New Versions of Certman and Firewall in Edge


(Lorne Gaetz) #1

As of a few hours ago @kgupta1 has published the following module versions to the edge repo:

Certman v13.0.48 , 14.0.17 and 15.0.33
Firewall v13.0.60.14, 15.0.6.29

These versions have the most recent contributions from @jerrm for improving the firewall hook during Let’s Encrypt cert renewal. We’ve done testing internally and are not seeing any issues, but it’s in need of wider testing. Any FreePBX admin who wants to give things a try can upgrade using:

fwconsole ma upgrade certman firewall --edge

LE certs will only renew if they are nearing expiry. For testing purposes, you can force an LE cert renewal regardless of when it expires with the command:

fwconsole certificates --updateall --force

Doing a force renewal multiple times in succession will get your IP banned temporarily by Let’s Encrypt.


#2

@lgaetz, there is a second PR under this ticket that needs review before pushing this to stable. It removes the hard coded port 80 for LetsEncrypt and allows disabling all automatic rules.

A decision against the approach may have been made (which is fine), but better to avoid additional gyrations of how fwconsole firewall lerules enable|disable functions if there’s a possibility of adoption.

To everyone else, please test the current edge as @lgaetz requests. There is nothing wrong with the edge modules. It is hopefully a better/more stable implementation of the current functionality.


(Lorne Gaetz) #3

Thanks J. That ticket is on my radar now.


#4

The ban shouldn’t be anything from the IP, just additional renewal requests for a specific cert. If the cert updated/renewed it will remain fully functional, but you won’t be able to --force another renewal for the over-renewed cert for a few days. You should still be able to request new certs for different fqdns…


(Lorne Gaetz) #5

I’ve left out important details from the post above.

The above firewall module versions require ipset. On FreePBX Distro version 12+, this is installed by default, but on ver. 10.13 it needs to be installed:

# fwconsole ma install firewall
Latest firewall module is depends on 'ipset' utility which is missing so please install this by either 'yum install ipset -y' for distro(centos) or equivalent package install command as per your OS and try again.
Generating CSS...Done
Module firewall successfully installed
Updating Hooks...Done

# yum install ipset -y
Loaded plugins: downloadonly, fastestmirror, kmod, security
Setting up Install Process
*snip*
Installed:
  ipset.x86_64 0:6.11-3.el6

Dependency Installed:
  libmnl.x86_64 0:1.0.2-3.el6

Complete!

There was an error updating the certificate: Please install ipset package
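A preflight check covering the two caveats raised in this thread: the edge firewall module's ipset dependency, and the Let’s Encrypt rate limit hit by repeated forced renewals. This is an added example, not FreePBX, certman or firewall module code; the 30-day renewal threshold and 24-hour force guard are assumed policy values, and the notAfter string is a constructed sample.

```python
import shutil
import ssl
from typing import Optional

# Assumed policy values (not from the thread): renew when this close to expiry,
# and never issue a second --force within this interval, to stay clear of
# Let's Encrypt's limit on repeated renewals of the same certificate.
RENEW_WITHIN_DAYS = 30
MIN_FORCE_INTERVAL_S = 24 * 3600


def ipset_available() -> bool:
    """The edge firewall module depends on the ipset utility; refuse to run without it."""
    return shutil.which("ipset") is not None


def parse_not_after(enddate_line: str) -> int:
    """Convert `openssl x509 -noout -enddate` output ('notAfter=Jun 10 12:00:00 2025 GMT')
    to epoch seconds with the stdlib parser for certificate timestamps."""
    value = enddate_line.strip().split("=", 1)[1]
    return ssl.cert_time_to_seconds(value)


def days_until_expiry(enddate_line: str, now: float) -> float:
    return (parse_not_after(enddate_line) - now) / 86400.0


def renewal_decision(enddate_line: str, now: float, last_force: Optional[float]) -> str:
    """Return which fwconsole action is safe to run:
    'renew' : cert is near expiry, a plain `fwconsole certificates --updateall` renews it.
    'force' : cert is not near expiry (plain renewal does nothing), and no --force was
              issued within MIN_FORCE_INTERVAL_S, so a test renewal with --force is acceptable.
    'skip'  : a --force was issued too recently; repeating it risks the LE rate limit."""
    if days_until_expiry(enddate_line, now) <= RENEW_WITHIN_DAYS:
        return "renew"
    if last_force is not None and now - last_force < MIN_FORCE_INTERVAL_S:
        return "skip"
    return "force"


if __name__ == "__main__":
    # Constructed sample: a cert expiring 2025-06-10 12:00 UTC, evaluated on 2025-05-01 00:00 UTC.
    sample = "notAfter=Jun 10 12:00:00 2025 GMT"
    now = 1746057600  # 2025-05-01T00:00:00Z
    print("ipset present:", ipset_available())
    print("days left:", days_until_expiry(sample, now))
    print("action:", renewal_decision(sample, now, last_force=None))
```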