LetsEncrypt cert failure to renew on system after several years working

Just discovered a system this AM that has been running fine for years suddenly stopped updating its LetsEncrypt cert. All we’ve done to it is install system and module updates as available. Over an hour of troubleshooting to resolve. Add this to the list of systems where some update broke the cert update process somewhere/how.

Call support? LOL
Open a bug report? Not gonna spin those wheels.

And what was the resolution?


I find the automatic renewal of Let’s Encrypt Certs happens about 70% of the time - We just had to institute a scheduled automatic check of the systems every 60 Days - we only have about 40 now so it’s about 30 minutes every two months - a little annoying, but there seems to be no fix for the problem, and no predictable outcome - some systems stop - we renew the Cert - and then they go fine for a year or more and then fail again - some systems have to be done almost every time and since they are all (at this point) on Vultr, so they are coming from the same platform - weird. I would be thrilled if this was automated the way it was promised.

Yeah but may not be FreePBX, I have constant issues on a Plesk system and that uses DNS-01 which seems to fail the challenge even though the TXT record is 100% correct.

Yeah, I am 100% consistent about how they are set up - I use Cloudflare and Google for DNS, and yet it really is unpredictable - I just don’t know enough about how the service works - weird thing too is that if you let the Let’s Encrypt Cert expire, even though renew is an option, it NEVER works - I always have to delete the Cert, and then re-request the exact same cert and it works every time.

After digging around in logs and config files for hours, I found that the hostname had reverted to the default (sangoma-something-something). I changed it back in System Admin and then was able to generate a cert (I’d long since deleted the one that was there in an attempt to fix).

Again, this system has been running YEARS without this issue. Based on SangomaConnect also breaking with a module update last week, I suspect something similar with the cert/hostname.

It’s to the point that we are afraid any time we have to touch these systems; updates seem to break more than they fix. Pathetic.
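A sketch of the scheduled check and the hostname problem described in the posts above, added here as an example; it is not code from any poster or from FreePBX. The host name `pbx.example.com`, the 30-day warning threshold and the sample certificate are constructed assumptions; only Python standard-library calls are used.

```python
import socket
import ssl
import time

WARN_DAYS = 30  # assumption: flag certs with fewer than 30 days left


def classify(cert, now, warn_days=WARN_DAYS):
    """Classify a dict shaped like ssl.SSLSocket.getpeercert() output."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = int((expires - now) // 86400)
    if days_left < 0:
        return "EXPIRED", days_left
    if days_left < warn_days:
        return "RENEWAL_OVERDUE", days_left
    return "OK", days_left


def hostname_drifted(expected_fqdn, actual=None):
    """True if the local hostname no longer matches the name on the cert."""
    if actual is None:
        actual = socket.getfqdn()  # run this on the PBX itself

    def norm(name):
        return name.strip().lower().rstrip(".")

    return norm(actual) != norm(expected_fqdn)


def check_host(host, port=443, timeout=10):
    """Fetch and classify the live certificate (needs network access)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return classify(tls.getpeercert(), time.time())
    except ssl.SSLCertVerificationError as exc:
        # An already expired or mismatched cert fails the handshake here.
        return "VERIFY_FAILED", exc.verify_message
    except OSError as exc:
        return "UNREACHABLE", str(exc)


if __name__ == "__main__":
    for name in ["pbx.example.com"]:  # placeholder inventory
        print(name, check_host(name))
        print(name, "hostname drifted:", hostname_drifted(name))
```

Run daily from cron on a monitoring host, this reports a stalled renewal while the old certificate is still valid instead of after it expires.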

Just out of curiosity, since v15 is Security Fixes Only at this point, when was the module update released? I can’t see any major or serious updates on v15 modules for the last 2 years. As far as the open source side goes.

Sounds like a different issue but in case this happens to anyone else, I’ve had some where a cron job disappears that then doesn’t renew certs. The line is in /var/spool/cron/asterisk. The date can be whatever.

I can’t say when the cert update thing broke. This was slightly different in that on most other systems it’s the cron job that breaks first, then after a while even a manual update of the cert fails. In this case, both happened at the same time.

And yes, we did install several module updates last week, including SangomaConnect. But the cert thing must have happened a while back, since they last 60 days and the one on this system expired Jan 2.

We just need shit to work. I’m up to my eyeballs in basic software functionality that breaks because Company X decided the C Suite would look better this quarter if it spent no money on code QC, and then also no money on support. Microsoft, Sangoma, Google…all doing the same shitty thing.

Pulling the 15 module.xml from mirror.freepbx.org. Things updated in the last year in bold. This does not include commercial as it was a simple get of the mirror url without extra parameters.

Module Date
accountcodepreserve 01/24/2018
allowlist 04/28/2023
amd 08/14/2020
announcement 01/21/2021
api 09/26/2023
arimanager 03/14/2023
asterisk-cli 01/19/2021
asteriskinfo 01/21/2021
backup 01/09/2024
blacklist 11/07/2022
bulkhandler 09/15/2022
calendar 02/07/2023
callback 01/18/2021
callforward 06/06/2024
callrecording 10/10/2024
callwaiting 07/26/2021
cdr 11/14/2024
cel 03/22/2024
certman 02/14/2022
cidlookup 03/06/2023
conferences 06/30/2021
configedit 11/25/2020
contactmanager 12/18/2023
core 08/29/2024
customappsreg 08/17/2020
customcontexts 06/24/2020
cxpanel 03/11/2020
dahdiconfig 05/19/2023
dashboard 10/05/2023
daynight 08/17/2020
dictate 08/17/2020
digiumaddoninstaller 11/25/2020
digium_phones 05/09/2022
directory 09/27/2023
disa 11/25/2020
donotdisturb 07/26/2021
dynroute 06/14/2022
extensionsettings 03/01/2016
fax 11/07/2021
featurecodeadmin 01/21/2021
filestore 10/27/2023
findmefollow 06/08/2023
firewall 10/11/2022
framework 09/30/2024
fw_langpacks 10/21/2016
hotelwakeup 02/09/2021
iaxsettings 11/25/2020
infoservices 08/19/2020
irc 09/26/2018
ivr 09/12/2022
languages 11/10/2022
logfiles 12/15/2021
manager 04/08/2024
miscapps 11/25/2020
miscdests 11/25/2020
music 11/25/2020
outroutemsg 09/10/2019
paging 06/05/2023
parking 11/25/2020
phonebook 08/20/2020
phpinfo 06/19/2015
pinsets 01/05/2021
pm2 02/28/2022
presencestate 03/01/2021
printextensions 11/25/2020
queueprio 12/04/2019
queues 11/17/2023
recordings 08/29/2023
restapi 11/14/2018
ringgroups 07/19/2022
setcid 08/19/2020
sipsettings 09/04/2022
sipstation 02/22/2024
sms 04/03/2023
soundlang 01/12/2021
superfecta 05/06/2024
timeconditions 10/06/2021
tts 09/16/2021
ttsengines 08/19/2020
ucp 03/15/2023
userman 12/09/2024
versionupgrade 10/25/2023
vmblast 09/09/2021
voicemail 11/14/2024
weakpasswords 12/03/2016
webrtc 12/03/2024
xmpp 09/16/2021

You didn’t answer my question. What was the date of the version release you installed? Did they release an update 2 months ago? Last week? Or did you just perform an update that was released a year ago?

I’m curious because non-commercial stuff has barely been touched in v15 since the end of 2023. It’s officially in a status that it should only receive security updates. Was this a security update?

I really didn’t review them all but the framework update was adding Google Analytics and that was the big update. As I said major or serious updates as the few I reviewed had very simple updates.

But thanks for this, I’m curious as to what other non-security updates were made for this.

I don’t know, Tom. It showed up as an available update so we installed it. This is what shows in the change log.
I guess we have to start logging every action we take with FreePBX…or just leave functioning systems alone.
Also, this link in Module Admin is 404.
At this point I feel like I’m pointlessly beating a dead horse. Code is broken, support is broken. Sangoma is tacit. I’m punching out and doing productive things.

I know you’re frustrated and upset about the current situation and I get it. We all are not happy about it. But I have tried numerous times to extend a helping hand to try and get your problems resolved but getting actionable information from you to work with has been a blood out of a stone story. So I’ll just let you be.

