Locked Out of Admin Web Page

from the ‘locked out’ machine

curl -vv https://theurl.onyour.certificate.com:nnn

where nnn is the port your service is running on should give you a clue.

if the ‘resolver’ for that machine is the pfsense device then it needs to correctly identify

dig @pfsense A theurl.onyour.certificate.com

to your service to let the connection proceed if given a valid cert and key

if you are proxying https through haproxy with strict sni, as previously discussed, then let haproxy provide the TLS certificates for all proxied services and know that connections to the IP on any port will be curtly dropped; only the url will work (which must be properly set internally)

from the internet , your port 80 replies

curl -s http://nollivoipserver.nollicomm.net/|html2text

****** nollivoipserver.nollicomm.net ******
***** This Domain is Under Construction *****
Please Check Back Later
[Powered_by_Misk.com]

same goes for phones.nollicomm.net

neither is an FPBX machine.

of record

and

https://crt.sh/?id=6197287585

I wouldn’t recommend the use of wildcard certs for TLS transport for voip in general and specifically, using a wildcard cert with haproxy kinda defeats the purpose of ‘strict SNI’ protection.
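What the strict-SNI arrangement described in this post and the earlier one looks like in haproxy terms, as an added example rather than the poster's own configuration: one certificate per proxied name, an SNI-keyed routing rule, and no default backend for anything that does not match. The hostname, paths, backend address and internal CA file are placeholders.

```haproxy
# Added example, not the thread's configuration. Names, paths and the
# backend address (192.0.2.10, documentation range) are placeholders.

frontend https_in
    # strict-sni: a ClientHello whose server name matches no certificate in
    # the crt-list is refused at the handshake. That covers clients that
    # connect to the bare IP and send no SNI at all.
    bind :443 ssl crt-list /etc/haproxy/crt-list.txt strict-sni

    # Route on the negotiated SNI, not on the Host header, so the name the
    # certificate was issued for is the only way to reach the admin page.
    acl is_pbx ssl_fc_sni -i pbx.example.com
    use_backend pbx_admin if is_pbx

    # Anything else (for example a second label on a wildcard cert) gets
    # refused rather than falling through to a real service.
    default_backend refuse

backend pbx_admin
    # Re-encrypt to the PBX and verify its internal certificate; do not use
    # "verify none" just because the hop is on the LAN.
    server pbx 192.0.2.10:443 ssl verify required ca-file /etc/haproxy/internal-ca.pem

backend refuse
    http-request deny deny_status 403
```

The crt-list file holds one line per PEM (key, leaf and intermediates concatenated), optionally followed by the names it may be served for, e.g. `/etc/haproxy/certs/pbx.example.com.pem pbx.example.com`. A wildcard line such as `/etc/haproxy/certs/wildcard.pem *.example.com` also satisfies strict-sni, but for every label under the domain, so a guessed name like `anything.example.com` passes the SNI filter and only the `ssl_fc_sni` ACL stands between it and a backend; that is the sense in which a wildcard certificate undercuts the protection.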

Well, Dicko, you seem onto something and I have to say it’s flying over my head. When I do an openssl s_client -connect nollivoipserver.nollicomm.net:443, I get:

verify error:num=21:unable to verify the first certificate

Not sure how to address this error…I am searching as I type.

Basically you need proper DNS routing and cert management

dig A nollivoipserver.nollicomm.net 

; <<>> DiG 9.16.22-Debian <<>> A nollivoipserver.nollicomm.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40657
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;nollivoipserver.nollicomm.net. IN      A

;; ANSWER SECTION:
nollivoipserver.nollicomm.net. 300 IN   A       34.203.101.184

;; Query time: 31 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Mon Feb 21 18:19:04 PST 2022
;; MSG SIZE  rcvd: 74

whois -h whois.cymru.com ' -v -f 34.203.101.184'
14618   | 34.203.101.184   | 34.192.0.0/12       | US | arin     | 2016-09-12 | AMAZON-AES, US

Neither the internet nor your intranet can be convinced that your server is a FreePBX box behind a pfsense box, because it is not seen that way; it resolves to a placeholder at Amazon.

https to your main domain is being proxied by cloudflare, so https://nollicomm.net is certified and secured with SNI; http://nollivoipserver.nollicomm.net will respond but insecurely, https://nollivoipserver.nollicomm.net will not. Let’s compare and contrast the chain returned (or not) between

openssl s_client -showcerts -connect nollivoipserver.nollicomm.net:443

and

openssl s_client -showcerts -connect nollicomm.net:443

Whatever is serving certs at nollivoipserver.nollicomm.net:443 is not doing so, it would need to agree on an exchange of info with cloudflare using your full and proper domain name against your cloudflare wildcard *nollicomm.net cert to do so
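The chain comparison suggested above, as an added example that is not part of the original thread: a Python script that reads `openssl s_client -showcerts` transcripts and reports how many certificates each host sent, whether they link to each other, and what the final verify code means. The three transcripts embedded in it are constructed (hostnames taken from the thread; issuer names and certificate bodies are placeholders) so it runs offline. The third one mimics a refused handshake and shows why a `Verify return code: 0 (ok)` in that situation proves nothing, since no certificate was received.

```python
"""Compare certificate chains from 'openssl s_client -showcerts' runs.

Added example, not code from the original thread. It parses transcript text
only; the transcripts below are constructed (hostnames from the thread,
placeholder issuer names and certificate bodies), so it runs offline.
Capture a real one with:
    openssl s_client -showcerts -servername HOST -connect HOST:443 </dev/null
"""
import re

# -showcerts prints " N s:<subject>" and "   i:<issuer>" before each PEM block.
# OpenSSL 1.0.x writes "/CN=host" instead of "CN = host"; both are kept as text.
SUBJECT_RE = re.compile(r"^\s*(\d+)\s+s:(.*)$")
ISSUER_RE = re.compile(r"^\s*i:(.*)$")
VERIFY_RE = re.compile(r"^Verify return code:\s*(\d+)\s*\(")

# X509_V_ERR_* codes seen most often when debugging a proxy or PBX front end.
VERIFY_HINTS = {
    0: "chain verifies against the local trust store",
    10: "a certificate in the chain has expired",
    18: "the leaf is self-signed; clients must trust that exact cert",
    19: "the chain ends in a self-signed root the client does not trust",
    20: "the chain stops at a cert whose issuer the client cannot find",
    21: "only the leaf was sent and its issuer is not trusted locally; "
        "the server must also send the intermediate CA certificate",
}


def parse_s_client(transcript):
    """Subject/issuer pairs in the order sent, plus the final verify code."""
    chain, verify, current = [], None, None
    for line in transcript.splitlines():
        m = SUBJECT_RE.match(line)
        if m:
            current = {"depth": int(m.group(1)), "subject": m.group(2).strip(), "issuer": None}
            chain.append(current)
            continue
        m = ISSUER_RE.match(line)
        if m and current is not None and current["issuer"] is None:
            current["issuer"] = m.group(1).strip()
            continue
        m = VERIFY_RE.match(line)
        if m:
            verify = int(m.group(1))
    return {"chain": chain, "verify": verify}


def diagnose(parsed):
    """Turn a parsed transcript into {code, served, finding}."""
    chain, code = parsed["chain"], parsed["verify"]
    if not chain:
        # "Verify return code: 0 (ok)" is meaningless here: nothing was verified.
        return {"code": code, "served": 0, "finding":
                "no certificate received: nothing serves TLS for this name, or the "
                "handshake was refused (e.g. a strict-SNI proxy saw no matching name)"}
    # The cert at depth n must be issued by the cert the server sends at depth n+1.
    gaps = [c["depth"] for c, nxt in zip(chain, chain[1:]) if c["issuer"] != nxt["subject"]]
    if gaps:
        finding = "chain has a gap or is out of order after depth %s" % gaps
    else:
        finding = VERIFY_HINTS.get(code, "verify code %s; see verify(1)" % code)
    if code == 21 and len(chain) == 1:
        finding += " (issuer %r never appears as a subject)" % chain[0]["issuer"]
    return {"code": code, "served": len(chain), "finding": finding}


# Constructed transcripts; the PEM body is a placeholder, not a real certificate.
PEM = "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n"
LEAF_ONLY = (
    "CONNECTED(00000003)\n"
    "depth=0 CN = nollivoipserver.nollicomm.net\n"
    "verify error:num=21:unable to verify the first certificate\n"
    "---\nCertificate chain\n"
    " 0 s:CN = nollivoipserver.nollicomm.net\n"
    "   i:O = Example CA, CN = Example Intermediate\n" + PEM +
    "---\nServer certificate\nsubject=CN = nollivoipserver.nollicomm.net\n"
    "issuer=O = Example CA, CN = Example Intermediate\n---\n"
    "Verify return code: 21 (unable to verify the first certificate)\n"
)
FULL_CHAIN = (
    "CONNECTED(00000003)\n---\nCertificate chain\n"
    " 0 s:CN = nollicomm.net\n"
    "   i:O = Example CA, CN = Example Intermediate\n" + PEM +
    " 1 s:O = Example CA, CN = Example Intermediate\n"
    "   i:O = Example CA, CN = Example Root\n" + PEM +
    "---\nServer certificate\nsubject=CN = nollicomm.net\n---\n"
    "Verify return code: 0 (ok)\n"
)
HANDSHAKE_FAILURE = (
    "CONNECTED(00000003)\n"
    "error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure\n"
    "---\nno peer certificate available\n---\nNo client certificate CA names sent\n"
    "---\nSSL handshake has read 7 bytes and written 289 bytes\n---\n"
    "Verify return code: 0 (ok)\n"
)

if __name__ == "__main__":
    for name, text in (("leaf only", LEAF_ONLY), ("full chain", FULL_CHAIN),
                       ("handshake failed", HANDSHAKE_FAILURE)):
        d = diagnose(parse_s_client(text))
        print("%-17s served=%d verify=%s: %s" % (name, d["served"], d["code"], d["finding"]))
```

Running it against real captures of the two hosts named above makes the difference concrete: the one behind Cloudflare returns a leaf plus intermediate that verifies, while a host that only has the leaf installed (a common FreePBX outcome when the CA bundle is not pasted in alongside the certificate) reports code 21 with a single certificate served. The fix for 21 is on the server side, appending the intermediate to the served chain, not adding anything to the client.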

I think I understand what you’re saying but am highly confused about how to go about making the exchange of info with Cloudflare agree. I have been doing DNS queries all day and have been getting the same as the A record, which I purposely tied so as to not have the very problems I am having…not wanting nollivoipserver.nollicomm.net to resolve. Just dealing with Cloudflare was a headache.

I thought the reason for the “verify error:num=21:unable to verify the first certificate” is that I needed to include the CA into FreePBX but could not find where to do that. And, just for the hell of it, I ran:

[root@nollivoipserver ~]# openssl s_client -connect nollicomm.net:443
CONNECTED(00000003)
140190362650512:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:

no peer certificate available

No client certificate CA names sent

SSL handshake has read 7 bytes and written 289 bytes

New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1645498025
Timeout : 300 (sec)
Verify return code: 0 (ok)

I would need to buy their hosting package and that is defeating the original intent of the FreePBX plan…that’s the only way to edit the A record or a Cname. They had said this when I asked about the DNS-NSupdate. So, I thought at Cloudflare, where it seems that it imported the TXT file, I was actually adding to it

I outlined my basically quite simple personal solution more than once, which WFM; with your alternate pfsense, internally certifying sites, haproxy (or not) and cloudflare’s SNI, ‘no public access’ rat’s nested non-solution is obviously widely divergent with my thinking. I can but say "Vaya con Dios", maybe wait for the guys at pfsense?

but feel free to check back later after fixing

curl -s http://nollivoipserver.nollicomm.net/|html2text

****** nollivoipserver.nollicomm.net ******
***** This Domain is Under Construction *****
Please Check Back Later
[Powered_by_Misk.com]

Based on what you’re saying about the certificate, wouldn’t I face the same exact issue had I got the certificate via FreePBX? I need to get a hosting package from Misk…just registering the domain won’t complete the plan.

FreePBX does not issue certificates and cannot do so, but IMHO the acme client that is embedded to do that is largely broken and badly needs replacing.

So I only speak to another way of doing something which can be quite trivial, in this case I was wrong, good luck though.

So, are you saying had I installed and used Neil’s method (Github) I would not have had the certificate issue?

Given a smidgen of linux knowledge then that would first be a “what certificate issues did you experience when deploying it”, otherwise "yes but please RTFGHM (all of it to get the most out of it :wink: )"

Actually, I have no clue…this is all new to me as I am a Mac person and rarely use CLI. I am somewhat familiar with Linux, having a Mikrotik router, but far from being an expert. So, I bookmarked Neil’s page and will reevaluate all this over a two-week period to gauge whether this is all worth the time. I need to catch up on other projects.

Chalk and cheese, Mikrotik isn’t Linux, it is RouterOS, which at an ssh login would look much like any MacOS console login (which is based on OpenBSD); all the above do have a common heritage in UNIX though.

Well, I found the problem and it was my fault. I forgot to paste the CA into FreePBX, sending me on a wild goose chase diagnosing while other work projects got neglected; so a few days until fix.

Well, it’s working now, resolving locally…pfSense is the boss!