Unifi gateway USG unable to update freepbx


(Ralph) #1

Having a problem with updating freepbx since installing Unifi USG gateway. The phones and freepbx work fine but Let's Encrypt renewal and module updates do not.
Module update reports unable to connect online repository.
I am fairly sure this is a firewall issue. I have the usg set to allow all in and out to freepbx ip address and port forward to port 80.
Any advice please.


#2

From a shell prompt on the PBX, does
wget example.com
work properly? How about
wget https://mirror.freepbx.org
(which should write index.html containing ‘False’)


(Ralph) #3

as below

[root@Grahome ~]# wget https://mirror.freepbx.org
--2021-01-23 21:11:59--  https://mirror.freepbx.org/
Resolving mirror.freepbx.org (mirror.freepbx.org)... 199.102.239.8
Connecting to mirror.freepbx.org (mirror.freepbx.org)|199.102.239.8|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5 [text/html]
Saving to: ‘index.html’

100%[======================================>] 5 --.-K/s in 0s

2021-01-23 21:11:59 (1.05 MB/s) - ‘index.html’ saved [5/5]
as below


#4

Unless it’s something very strange, this doesn’t look like a firewall issue.

Try capturing traffic with tcpdump, attempt an update and see whether the mirror site is reachable, any SSL errors, etc.


(Ralph) #5

The response to wget was after I turned off some firewall rules so I now know where to look for my error.
However with those rules off I still can not renew letsencrypt certificate, so this issue remains.
Thanks for help


#6

Yet those https requests are over port 443, yet acme clients using HTTP-01 MUST use port 80.

I would wait for @jerrm to respond . . .


(Itzik) #7

There’s a difference between ‘updating your pbx’ and ‘updating a LE cert’

What is the error you are getting?


#8

Certman needs outbound ports 80 and 443 allowed, and inbound port 80.

Requests to the LetsEncrypt servers from the pbx go out over https/port 443.

Challenge queries from the LetsEncrypt servers to the pbx come in over http/port 80.

There is also a diagnostic query to http://mirror1.freepbx.org outbound over http/port 80. Certman will abort before trying LetsEncrypt if the diagnostic query fails.

The diagnostic query was apparently intended to help detect some DNS config errors, but is a little too simple-minded. It can sometimes cause certman to abort when LetsEncrypt would actually succeed if attempted. There is a pending PR that will continue on and try LetsEncrypt even if the diagnostic query fails, only presenting the error message upon a bona fide LetsEncrypt failure.


#9

Or just move to LE’s well supported DNS-01 and never have to worry about all this HTTP-01 port flappery again :wink:


(Ralph) #10

Thanks all.
Will add a rule for port 443
Dicko, how would I do the move you suggest?


(Ralph) #11

Added a WAN out and WAN local rule for all ports from IP address of freepbx server but still certificate update fails.
Thanks for all help


(Ralph) #12

Should update that module updates work now but still not letsencrypt certificate


#13

Using dns-01 auth would require forgoing the GUI and using another LetsEncrypt client like acme.sh or certbot.

Update certman to the current edge version:

fwconsole ma downloadinstall certman --edge

Then post full output of:

fwconsole cert --updateall --force

If you feel you have to edit and change the fqdn and IPs for the forum, then PM me an unadulterated version.


#14

https://community.freepbx.org/t/lets-encrypt-dns-challenge-and-scripting/65903


(Ralph) #15

Tried to send info direct to you, did it reach you?
Thanks


#16

It did not.


(Ralph) #17

[root@Grahome ~]# fwconsole cert --updateall --force
Forced update enabled !!!
Processing: grahome.ralphgraham.org, Local IP: 127.0.0.1, Public IP: 213.123.199.240
Self test: trying http://grahome.ralphgraham.org/.freepbx-known/5f8ae1ebb5c3613144b96a46c4651ea5
Self test: received 5f8ae1ebb5c3613144b96a46c4651ea5

** Responsive LetsEncrypt Rules are not enabled. Enabling Responsive
LetsEncrypt Rules is recommended. Enable at the command line with
‘fwconsole firewall lerules enable’ or within the web interface at
Connectivity->Firewall->Advanced->Advanced Settings.

There was an error updating certificate “Grahome.ralphgraham.org”: Operation timed out after 30001 milliseconds with 0 out of -1 bytes received


(Ralph) #18

tried command lerules enabled which worked and then force test same failure timed out


#19

Looks like it’s failing in the diagnostic request.

Either the gateway firewall does not have port 80 open and forwarded to the FreePBX box or port 80 outbound is still not allowed.

From the pbx, what’s the output of:

curl -L  http://mirror1.freepbx.org/lechecker.php

(Ralph) #20

curl: (6) Could not resolve host: mirror1,freepbx.org; Unknown error

Thanks for support
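
An added example (not written by any poster in this thread, and not FreePBX code): a shell script for the PBX that runs the two outbound checks post #8 says certman depends on and maps curl's exit code to the layer to inspect. The mirror1 URL is the one given in post #19; the Let's Encrypt directory URL and all function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: outbound connectivity checks for the paths listed in post #8.
DIAG_URL="http://mirror1.freepbx.org/lechecker.php"        # from post #19, port 80
ACME_URL="https://acme-v02.api.letsencrypt.org/directory"  # assumed endpoint, port 443

# Print the host part of a URL (scheme, path and port stripped).
url_host() {
    h=${1#*://}; h=${h%%/*}; h=${h%%:*}
    printf '%s' "$h"
}

# Succeed only if the name uses letters, digits, hyphens and single dots.
host_is_valid() {
    case $1 in
        ''|*[!A-Za-z0-9.-]*|.*|*.|*..*) return 1 ;;
    esac
    return 0
}

# Map a curl exit code to the layer that needs attention.
explain_curl_exit() {
    case $1 in
        0)     echo "ok" ;;
        6)     echo "dns: name did not resolve, check resolver and hostname spelling" ;;
        7)     echo "tcp: connect failed (refused or unreachable)" ;;
        28)    echo "timeout: packets dropped, check the gateway's outbound rules" ;;
        35|60) echo "tls: handshake or certificate problem" ;;
        *)     echo "other: curl exit $1" ;;
    esac
}

# Validate the hostname first, then fetch the URL and classify the result.
check_url() {
    host=$(url_host "$1")
    if ! host_is_valid "$host"; then
        echo "invalid-host: '$host' is not a valid DNS name"
        return 0
    fi
    curl -sS -L -o /dev/null --max-time 15 "$1" 2>/dev/null
    explain_curl_exit $?
}

run_checks() {
    for u in "$DIAG_URL" "$ACME_URL"; do
        printf '%-50s %s\n' "$u" "$(check_url "$u")"
    done
}

if [ "${1:-}" = "--run" ]; then run_checks; fi
```

Run the script with `--run` as its argument to perform the checks. The inbound port 80 path is not covered because it has to be tested from outside the gateway.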