LetsEncrypt Cert Expired - Didnt Update

defcomllc · January 19, 2023, 2:46pm

Our main office Fully licensed FreePBX deployment’s LE cert is expired I just noticed, didnt update. I tried manually updating it and it wont… Expired 1/15/23…

Now before we get into all the did you open 80 and all, yes its full port forwarded and this deployment has been running for years without ever having an issue with LE updating and renew the cert. I just checked another deployment at a client, their LE cert expires 1/27/23 and trying to manually update it also isnt working… So something is going on…

I ran updating from CLI fwconsole certificates --updateall from the console and I get the following error:

There was an error updating certificate “voip.XXXXXX.com”: Curl: TCP connection reset by peer

Why is LE cert renewal all of a sudden not working?? Suggestions…

I ran the cert update command from the console 4 times. It FINALLY updated sucessfully on the 4th try. There is no issue with LE reaching out on port 80… I can see it reaching out on port 80 without issue each time I run the update command in Sessions on my Arista ETM firewall, which I have 80 forwarded to my interntal PBX Static IP like its been for years without ever having my LE cert expire…

PBX Version: 16.0.30
PBX Distro: 12.7.8-2208-2.sng7
Asterisk Version: 16.29.1

ozarktech · January 19, 2023, 3:04pm

I ran into this on several deployments. Not sure what is going on. I was able to just delete the cert the create a new one and it worked.

leo85 · January 19, 2023, 6:58pm

I’m about to plunge into Let’s Encrypt with my own v15, and wondering if this is only v16 issue?
Can anyone confirm this is isolated issue of v16?

defcomllc · January 19, 2023, 7:00pm

I can confirm issue also on v15 client deployments as well. Its not expired, but hasnt renewed and clicking Update Certificate is not doing anything on fully updated v15 deployment… Expires 1/27/23…

leo85 · January 19, 2023, 7:07pm

Bummer, thanks for confirming this.

jlizzotte04 · January 19, 2023, 7:27pm

I have found that sometimes I have to run

“fwconsole cert --updateall --force” on putty on the PBX and it works fine.

defcomllc · January 19, 2023, 7:31pm

I had to run that 4-5x to get it to updated today after seeing my LE cert expired on 1-15-23… That doesnt resolve my questions/concerns as to why LE cert is no longer auto updating anymore???

dobrosavljevic · January 20, 2023, 4:14am

Can confirm that non renewing certificates happened on several of our deployments in the last month or so. In one instance it even broke our Advanced Recovery module that was using https to check on server status (since has been switched to http to avoid this issue in the future).

However, in our case running fwconsole cert --updateall worked on the first try on each and every system without any errors.

We were going to keep an eye on it and see if it continues to be a problem on these systems when the next automatic renewal comes around.

dicko · January 20, 2023, 4:21am

Many agree that the acme client bundled with the ‘distro’ is woefully outdated and inadequate. Until it is replaced don’t expect too much.

leo85 · January 20, 2023, 5:38pm

Oh well good news when I decided to use real cert in my PBX, I hear this

eNetKC · January 31, 2023, 2:39am

Another bump for the let’s encrypt module that would not update. My le cert expired yesterday and would not renew. “fwconsole cert --updateall -force” renewed it from the ssh command line on the first try.

system · March 3, 2023, 2:40am

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.