Let's Encrypt not auto updating for websocket server

(Mike Olsen) #1

The certificate for the websocket server expired 2 days ago, however the one for accessing the admin pages expires in 3 months. So it appears the Let's Encrypt certificate is auto updating just fine for the admin Apache server, but whatever Asterisk is using for the websocket server doesn’t appear to auto update.

Has anyone else noticed this?

(Andrew Nagy) #2

Need some clarification here. What websocket server are you talking about? There’s an Asterisk one, a UCP one, a ZULU one.

(Rob Thomas) #3

A screenshot of the error would be handy, so we can figure out what you’re referring to.

(Mike Olsen) #4

The one used for WebRTC, wss://server:8089/ws

(Andrew Nagy) #5

Sorry but I can’t see how restarting Asterisk (automatically randomly when the certificate expires and is renewed) would be a good idea in any regard. That’s the only way you’d get Asterisk to understand the new certificate.

(Mike Olsen) #6

I restarted it, and the server. For whatever reason the server running at 8089 is using the original Let's Encrypt cert, but it has since updated and the admin pages are using the correct one.

(Andrew Nagy) #7

So look at the settings and see if the certificate in the path has expired. Is said certificate the default? Is it checked as the default?

Really REALLY need way more debug here. Kind of shooting in the dark at a pin.

(Mike Olsen) #8

Ahhh, got it. In the advanced settings, the path for https crt and key was: /etc/asterisk/keys/integration/webserver.crt and /etc/asterisk/keys/integration/webserver.key but those cert files are older.

(Andrew Nagy) #9

Ok. Those should be updating. But only if the certificate was marked as a default.

(Mike Olsen) #10

Yup, I just noticed. Seems the one directory back is where the certs are being updated. Any idea why copies of them would be moved to that path?

(Andrew Nagy) #11

Because that is how it works. Did you mark the certificate as default?

(Mike Olsen) #12

Those files show an update of May 17th (/etc/asterisk/keys/integration/webserver.key) but in /etc/asterisk/keys/ there are crt and key files updated as of today, and they are named hostname.key and hostname.crt.

(Andrew Nagy) #13

Did you mark the certificate as default?

(Mike Olsen) #14

Yes, it is default.

(Andrew Nagy) #15

Run fwconsole certificates updateall

Do those certificates change?

And yes, I fully understand how the directory structure is set up. There are reasons it is done this way.

(Mike Olsen) #16

Yes, and it is the only one.

(Mike Olsen) #17

Ok, I’ll run that. Should I change advanced settings back to “/etc/asterisk/keys/integration/webserver.key” as well?

(Mike Olsen) #18

Certificate named “[MYHOSTNAME]” is valid

(Andrew Nagy) #19

Yes. You should.

(Andrew Nagy) #20

Perhaps it’s just late but I asked “Do those certificates change?”
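
Added example, not part of the original thread and not FreePBX code: a check for the condition found in posts #8 to #12, where the renewed certificate in /etc/asterisk/keys/ and the copy a service actually loads have drifted apart. The function names are made up for this example, and the renewed file's name (hostname.crt) has to be passed in, because the thread does not give the real hostname.

```python
import hashlib
import os
import ssl
import sys

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def leaf_fingerprint(path):
    """SHA-256 over the DER bytes of the first certificate in a PEM file.

    In a chain file the leaf comes first, so intermediates are ignored.
    """
    with open(path, encoding="ascii", errors="replace") as fh:
        text = fh.read()
    start = text.index(BEGIN)  # raises ValueError when there is no PEM block
    end = text.index(END, start) + len(END)
    der = ssl.PEM_cert_to_DER_cert(text[start:end])
    return hashlib.sha256(der).hexdigest()


def compare_copies(renewed, served):
    """Return (status, detail) for the renewed file vs. the copy a service loads."""
    for path in (renewed, served):
        if not os.path.isfile(path):
            return "missing", path
    try:
        same = leaf_fingerprint(renewed) == leaf_fingerprint(served)
    except ValueError as exc:  # not PEM, or the base64 body is damaged
        return "unreadable", str(exc)
    if same:
        return "in-sync", "both files hold the same leaf certificate"
    lag = os.path.getmtime(renewed) - os.path.getmtime(served)
    if lag > 0:
        return "stale", f"served copy is {lag / 86400:.1f} days older than the renewed file"
    return "differs", "served copy is newer but holds a different certificate"


if __name__ == "__main__":
    # Usage: check.py /etc/asterisk/keys/<hostname>.crt [served copy]
    if len(sys.argv) < 2:
        sys.exit("usage: check.py RENEWED_CRT [SERVED_CRT]")
    # Default served path is the one quoted in post #8.
    served = sys.argv[2] if len(sys.argv) > 2 else "/etc/asterisk/keys/integration/webserver.crt"
    status, detail = compare_copies(sys.argv[1], served)
    print(f"{status}: {detail}")
    sys.exit(0 if status == "in-sync" else 1)
```

The non-zero exit code on anything other than in-sync makes it usable from cron or a monitoring check, so a stale copy is noticed before the served certificate expires.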