Let's Encrypt is a Certificate Authority that provides SSL/TLS certificates to 260 million websites. On Oct 1st, an older root CA used by Let's Encrypt is expiring, and systems that still rely on that root will no longer be able to validate certificates issued by Let's Encrypt.
SNG7, the most current FreePBX distro, ships with the impacted older Let's Encrypt root CA certificate, so on Oct 1st, web requests made from inside FreePBX to servers whose SSL/TLS certificates are signed by Let's Encrypt will stop working due to certificate errors.
So what does this mean? Well, for most people it doesn't mean anything. FreePBX should still be up and continue to function properly. However, if you use Let's Encrypt to sign the SSL/TLS certificate on your FreePBX instance, the mechanism that keeps the certificate automatically up to date will stop functioning, and eventually the certificate used to secure your FreePBX instance will expire. It should ALSO be a concern if FreePBX is acting as a client connecting to some other server that uses a Let's Encrypt certificate. Such servers include, but are not limited to, HTTPS, FTP and mail servers, or potentially an ITSP using a Let's Encrypt certificate.
That being said, to minimize any possible disruption, we recommend that everyone patch their system to prepare for this event. To fix this issue, we have released patches to the certman module that remove the old Let's Encrypt root CA. We currently recommend that you update the certman module to one of the following:
Certman v14.0.19
Certman v15.0.47
Certman v16.0.17
The issue can ALSO be fixed on SNG7 by updating to the latest version of ca-certificates via yum:
yum update ca-certificates
Alternatively, the issue can be fixed on SNG7 or CentOS 7 by manually running the following commands from the CLI:
sudo trust dump --filter "pkcs11:id=%c4%a7%b1%a4%7b%2c%71%fa%db%e1%4b%90%75%ff%c4%15%60%85%89%10" | openssl x509 | sudo tee /etc/pki/ca-trust/source/blacklist/DST-Root-CA-X3.pem
sudo update-ca-trust extract
How to test if your system is affected:
Run the test against one of Let’s encrypt’s services:
wget https://acme-staging-v02.api.letsencrypt.org/directory -O-
A Failed Response will look like this:
--2021-10-01 00:00:00-- https://acme-staging-v02.api.letsencrypt.org/directory
Resolving acme-staging-v02.api.letsencrypt.org (acme-staging-v02.api.letsencrypt.org)... 172.65.46.172, 2606:4700:60:0:f41b:d4fe:4325:6026
Connecting to acme-staging-v02.api.letsencrypt.org (acme-staging-v02.api.letsencrypt.org)|172.65.46.172|:443... connected.
ERROR: cannot verify acme-staging-v02.api.letsencrypt.org's certificate, issued by ‘/C=US/O=Let's Encrypt/CN=R3’:
Issued certificate has expired.
To connect to acme-staging-v02.api.letsencrypt.org insecurely, use `--no-check-certificate'.
A Successful Response will look like this:
--2021-10-01 00:00:00-- https://acme-staging-v02.api.letsencrypt.org/directory
Resolving acme-staging-v02.api.letsencrypt.org (acme-staging-v02.api.letsencrypt.org)... 172.65.46.172, 2606:4700:60:0:f41b:d4fe:4325:6026
Connecting to acme-staging-v02.api.letsencrypt.org (acme-staging-v02.api.letsencrypt.org)|172.65.46.172|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 724 [application/json]
Saving to: 'STDOUT'

 0% [                                                                                      ]       0 --.-K/s
{
  "keyChange": "https://acme-staging-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org/docs/staging-environment/"
  },
  "newAccount": "https://acme-staging-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-staging-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert",
  "xK2Vc0EsDik": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417"
}
100%[========================================================================================>]     724 --.-K/s   in 0s

2021-10-01 00:00:00 (37.9 MB/s) - written to stdout [724/724]
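The wget test above needs network access to the Let's Encrypt staging service; as an added example (not part of this announcement or of the certman module), the following POSIX shell script instead reads the local p11-kit `trust list` output and reports whether DST Root CA X3 is still a trusted anchor, has been blacklisted by the manual commands above, or is absent from the store. It assumes the p11-kit output format (a `pkcs11:` URI line followed by indented `label:` and `trust:` lines per object) and reuses the PKCS#11 id from the manual fix; the sample store embedded in it is constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example, not FreePBX or certman code. Classifies how the local p11-kit trust
# store treats DST Root CA X3, identified by the PKCS#11 id used in the manual fix above.
# Assumed `trust list` format (p11-kit): a "pkcs11:...;type=cert" line followed by
# indented "type:", "label:", "trust:" and "category:" lines for each object.
DST_X3_ID='%c4%a7%b1%a4%7b%2c%71%fa%db%e1%4b%90%75%ff%c4%15%60%85%89%10'

# dst_x3_status: read `trust list` output on stdin and print exactly one word:
#   anchor      - still a trusted anchor; chains ending in it fail once it has expired
#   blacklisted - explicitly distrusted (the blacklist + update-ca-trust fix is in place)
#   absent      - not present in the store at all (e.g. an updated ca-certificates package)
# If the same id shows up both as anchor and as blacklisted, blacklisted wins.
dst_x3_status() {
  awk -v id="$DST_X3_ID" '
    /^pkcs11:/ { inblock = (index($0, id) > 0); next }   # start of a new object
    inblock && /^[ \t]+trust:/ { seen[$2] = 1 }          # record its trust flag
    END {
      if ("blacklisted" in seen)  print "blacklisted"
      else if ("anchor" in seen)  print "anchor"
      else                        print "absent"
    }'
}

# check_live_store: run against the real store; succeed unless X3 is still an anchor.
check_live_store() {
  command -v trust >/dev/null 2>&1 || { echo "p11-kit 'trust' tool not found" >&2; return 2; }
  status=$(trust list | dst_x3_status)
  echo "DST Root CA X3 trust status: $status"
  [ "$status" != "anchor" ]
}

# Constructed sample of `trust list` output (not captured from a real system): X3 is
# listed once as an anchor and once as blacklisted; the classifier handles either shape.
SAMPLE_TRUST_LIST="pkcs11:id=${DST_X3_ID};type=cert
    type: certificate
    label: DST Root CA X3
    trust: anchor
    category: authority
pkcs11:id=${DST_X3_ID};type=cert
    type: certificate
    label: DST Root CA X3
    trust: blacklisted
    category: authority"

# demo_status: classify the constructed sample above (prints "blacklisted").
demo_status() { printf '%s\n' "$SAMPLE_TRUST_LIST" | dst_x3_status; }

# Run the offline demo by default; pass --live to inspect the real trust store.
if [ "${1-}" = "--live" ]; then check_live_store; else demo_status; fi
```

Run it with `--live` on the SNG7 box after `update-ca-trust extract`; a non-zero exit means the expired root is still treated as an anchor and the manual fix has not taken effect.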
Notes on FreePBX 13 and below
We currently have no plans to patch FreePBX 13 and below, so on Oct 1st, 2021 the Let's Encrypt hooks inside FreePBX will stop functioning properly. We recommend that anyone running FreePBX 13 upgrade to FreePBX 15 or above.