Having a problem with updating FreePBX since installing a UniFi USG gateway. The phones and FreePBX work fine, but Let's Encrypt renewal and module updates do not.
Module update reports that it is unable to connect to the online repository.
I am fairly sure this is a firewall issue. I have the usg set to allow all in and out to freepbx ip address and port forward to port 80.
Any advice please.
From a shell prompt on the PBX, does
wget example.com
work properly? How about
wget https://mirror.freepbx.org
(which should write index.html containing "False")
as below
[root@Grahome ~]# wget https://mirror.freepbx.org
--2021-01-23 21:11:59-- https://mirror.freepbx.org/
Resolving mirror.freepbx.org (mirror.freepbx.org)... 199.102.239.8
Connecting to mirror.freepbx.org (mirror.freepbx.org)|199.102.239.8|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5 [text/html]
Saving to: 'index.html'
100%[======================================>] 5 --.-K/s in 0s
2021-01-23 21:11:59 (1.05 MB/s) - 'index.html' saved [5/5]
Unless it's something very strange, this doesn't look like a firewall issue.
Try capturing traffic with tcpdump, attempt an update and see whether the mirror site is reachable, any SSL errors, etc.
The response to wget was after I turned off some firewall rules so I now know where to look for my error.
However, with those rules off I still cannot renew the Let's Encrypt certificate, so this issue remains.
Thanks for help
But those HTTPS requests are over port 443; ACME clients using HTTP-01 MUST use port 80.
I would wait for @jerrm to respond . . .
There's a difference between "updating your pbx" and "updating a LE cert".
What is the error you are getting?
Certman needs outbound ports 80 and 443 allowed, and inbound port 80.
Requests to the LetsEncrypt servers from the pbx go out over https/port 443.
Challenge queries from the LetsEncrypt servers to the pbx come in over http/port 80.
There is also a diagnostic query to http://mirror1.freepbx.org outbound over http/port 80. Certman will abort before trying LetsEncrypt if the diagnostic query fails.
The diagnostic query was apparently intended to help detect some DNS config errors, but is a little too simple-minded. It can sometimes cause certman to abort when LetsEncrypt would actually succeed if attempted. There is a pending PR that will continue on and try LetsEncrypt even if the diagnostic query fails, only presenting the error message upon a bona fide LetsEncrypt failure.
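The reachability requirements listed in the post above (PBX out over 443 to Let's Encrypt, Let's Encrypt in over 80 to the PBX, plus the outbound diagnostic query) can be rehearsed before involving Let's Encrypt at all. What follows is an added example, not certman's code and not anything from the FreePBX project: it stands up a local HTTP server that answers a challenge path of the form /.freepbx-known/<token> (the path seen in the fwconsole output in this thread; that certman's own self-test works exactly this way is an assumption), then runs one fetch-and-compare check against a good path, a wrong path, and a hypothetical /slow path that accepts the connection but answers too late, which is how the "Operation timed out" failure presents. Everything runs against 127.0.0.1 so it works offline; the token is constructed for the demo.

```python
import hashlib
import threading
import time
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Path prefix copied from the "Self test: trying ..." line in the thread;
# that certman's own check behaves exactly like self_test() is an assumption.
CHALLENGE_PREFIX = "/.freepbx-known/"
SLOW_PATH = "/slow"      # hypothetical path used only to reproduce a timeout
SLOW_DELAY = 2.0         # seconds the slow handler stalls before answering


class ChallengeHandler(BaseHTTPRequestHandler):
    """Answers one challenge URL the way the PBX must during HTTP-01."""
    token = ""
    payload = b""

    def do_GET(self):
        try:
            if self.path == CHALLENGE_PREFIX + self.token:
                self.send_response(200)
                self.send_header("Content-Type", "text/plain")
                self.send_header("Content-Length", str(len(self.payload)))
                self.end_headers()
                self.wfile.write(self.payload)
            elif self.path == SLOW_PATH:
                # Accepts the TCP connection but answers too late: what a
                # gateway forwarding port 80 to the wrong host can look like.
                time.sleep(SLOW_DELAY)
                self.send_response(204)
                self.end_headers()
            else:
                self.send_response(404)
                self.end_headers()
        except OSError:
            pass  # client already gave up; nothing to report

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_server(token, payload):
    """Serve the token on a free localhost port; returns (server, port)."""
    ChallengeHandler.token = token
    ChallengeHandler.payload = payload.encode()
    srv = ThreadingHTTPServer(("127.0.0.1", 0), ChallengeHandler)
    srv.block_on_close = False  # don't wait for the deliberately slow handler
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def self_test(url, expected, timeout=2.0):
    """Fetch url and compare the body with expected; returns (ok, detail).

    Pointed at the public FQDN from outside, this is the inbound-port-80
    check; pointed at the mirror1.freepbx.org diagnostic URL from the PBX,
    it is the outbound one. Here it only ever talks to 127.0.0.1.
    """
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode(errors="replace")
    except urllib.error.HTTPError as e:
        return False, "HTTP %d" % e.code
    except OSError as e:  # URLError, socket.timeout and friends
        return False, "request failed: %s" % e
    if body != expected:
        return False, "received %r, expected %r" % (body, expected)
    return True, "received %s" % body


def run_demo():
    """Run the three cases a practitioner wants to tell apart."""
    token = hashlib.md5(b"constructed demo token").hexdigest()  # constructed
    srv, port = start_server(token, token)
    base = "http://127.0.0.1:%d" % port
    results = {
        # inbound reachable and serving the token: what certman expects
        "challenge": self_test(base + CHALLENGE_PREFIX + token, token),
        # reachable, but another path/server answers: 404
        "wrong_path": self_test(base + "/.well-known/acme-challenge/" + token, token),
        # connection accepted, no answer in time: the 30-second timeout case
        "timeout": self_test(base + SLOW_PATH, "", timeout=0.5),
    }
    srv.shutdown()
    srv.server_close()
    return results


if __name__ == "__main__":
    for name, (ok, detail) in run_demo().items():
        print("%-10s %s  %s" % (name, "OK  " if ok else "FAIL", detail))
```

Run it as-is to see the three outcomes side by side. On a real PBX the useful variant is to keep only self_test() and call it from a host outside the gateway against http://<fqdn>/<some path the PBX serves>: a 404 means port 80 reaches a web server but not the one you expect, a "timed out" means the connection is accepted but nothing answers (typically a forward to the wrong internal address), and a connection refused or DNS error means the rule or the A record is wrong before any HTTP happens.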
Or just move to LE's well-supported DNS-01 and never have to worry about all this HTTP-01 port flappery again.
Thanks all.
Will add a rule for port 443
Dicko, how would I do the move you suggest?
Added a WAN out and WAN local rule for all ports from the IP address of the FreePBX server, but the certificate update still fails.
Thanks for all help
Should update that module updates work now, but still not the Let's Encrypt certificate.
Using dns-01 auth would require forgoing the GUI and using another LetsEncrypt client like acme.sh or certbot.
Update certman to the current edge version:
fwconsole ma downloadinstall certman --edge
Then post full output of:
fwconsole cert --updateall --force
If you feel you have to edit and change the FQDN and IPs for the forum, then PM me an unadulterated version.
I tried to send the info directly to you; did it reach you?
Thanks
It did not.
[root@Grahome ~]# fwconsole cert --updateall --force
Forced update enabled !!!
Processing: grahome.ralphgraham.org, Local IP: 127.0.0.1, Public IP: 213.123.199.240
Self test: trying http://grahome.ralphgraham.org/.freepbx-known/5f8ae1ebb5c3613144b96a46c4651ea5
Self test: received 5f8ae1ebb5c3613144b96a46c4651ea5
** Responsive LetsEncrypt Rules are not enabled. Enabling Responsive
LetsEncrypt Rules is recommended. Enable at the command line with
'fwconsole firewall lerules enable' or within the web interface at
Connectivity->Firewall->Advanced->Advanced Settings.
There was an error updating certificate 'Grahome.ralphgraham.org': Operation timed out after 30001 milliseconds with 0 out of -1 bytes received
Tried the command lerules enable, which worked, and then the forced test gave the same failure: timed out.
Looks like it's failing in the diagnostic request.
Either the gateway firewall does not have port 80 open and forwarded to the FreePBX box or port 80 outbound is still not allowed.
From the pbx, whatās the output of:
curl -L http://mirror1.freepbx.org/lechecker.php
curl: (6) Could not resolve host: mirror1,freepbx.org; Unknown error
Thanks for support