Trouble updating Let's Encrypt Certificate with non default ports


(John) #1

Currently using
http (80) and https (443) for UCP
81 for GUI Admin

HTTPS : 443 is currently the only exposed port through our external firewall.

I started getting a message on our dashboard that the certificate needed to be updated.

I launched cert management and clicked on edit for my Let's Encrypt cert, which was set as the default.

When I clicked on edit almost everything was already filled in from when I initially created the cert but the state field was empty.

So I entered our state, changed the challenge over to HTTPS and clicked update. After a long pause I got an error,
“There was an error updating the certificate: couldn’t connect to host”

Also my firewall log was showing several failures to port 80 (even though I had selected HTTPS for the challenge).
For the heck of it I permitted HTTP to pass through the firewall to the FreePBX server.
Set the state back to Texas, changed the challenge over to HTTPS and hit update; this time, after no delay, I got the error
“There was an error updating the certificate: 403 Forbidden Forbidden You don’t have permission to access /.freepbx-known/0b1eb3b5932bdb5d197915b5eb15703e on this server. Apache/2.2.15 (CentOS) Server at voice.agrilife-dallas.center Port 80”

I repeated, entered the state, selected HTTP and then hit update, but got the same error,
“There was an error updating the certificate: 403 Forbidden Forbidden You don’t have permission to access /.freepbx-known/865826b4bcfdef5888745fcecca7aa92 on this server. Apache/2.2.15 (CentOS) Server at voice.agrilife-dallas.center Port 80”

No failures/blocks are being noted on the hardware firewall.

Not sure what I might be doing wrong.


(Rob Thomas) #2

LetsEncrypt requires that ports 80 and 443 be the ADMIN interface. There's no way around that, sorry.

If you want to keep using LetsEncrypt, you’ll need to set 80 and 443 to be the admin port while you’re asking them for a certificate. You can put it back to UCP when you’re finished.


#3

I don't mean to dig up old posts, but I am having this exact problem myself! I found another post somewhere that suggested updating to the edge module for cert manager, but currently there is no edge module available - I am running the latest version.

On my PBX, I am running all default ports and have a self-signed cert installed for now. On my firewall I have allowed access from the sources required for Let's Encrypt, etc.

I can't help but feel I am missing something…


#4

I have found the problem, but it is something that is out of my control, as it's an auto-generated file that is causing the problems.

I ended up having to modify /etc/httpd/conf.d/schmoozecom.conf and comment out the following line:

RewriteRule (^\.|/\.) - [F]

This was preventing Apache from serving hidden folders. For the LetsEncrypt service to generate its certs, FreePBX generates two hidden folders to serve files from during the generation/update process:

.freepbx-known
.well-known

Maybe these folders should be added to the exceptions list in this folder?


(Preston McNair) #5

Usually best to throw this type of thing in a ticket at issues.freepbx.org; it will get to the dev team faster that way.


#6

Got the same problem and adjusting /etc/httpd/conf.d/schmoozecom.conf made no difference.


(Rob Thomas) #7

Yep, that’s a bug that slipped through QA. Sorry about that. It’s high on my list, so I’ll hopefully get to it early next week.


#8

Thanks @xrobau !

@pbx if you browse to http://<pbx ip>/.freepbx-known/<token value> in your browser do you get the 403 error?


(Rob Thomas) #9

Try Sysadmin 13.0.71.2, which is currently in 'Edge' mode - you can download it manually by switching your machine to edge, or just run 'fwconsole --edge ma upgrade sysadmin', which will get the new Sysadmin package.

Then all you need to do is go into Port management and click ‘Save’, which will generate a fixed httpd.conf!


#10

Hi @xrobau, I forgot to mention that I was running FreePBX 14 for this.

So the latest version I have available is currently 14.0.5.2 on the Edge track.


(Rob Thomas) #11

Whoops! In that case, you want to run 14.0.5.3, which I have pushed out about 5 seconds ago.


#12

Looks like it's working! I can see the new line added to /etc/httpd/conf.d/schmoozecom.conf:

RewriteRule ^/\.(well-known|freepbx-known)/ - [H=text/plain,L]

The cert updates without any issue as well.

Thanks for the fast turn around - yet again!
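As an added illustration (this is not the contents of the FreePBX-generated schmoozecom.conf and not code posted in this thread), the following fragment puts the blanket dotfile deny from post #4 beside the corrected ordering that post #12 shows. Only the two RewriteRule lines come from the thread; the RewriteEngine directive, the comments and the assumption that this sits in server/virtual-host context (where the matched path keeps its leading slash) are mine.

```apache
# Added example, not the FreePBX-generated file. Shows why the original rule
# broke Let's Encrypt validation and how the exception line from post #12
# fixes it. Assumes mod_rewrite is loaded and the rules live in server or
# VirtualHost context, so URL paths are matched with their leading "/".

# --- Before: any path containing a dot-prefixed segment is forbidden ---
# Both challenge directories FreePBX writes to (/.well-known/ and
# /.freepbx-known/) start with a dot, so every token request got a 403.
RewriteEngine On
RewriteRule (^\.|/\.) - [F]

# --- After: exempt the two challenge directories, then deny the rest ---
# Order matters: the exception must precede the deny, and [L] stops rule
# processing so the blanket [F] below never sees these requests.
# H=text/plain forces a plain-text handler for the token files.
RewriteEngine On
RewriteRule ^/\.(well-known|freepbx-known)/ - [H=text/plain,L]
RewriteRule (^\.|/\.) - [F]
```

The point of keeping the second rule rather than commenting it out (the workaround in post #4) is that the deny still protects every other dot-prefixed path under the web root; only the two challenge directories are opened. After saving, the check from post #8 still applies: a request to http://<pbx ip>/.freepbx-known/<token value> should return the token, not a 403.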


(Lucas Ryan) #13

Excellent. Just ran into this myself and that fixed it right up.


(Rob Thomas) #14

Sorry about that. We have a QA team, but occasionally there are things we just don't think about asking them to test. That was one of them. (But it's on their list now! 8)


(Lucas Ryan) #15

No problem. I won't have to switch back to the "normal" track from the Edge track, right? That command just got the edge release for that one module, correct?


(Andrew Nagy) #16

Yes you are correct!


(Ivan G) #17

Hello everyone, I'd just like to add that this problem is still happening on FreePBX 14.0.13.4. I was able to get it resolved by creating /var/www/html/.well-known and /var/www/html/.freepbx-known and applying the right write permissions to the folders. I hope that helps.