Let's Encrypt certificate renewal caused phone outage

freepbx
letsencrypt

(United States) #1

Hi everyone! I was wondering if anyone had experienced what I have, and I am hoping for maybe extra information on what direction I can go or even what logs I can possibly read.
So last night around 5am my FreePBX server did its Let's Encrypt certificate renewal. It updated the certificate fine, but all phones became unregistered with the server and could not re-register. I woke up to this message on the dashboard.
“Some SSL/TLS Certificates have been automatically updated. You may need to ensure all services have the correctly update certificate by restarting PBX services”
So I did the needful and issued an Asterisk restart. Phones were able to register and problem solved. What I want to know is why it happened, and I can’t seem to find a place for any logs or where to dig. Is this just a normal thing that can happen from time to time with updating a Let's Encrypt certificate? It has updated itself before and everything went fine. If I needed to script an Asterisk restart within the workflow of the certificate update, that’s fine. I am just hoping to find an explanation. :man_shrugging:
Thank you for any help! :slight_smile:


(Jared Busch) #2

First, you likely did not have to restart anything. That is a warning and not an error.

Second, as for your problem, it likely broke the firewall when it self updated. See the numerous threads here about fail2ban and firewall issues.


(United States) #3

So what I don’t get, though, is fail2ban and the firewall are separate from Asterisk, right? Why would a “core restart now” fix the problem? I didn’t restart any other services, just Asterisk.


#4

You are correct, “core restart” will not restart any other services that FreePBX might depend on.

Perhaps fwconsole restart?

In the FreePBX ecosystem, Asterisk is not started as a service, so if you have a systemd asterisk.service you should disable it.


(United States) #5

Well, this is good and all, but I am just wondering what may have caused it, as fixing it was an Asterisk restart, not a change on fail2ban or the firewall.