Update to Certman for LE certificate generation

lgaetz · April 14, 2021, 1:28pm

https://issues.freepbx.org/browse/FREEPBX-21681

A recent(ish) pull request from @jerrm for the Certificate Management module has been merged and published in certman ver 15.0.42, now in the edge repo. It removes the requirement that the cert validation request originate from the same IP to which the cert host name resolves.

We have done some basic testing, and things appear to be working as expected, but it is in need of some real testing in a multi-NIC environment where LE cert generation would otherwise fail.

To upgrade:

fwconsole ma downloadinstall certman --tag 15.0.42

if necessary, you can downgrade again using

fwconsole ma downloadinstall certman --tag 15.0.41

billsimon · April 14, 2021, 2:11pm

Is IPv6 handled?

jerrm · April 14, 2021, 3:05pm

If the mirror’s lechecker.php process was the reason for an IPv6 based failure, it shouldn’t be an issue anymore. Any other IPv6 issues would remain.

All the patch does is allow the process to continue if the phone home check to mirror1.freepbx.org/lechecker.php fails. Previously the process would fail if lechecker didn’t think the IP was correct - a common error when the default outbound route IP did not match the fqdn IP.

If the update ultimately succeeds, any lechecker.php error is ignored. If the update fails, the lechecker error is included in the failure message as a diagnostic aid.