acme/pfblockng/www.fqdn.com/www.fqdn.com.key and not the root cert.
There must be other people running FreePBX with pfSense with ACME installed. Do they have to go through this just to update a certificate? Sorry to whine, but am I missing something or is this process overly convoluted? Is there no other way?
ACME is the protocol; correctly, you should be using an acme client. Most acme clients set up a cron job or a systemd timer to automatically renew certs. FreePBX will automatically check for expired certs in /etc/asterisk/keys; if your cron job updates your FPBX cert files in a timely fashion, you are all done.
Cron Entry
A checkbox which enables the ACME renewal cron job. When set, the ACME package will check all certificates each night and if any are up for renewal, it will attempt to renew them.
Write Certificates
When set, the ACME package will write the certificate files out in `/conf/acme` . From there, other scripts or processes which do not support GUI integration can pick up the certificate.
@dicko Thanks.
In Services==>Acme==>Settings in the pfSense GUI, I have the Cron Entry enabled, but not the Write Certificates. I will enable Write Certificates.
At the moment, with Write Certificates enabled, the /conf/acme directory is empty. The blurb next to Cron Entry in Services==>Acme==>Settings==>General Settings says:
Enable Acme client renewal job. This will configure cron to renew certificates once a day at 3:16, keeping track of the last successful renewal and the number of days set after which to renew again. When renewal happens a service can be restarted or a shell script run to load the new certificate for services that need it; if needed this needs to be configured as an action under the certificate settings.
I’ll wait until tomorrow (i.e., after 3:16am) and check if anything in /conf/acme has changed. [It’s pretty obvious that I don’t know WTF I’m doing here…]
If that doesn’t happen, there is a 5/week rate limit on issuances/renewals per domain, so it would be safe to delete what you have and start over. Then set up the ‘action list’ to push the key and cert to /etc/asterisk/keys on your FreePBX.
If DNS and firewall forwarding/loopback are properly configured, it should “just work.”
If you’re sharing a single external IP and need multiple services listening on a single port, it’s on you to have a proper proxy/forward setup. It’s not a beginner config, but shouldn’t be overly difficult either.
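Both the earlier advice (copy the acme client's *.crt and *.key into /etc/asterisk/keys from a post hook, then import/updateall/setdefault with fwconsole) and the ‘action list’ suggestion above come down to the same script on the PBX side. The one below is an added example, not pfSense's action-list code or FreePBX's own tooling; it assumes it runs on the PBX (called over ssh from the pfSense action, or as a client post hook), receives a full-chain PEM and a key PEM, and that the FreePBX module is driven with `fwconsole certificates --import`, `--updateall` and `--default`. Those option names are an assumption, so confirm them with `fwconsole certificates --help` on your version.

```shell
#!/bin/sh
# Post-hook: install a renewed Let's Encrypt pair into FreePBX.
# Added example, not pfSense or FreePBX code. Assumptions: runs on the PBX,
# gets NAME CERT_PEM KEY_PEM as arguments, and the fwconsole option names
# below match your FreePBX version (check `fwconsole certificates --help`).
set -eu

KEYS_DIR="${KEYS_DIR:-/etc/asterisk/keys}"   # FreePBX certificate store
DRY_RUN="${DRY_RUN:-0}"                       # 1 = stage files, skip fwconsole

# cert_matches_key CERT_PEM KEY_PEM
# Succeeds when the certificate's public key matches the private key, which
# catches a hook that picked up files from two different renewals.
cert_matches_key() {
    [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}

# stage_cert NAME CERT_PEM KEY_PEM
# Copies the pair into $KEYS_DIR as NAME.crt / NAME.key (the naming the
# FreePBX import expects), refuses empty inputs, keeps the key private, and
# writes via temp names so a half-copied file is never picked up by the
# nightly expiry check. Echoes the installed certificate path.
stage_cert() {
    name=$1; cert=$2; key=$3
    [ -s "$cert" ] || { echo "certificate file missing or empty: $cert" >&2; return 1; }
    [ -s "$key" ]  || { echo "key file missing or empty: $key" >&2; return 1; }
    mkdir -p "$KEYS_DIR"
    cp "$cert" "$KEYS_DIR/$name.crt.tmp"
    cp "$key"  "$KEYS_DIR/$name.key.tmp"
    chmod 0644 "$KEYS_DIR/$name.crt.tmp"
    chmod 0600 "$KEYS_DIR/$name.key.tmp"
    mv "$KEYS_DIR/$name.crt.tmp" "$KEYS_DIR/$name.crt"
    mv "$KEYS_DIR/$name.key.tmp" "$KEYS_DIR/$name.key"
    # Asterisk and the web server read these as the asterisk user.
    if [ "$(id -u)" -eq 0 ] && id asterisk >/dev/null 2>&1; then
        chown asterisk:asterisk "$KEYS_DIR/$name.crt" "$KEYS_DIR/$name.key"
    fi
    echo "$KEYS_DIR/$name.crt"
}

# register_with_freepbx NAME
# Tells the certificate module to pick up the new files, make NAME the
# default, and reload so TLS listeners and the web server use them.
register_with_freepbx() {
    if [ "$DRY_RUN" = 1 ]; then echo "dry run: skipping fwconsole for $1"; return 0; fi
    fwconsole certificates --import
    fwconsole certificates --updateall
    fwconsole certificates --default="$1"
    fwconsole reload
}

if [ $# -eq 3 ]; then
    cert_matches_key "$2" "$3" || { echo "certificate and key do not match" >&2; exit 1; }
    stage_cert "$1" "$2" "$3"
    register_with_freepbx "$1"
fi
```

Call it as `install-pbx-cert.sh www.fqdn.com /path/fullchain.pem /path/privkey.pem`; with `DRY_RUN=1` it only stages the files, which is a safe way to test the pfSense action before touching the live module.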
If the pfsense acme client listening on port 80 is the root of your problem, remove the conflict. Set up the pfsense acme client to use tls-alpn auth (port 443) or dns-01 auth (no port needed) and keep port 80 forwarded exclusively to the PBX.
For now, you have to make the clients play nice together when sharing a single IP.
As long as both clients use http-01 auth, managing port 80 will be an issue. Changing the pfsense auth method should be an easy workaround.
The “self test” issue is a problem with the current acme library used by FreePBX. If/when the FreePBX backend is ported to acme.sh, that specific problem should go away, but “sharing” port 80 will remain an issue.
If the FreePBX backend is migrated to acme.sh, dns-01 auth (no port needed) will be an option for FreePBX. I doubt tls-alpn auth (port 443) will be a FreePBX option. No reason tls-alpn couldn’t be made available, but it really needs SysAdmin(closed source) changes for the distro.
On that line, pfSense has grown up a lot since I last used it, I see they have an HAProxy package if you need/want multiple sites behind your Router and all of them to ‘play nice’
If you do that, you can do all the certs for all the sites on the pfSense box, rewriting 80 to 443 (or anything else) on the front-ends and just forwarding to your various relevant backends without TLS being needed. (Add strict SNI and you are pretty rock solid.)
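What that HAProxy layout looks like in configuration terms, as an added example rather than anything generated by the pfSense HAProxy package: the hostnames, backend addresses and certificate path are assumptions, and the pfSense GUI will produce its own equivalent of this file. Port 80 only passes ACME http-01 challenges through (to the PBX for its own name, so the FreePBX module keeps working) and redirects everything else; port 443 terminates TLS with `strict-sni`, picks the backend by SNI, and the backends are plain HTTP. Certificates the pfSense acme client manages for the other names are assumed to use dns-01, as suggested earlier in the thread, so nothing else needs port 80.

```haproxy
# Added example, not the pfSense package's generated config. Hostnames,
# addresses and the certificate directory are assumptions.
global
    log stdout format raw local0

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Port 80: only ACME http-01 challenge paths are served in clear. Challenges
# for the PBX name are forwarded to the PBX so its own certificate module can
# still answer them; everything else is redirected to HTTPS.
frontend http_in
    bind :80
    acl acme_path path_beg /.well-known/acme-challenge/
    acl host_pbx  req.hdr(host) -i pbx.example.com
    use_backend pbx_http if acme_path host_pbx
    http-request redirect scheme https code 301 unless acme_path

# Port 443: one listener, certificate selected by SNI from the directory;
# strict-sni refuses handshakes for names there is no certificate for, so a
# scan of the bare IP gets nothing instead of a default cert.
frontend https_in
    bind :443 ssl crt /var/etc/haproxy/certs/ strict-sni alpn h2,http/1.1
    http-request set-header X-Forwarded-Proto https
    use_backend pbx_http if { ssl_fc_sni -i pbx.example.com }
    use_backend www_http if { ssl_fc_sni -i www.example.com }
    default_backend deny_all

# Backends speak plain HTTP inside the LAN; TLS ends at pfSense.
backend pbx_http
    server pbx 192.0.2.10:80 check

backend www_http
    server www 192.0.2.20:80 check

backend deny_all
    http-request deny deny_status 403
```

The one operational caveat: with TLS ending at the proxy, the FreePBX web server sees plain HTTP, so any "force HTTPS" setting on the PBX has to trust the `X-Forwarded-Proto` header or be left off, otherwise you get a redirect loop.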