Letsencrypt cert stopped working

My PBX letsencrypt has stopped working and I cannot log into dashboard via UI because of the expired cert.

It has been working fine for years.

I have added a text file named “ping” that contains “pong” under the .well-known and .freepbx-known folders, such that the following two curl commands return “pong”.

curl http://REDACTED/.well-known/acme-challenge/ping

curl http://REDACTED/.freepbx-known/ping

I have disabled the firewall to ensure the request isn’t being blocked.

I have tested this using the local network and over the internet.

Here is the CLI output showing a 503 error, but it is not clear who the 503 comes from. Can anyone point me in the direction to go?

$ sudo fwconsole certificates --updateall
[sudo] password for myusername:
Processing: redacted.example.com, Local IP:, Public IP:
Self test: trying http://redacted.example.com/.freepbx-known/d6cb0a9dbd3606bb8cf6c3460070d456
Self test: received d6cb0a9dbd3606bb8cf6c3460070d456
Requested 'http://redacted.example.com//.freepbx-known/d6cb0a9dbd3606bb8cf6c3460070d456' -
Service Unavailable

Service Unavailable
HTTP Error 503. The service is unavailable.

Getting list of URLs for API
Requesting new nonce for client communication
Account already registered. Continuing.
Sending registration to letsencrypt server
Sending signed request to https://acme-v02.api.letsencrypt.org/acme/new-acct
Account: https://acme-v02.api.letsencrypt.org/acme/acct/REDACTED
Starting certificate generation process for domains
Requesting challenge for redacted.example.com
Sending signed request to https://acme-v02.api.letsencrypt.org/acme/new-order
Sending signed request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/REDACTED
Got challenge token for redacted.example.com
Token for redacted.example.com saved at /var/www/html/.well-known/acme-challenge/y0M60O6siZmyPB4ISQVf2vQhL2BCYlStHi4vhlRIwTk and should be available at http://redacted.example.com/.well-known/acme-challenge/y0M60O6siZmyPB4ISQVf2vQhL2BCYlStHi4vhlRIwTk
Sending request to challenge
Sending signed request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/REDACTED/J2sZww
Verification pending, sleeping 1s
Sending signed request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/REDACTED/J2sZww

   ** Requested 'http://redacted.example.com//.freepbx-known/d6cb0a9dbd3606bb8cf6c3460070d456' -
      Service Unavailable

      Service Unavailable
      HTTP Error 503. The service is unavailable.

   ** The PBXact Firewall is not enabled.

   ** The LetsEncrypt servers only send challenge queries to port 80. Certificate requests will fail if public access via port 80 is not available.

There was an error updating certificate "redacted.example.com": Unable to update challenge :: authorization must be pending

Your GUI access should work even with an expired cert. I think there must be something wrong with your web server on that unit for it not to be accepting any connections, as the verification step for the cert is failing as well; it’s unable to connect to port 80 either, for whatever reason.

Verify that the web server on your PBX is working correctly.

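The reply above suggests verifying the web server itself. The script below is an added example, not FreePBX code and not something posted in this thread: it repeats the "Self test:" step from the fwconsole output (write a token under the webroot, fetch it over plain HTTP on port 80) and records which server answered, so a 503 can be attributed to the PBX's own web server or to a device in front of it. The webroot path, the `acme-selftest` user agent and the hostname are assumptions; the verdict logic takes an injectable `fetch` so it can be exercised without a live host.

```python
"""ACME HTTP-01 self-test written to mirror the check that
`fwconsole certificates --updateall` runs before it talks to Let's Encrypt.
Added example, not FreePBX code. Paths and hostnames are assumptions."""
import os
import secrets
import sys
import urllib.error
import urllib.request

# Assumed FreePBX webroot; the thread's log shows tokens written under /var/www/html.
WEBROOT = "/var/www/html"
CHALLENGE_DIRS = (".well-known/acme-challenge", ".freepbx-known")


def challenge_url(base, challenge_dir, token):
    """Join host, directory and token with exactly one slash between parts.
    The fwconsole log requests 'http://host//.freepbx-known/...'; most servers
    ignore the doubled slash, but the clean form is worth testing as well."""
    return f"{base.rstrip('/')}/{challenge_dir.strip('/')}/{token}"


def write_token(webroot, challenge_dir, token):
    """Drop a token file where the web server should serve it; returns the path."""
    directory = os.path.join(webroot, challenge_dir)
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, token)
    with open(path, "w") as f:
        f.write(token)
    return path


def http_fetch(url, timeout=10):
    """GET url and return (status, headers, body). HTTP error responses are
    returned rather than raised so a 503 page can be inspected."""
    req = urllib.request.Request(url, headers={"User-Agent": "acme-selftest"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            return r.status, dict(r.headers), r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, dict(e.headers), e.read().decode("utf-8", "replace")


def diagnose(url, expected_token, fetch=http_fetch):
    """Classify one challenge fetch. 'fetch' is injectable for offline testing."""
    status, headers, body = fetch(url)
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status == 200 and body.strip() == expected_token:
        verdict = "ok"
    elif status == 200:
        verdict = "wrong-body"     # something answered, but not our token file
    elif status == 404:
        verdict = "not-found"      # web server reached, token not served
    elif 500 <= status <= 599:
        verdict = "server-error"   # the 503 case seen in the thread
    else:
        verdict = "unexpected"
    stripped = body.strip()
    return {
        "url": url,
        "status": status,
        # The Server header and the wording of the error page identify who
        # answered: the PBX's own web server or a device/proxy in front of it.
        "server": hdrs.get("server", "<no Server header>"),
        "body_head": stripped.splitlines()[0] if stripped else "",
        "verdict": verdict,
    }


if __name__ == "__main__":
    # usage: python acme_selftest.py http://redacted.example.com   (hostname assumed)
    base = sys.argv[1] if len(sys.argv) > 1 else "http://redacted.example.com"
    token = secrets.token_urlsafe(16)
    for d in CHALLENGE_DIRS:
        write_token(WEBROOT, d, token)
        # Test both the clean URL and the doubled-slash form fwconsole used.
        for u in (challenge_url(base, d, token), f"{base}//{d}/{token}"):
            r = diagnose(u, token)
            print(f"{r['verdict']:12} {r['status']} server={r['server']!r} {r['url']}")
            if r["verdict"] != "ok":
                print(f"             first body line: {r['body_head']!r}")
```

Run it from a host outside the LAN as well as on the PBX itself: if the two runs disagree on the `server` value or the verdict, the answer comes from whatever sits between the internet and port 80 on the PBX rather than from the PBX's web server.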

I demonstrated that the curl commands work onsite and offsite. Which line shows you that the port 80 access isn’t working - that will help me track it down?

The PBX portal pulls up, but my Chrome browser won’t allow me to ignore the expired certificate for the whole browsing session, so I can’t authenticate to access settings.

I was able to use Mozilla to get into the dashboard. Are you interested in seeing anything in particular? Thanks!

No module or system updates are available

I made an assumption based on the fact that Let’s Encrypt says it’s unable to connect to the PBX as well as your statement that you weren’t able to connect to HTTPS. I didn’t realize that Chrome started blocking access to sites with expired certificates. I was going to suggest using a different browser but I see you already did that.

Does redacted.example.com (whatever your external fqdn is on the PBX/certificate) resolve to the correct external IP for your PBX still?


Yes. I confirmed this using the local network. And then disconnected and connected to a Comcast hotspot and confirmed the IP matched. And now I have also confirmed offsite.

And curl to port 80 from the external network works just fine? If so, maybe time to try and recreate the cert request in the PBX?
