Let's Encrypt not auto-updating for websocket server

The certificate for the websocket server expired 2 days ago, however the one for accessing the admin pages expires in 3 months. So it appears the Let's Encrypt certificate is auto-updating just fine for the admin Apache server, but whatever Asterisk is using for the websocket server doesn’t appear to auto-update.

Has anyone else noticed this?

Need some clarification here. What websocket server are you talking about? There’s an Asterisk one, a UCP one, a ZULU one.

A screenshot of the error would be handy, so we can figure out what you’re referring to.

The one used for WebRTC, wss://server:8089/ws

Sorry but I can’t see how restarting Asterisk (automatically randomly when the certificate expires and is renewed) would be a good idea in any regard. That’s the only way you’d get Asterisk to understand the new certificate.

I restarted it, and the server. For whatever reason the server running at 8089 is using the original Let's Encrypt cert, but it has since updated and the admin pages are using the correct one.

So look at the settings and see if the certificate in the path has expired. Is said certificate the default? Is it checked as the default?

Really REALLY need way more debug here. Kind of shooting in the dark at a pin.

Ahhh, got it. In the advanced settings, the path for the HTTPS crt and key was: /etc/asterisk/keys/integration/webserver.crt and /etc/asterisk/keys/integration/webserver.key, but those cert files are older.

Ok. Those should be updating. But only if the certificate was marked as a default.

Yup, I just noticed. Seems the one directory back is where the certs are being updated. Any idea why copies of them would be moved to that path?

Because that is how it works. Did you mark the certificate as default?

Those files show an update of May 17th (/etc/asterisk/keys/integration/webserver.key), but in /etc/asterisk/keys/ there are crt and key files updated as of today, named hostname.key and hostname.crt.

Did you mark the certificate as default?

Yes, it is default.

Run fwconsole certificates updateall

Do those certificates change?

And yes, I fully understand how the directory structure is set up. There are reasons it is done this way.

Yes, and it is the only one.

Ok, I'll run that. Should I change advanced settings back to “/etc/asterisk/keys/integration/webserver.key” as well?

Certificate named “[MYHOSTNAME]” is valid

Yes. You should.

Perhaps it’s just late but I asked “Do those certificates change?”
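
The check this thread keeps circling, written out as an added example (not part of the original posts and not FreePBX's own tooling): compare the certificate file the websocket server is configured to load with the renewed one, and optionally with what port 8089 actually presents. The function names are hypothetical, the file paths are passed as arguments, and the `openssl` CLI is assumed to be installed.

```bash
#!/usr/bin/env bash
# Added example: detect a stale certificate copy. Function names are hypothetical.

# cert_fingerprint FILE -> SHA-256 fingerprint of a PEM certificate (empty on error)
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# cert_expired FILE -> exit status 0 if the certificate has already expired
cert_expired() {
    ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# compare_certs SERVED RENEWED -> prints in-sync | stale | stale-expired | unreadable
#   SERVED  = file the service is configured to load
#   RENEWED = file the renewal process writes
compare_certs() {
    local served=$1 renewed=$2 fp_served fp_renewed
    fp_served=$(cert_fingerprint "$served")
    fp_renewed=$(cert_fingerprint "$renewed")
    if [ -z "$fp_served" ] || [ -z "$fp_renewed" ]; then
        echo unreadable          # missing file or not a PEM certificate
        return 2
    fi
    if [ "$fp_served" = "$fp_renewed" ]; then
        echo in-sync
    elif cert_expired "$served"; then
        echo stale-expired       # the copy was never refreshed and has lapsed
    else
        echo stale               # differs from the renewed cert but still valid
    fi
}

# live_fingerprint HOST PORT -> fingerprint of the certificate the listener presents.
# A running process keeps serving the certificate it loaded at start-up, so this
# can differ from the file on disk until the service is restarted.
live_fingerprint() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Example call with the paths from the thread (replace HOSTNAME with your own):
#   compare_certs /etc/asterisk/keys/integration/webserver.crt /etc/asterisk/keys/HOSTNAME.crt
if [ $# -eq 2 ]; then
    compare_certs "$1" "$2"
fi
```

If the files are in sync but `live_fingerprint` still returns the old value, the listener has not reloaded the certificate since it was replaced.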