My LetsEncrypt cert tried to update last night and sent me this error
Some Certificates are expiring or have expired:
There was an error updating certificate "pbx.xxxxxx.com": Error
- Failed connect to pbx.xxxxxx.com:80; Connection timed out' when
I am using System Admin version 126.96.36.199, which includes the LetsEncrypt port 80 setting. I also have port 80 forwarded in my router.
I attempted to disable the LetsEncrypt port in System Admin and change my UCP and my admin port to 80 (at separate times) but when the page reloaded no changes were made.
I have my firewall correctly set up as well, according to the certificate management page.
I disabled my firewall and successfully updated my cert. But I’d like to find the root cause. According to my system, I have my firewall rules set up correctly.
LetsEncrypt requires the following hosts to be permitted for inbound http access:
outbound1.letsencrypt.org, outbound2.letsencrypt.org, mirror1.freepbx.org, mirror2.freepbx.org
These entries are correctly set up in the Firewall module. However, it's possible that other external firewalls may block access. If you are having problems validating your certificate, this could be the issue.
The way I understand it - the Integrated Firewall knows about the cert sites and should allow them in. You can "belt and suspender" that by adding those four sites to the Sysadmin whitelist and to the firewall.
Your PBX is non-routable, so your external firewall should (correctly) block SYN Access to port 80, or at least answer on port 80 that you aren’t authorized to access the network. That would be a common and “best practice” method. Remember, the cert request isn’t coming from port 80 (IIRC), so NAT will not have opened to that port from the cert host.
Moving the PBX to your DMZ is dangerous, because it exposes the system to more scrutiny. Leaving it in the secure enclave would be my recommendation. Open the ports from certain hosts to certain port (In this case, the four cert hosts, port 80) and redirect those bi-directionally to port 80 on the PBX. Then, in the integrated firewall, you can just list the hosts in the Trusted Zone, knowing that the only SYN traffic coming to your PBX from there will be port 80 stuff.
I’m not sure why turning the firewall off on the PBX would have made any difference. From what we understand, it shouldn’t have.
I’ve added the LetsEncrypt addresses to my systemadmin whitelist to be safe. Below are the addresses I have trusted in my firewall. I assume these are accurate, correct? Being that disabling the firewall allowed the cert to renew tells me that the issue is in my firewall settings, correct?
I too use LetsEncrypt (LE) to provide trusted connections, however my test environment located at my home office has port 80 blocked by the ISP, although for extra $$ I could get that removed.
LE has another option for renewing the certificate, which is to edit the DNS record with some text to prove you are making a legitimate request. Thus, if you have access to your domain records and can make a quick edit, you could use this second method to renew your certs.
Personally, I would drop the firewall on renewal day, renew the cert, and then bring them back up. I also wish that LE would relax the tight window, and let the certs live for 6 months or a year at a crack.
I myself have done the same thing. When I get the alert advising it could not renew, I disable the FreePBX firewall, run the cert renewal via the FreePBX portal and then enable the firewall afterwards.
Seems like there is a bug in the Certificate Management in setting up the firewall to permit the LetsEncrypt renewals.
Is this something new? There are over a dozen systems I manage where every 3 months I am disabling the firewall inside FreePBX and then running the certificate manager update on the LetsEncrypt cert so it will update properly.
Each time I take the opportunity to also update the modules before doing this to see if a module update would correct this to no avail.
Chiming in here - I just got a new Sangoma PBX with the latest firmware. I have the Lets Encrypt Port set to port 80, have my firewall port forwarding correctly (I am able to connect to it externally from whitelisted IPs found on both my firewall and the PBX firewall), had the firewall entries for Let’s Encrypt and could not get the certificate to work without disabling my firewall on the PBX first.
The issue is most likely with the firewall rules on the PBX for Let's Encrypt; the ones provided might not be sufficient here? How are DNS entries validated against requests incoming from various IPs? Are reverse DNS calls made to see if an IP resolves to a whitelisted entry? Let's Encrypt documentation says their validation requests can come from a variety of IPs and there's no set list to "whitelist". Do we know if Let's Encrypt even guarantees there will be a hostname tied to the requests/IPs they send? From what I'm reading, Let's Encrypt does not recommend trying to do any sort of whitelist when using http challenges and to switch to dns challenges instead if this isn't feasible.
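The two challenge types the thread discusses (the DNS-record renewal option mentioned earlier and the HTTP validation from unpublished IPs in the post above), worked through as an added example. This is not code from any post here and not FreePBX's own certificate manager; it computes the HTTP-01 and DNS-01 responses as RFC 8555 and RFC 7638 define them, using a constructed account key, a made-up token and the assumed domain pbx.example.com, and then models the thread's failure mode: a firewall that only admits listed source IPs in front of the HTTP-01 responder makes validation fail from any vantage point that is not on the list.

```python
"""ACME challenge responses (RFC 8555) with the account-key thumbprint from RFC 7638.

Added example for this thread; not FreePBX code. The account key, domain and
token below are constructed sample values, not real ones.
"""
import base64
import hashlib
import json
import re

TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")  # ACME tokens use base64url characters only


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Constructed sample account key (NOT a real key; the modulus bytes are made up).
SAMPLE_ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": b64url(bytes(range(1, 65)))}
SAMPLE_DOMAIN = "pbx.example.com"                    # assumed domain
SAMPLE_TOKEN = b64url(b"constructed-token-bytes-0")  # constructed challenge token


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 of the required members only, keys sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return b64url(hashlib.sha256(canonical).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token '.' thumbprint: the value both challenge types are derived from."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """DNS-01: base64url(SHA-256(key authorization))."""
    return b64url(hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest())


def dns01_record(domain: str, token: str, jwk: dict) -> tuple:
    """(record name, TXT value) to publish; no inbound port 80 needed at all."""
    return f"_acme-challenge.{domain}", dns01_txt_value(token, jwk)


class Http01Responder:
    """Answers GET /.well-known/acme-challenge/<token> on port 80.

    Deliberately no source-IP check: the CA fetches from several vantage points
    whose addresses are not published, so every client must get the answer.
    """

    def __init__(self, jwk: dict):
        self.jwk = jwk
        self.pending = set()

    def add_challenge(self, token: str) -> None:
        self.pending.add(token)

    def handle(self, path: str) -> tuple:
        prefix = "/.well-known/acme-challenge/"
        if not path.startswith(prefix):
            return 404, ""
        token = path[len(prefix):]
        if not TOKEN_RE.match(token) or token not in self.pending:
            return 404, ""  # also rejects '../'-style tokens before any lookup
        return 200, key_authorization(token, self.jwk)


def ip_allowlisted_fetch(responder, path, src_ip, allowlist) -> tuple:
    """Models a firewall that only lets listed hosts reach port 80 (the thread's setup)."""
    if src_ip not in allowlist:
        return 0, ""  # SYN dropped: the CA reports a connection timeout
    return responder.handle(path)


def ca_validate_http01(status, body, token, jwk) -> bool:
    """CA side: the body must equal the expected key authorization."""
    return status == 200 and body.strip() == key_authorization(token, jwk)


def ca_validate_dns01(txt_value, token, jwk) -> bool:
    return txt_value == dns01_txt_value(token, jwk)


if __name__ == "__main__":
    r = Http01Responder(SAMPLE_ACCOUNT_JWK)
    r.add_challenge(SAMPLE_TOKEN)
    path = f"/.well-known/acme-challenge/{SAMPLE_TOKEN}"
    # Constructed vantage points: one on the allowlist, one not (the CA publishes no list).
    for src in ("203.0.113.10", "198.51.100.7"):
        status, body = ip_allowlisted_fetch(r, path, src, {"203.0.113.10"})
        print(src, "->", ca_validate_http01(status, body, SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK))
    print(dns01_record(SAMPLE_DOMAIN, SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK))
```

Running the script shows the allowlisted vantage point validating and the unlisted one failing with the same connection timeout the first post reports; the DNS-01 record it prints is what you would publish instead if port 80 cannot be opened to the whole Internet (the responder only ever reveals the key authorization, never the account private key, so serving it to everyone is safe).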