Updated modules - certificates no longer work

Today I updated all modules on one of my deployments (Distro version 12.7.8-2302-1.sng7) running FreePBX 16.0.40. After, the GUI was no longer accessible. It appears the /etc/httpd/pki/webserver.crt file is zero length. I removed ssl redirection and was able to log in to the GUI, but I cannot create a working LE certificate from the CLI or GUI. In each case, it appears the cert is issued properly but the crt is always 0 bytes. If I remove it and try to create a self-signed cert, I get an error that says in part “Unable to generate certificate: Error Generating Certificate: unknown option 730 usage: x509 args”.
I decided to try installing the edge version of certman and it threw a similar error while installing. Here’s the log:

 fwconsole ma upgrade certman --edge
Edge repository temporarily enabled
No repos specified, using: [standard,extended,commercial] from last GUI settings

Downloading module 'certman'
Processing certman
Downloading...
 220816/220816 [============================] 100%
Finished downloading
Extracting...Done
Download completed in 0 seconds
Updating tables certman_mapping, certman_csrs, certman_certs, certman_cas...Done
No Certificates exist
Generating default certificate...Failed! [Error Generating Certificate: unknown option 730
usage: x509 args
 -inform arg     - input format - default PEM (one of DER, NET or PEM)
 -outform arg    - output format - default PEM (one of DER, NET or PEM)
 -keyform arg    - private key format - default PEM
 -CAform arg     - CA format - default PEM
 -CAkeyform arg  - CA key format - default PEM
 -in arg         - input file - default stdin
 -out arg        - output file - default stdout
 -passin arg     - private key password source
 -serial         - print serial number value
 -subject_hash   - print subject hash value
 -subject_hash_old   - print old-style (MD5) subject hash value
 -issuer_hash    - print issuer hash value
 -issuer_hash_old    - print old-style (MD5) issuer hash value
 -hash           - synonym for -subject_hash
 -subject        - print subject DN
 -issuer         - print issuer DN
 -email          - print email address(es)
 -startdate      - notBefore field
 -enddate        - notAfter field
 -purpose        - print out certificate purposes
 -dates          - both Before and After dates
 -modulus        - print the RSA key modulus
 -pubkey         - output the public key
 -fingerprint    - print the certificate fingerprint
 -alias          - output certificate alias
 -noout          - no certificate output
 -ocspid         - print OCSP hash values for the subject name and public key
 -ocsp_uri       - print OCSP Responder URL(s)
 -trustout       - output a "trusted" certificate
 -clrtrust       - clear all trusted purposes
 -clrreject      - clear all rejected purposes
 -addtrust arg   - trust certificate for a given purpose
 -addreject arg  - reject certificate for a given purpose
 -setalias arg   - set certificate alias
 -days arg       - How long till expiry of a signed certificate - def 30 days
 -checkend arg   - check whether the cert expires in the next arg seconds
                   exit 1 if so, 0 if not
 -signkey arg    - self sign cert with arg
 -x509toreq      - output a certification request object
 -req            - input is a certificate request, sign and output.
 -CA arg         - set the CA certificate, must be PEM format.
 -CAkey arg      - set the CA key, must be PEM format
                   missing, it is assumed to be in the CA file.
 -CAcreateserial - create serial number file if it does not exist
 -CAserial arg   - serial file
 -set_serial     - serial number to use
 -text           - print the certificate in text form
 -C              - print out C code forms
 -<dgst>         - digest to use, see openssl dgst -h output for list
 -extfile        - configuration file with X509V3 extensions to add
 -extensions     - section from config file with X509V3 extensions to add
 -clrext         - delete extensions before signing and input certificate
 -nameopt arg    - various certificate name options
 -engine e       - use engine e, possibly a hardware device.
 -certopt arg    - various certificate text options
 -checkhost host - check certificate matches "host"
 -checkemail email - check certificate matches "email"
 -checkip ipaddr - check certificate matches "ipaddr"
]
Generating CSS...Done
Module certman version 16.0.25 successfully installed
Updating Hooks...Done
Chowning directories...Done
Updating Hooks...Done
Chowning directories...Done
Resetting temporarily repository state

I’m really not sure what else I can do to resolve this. Any guidance would be greatly appreciated.

I removed /var/www/html/admin/modules/certman and reinstalled certman. This did not resolve the issue. The error “Generating default certificate…Failed! [Error Generating Certificate: unknown option 730” is still reported and I cannot create any certificates. Also, UCP will not start. I’m fairly sure this is related. I have no idea where to go from here…

Still not resolved. I was able to create a certificate using this command:

openssl req \
       -newkey rsa:2048 -nodes -keyout domain.key \
       -x509 -days 3650 -out domain.crt

I’m not sure how to manually install the certificate, or if I should try.
Trying to create a self-signed certificate via the GUI fails with this:

Here’s the list of installed modules, again, the edge version of certman did not resolve the issue.


+---------------------+------------+-----------------------------------+-------------+-----------+
| Module              | Version    | Status                            | License     | Signature |
+---------------------+------------+-----------------------------------+-------------+-----------+
| accountcodepreserve | 16.0.0.1   | Enabled                           | GPLv2       | Sangoma   |
| adv_recovery        | 16.0.41    | Enabled                           | Commercial  | Sangoma   |
| amd                 | 16.0.3     | Enabled                           | GPLv3+      | Sangoma   |
| announcement        | 16.0.6     | Enabled                           | GPLv3+      | Sangoma   |
| api                 | 16.0.11    | Enabled                           | AGPLv3+     | Sangoma   |
| areminder           | 16.0.16    | Enabled                           | Commercial  | Sangoma   |
| arimanager          | 16.0.12    | Enabled                           | GPLv3+      | Sangoma   |
| asterisk-cli        | 16.0.8     | Enabled                           | GPLv3+      | Sangoma   |
| asteriskinfo        | 16.0.10    | Enabled                           | GPLv3+      | Sangoma   |
| backup              | 16.0.65    | Enabled                           | GPLv3+      | Sangoma   |
| blacklist           | 16.0.20    | Enabled                           | GPLv3+      | Sangoma   |
| broadcast           | 16.0.18    | Enabled                           | Commercial  | Sangoma   |
| builtin             |            | Enabled                           |             | Unsigned  |
| bulkhandler         | 16.0.16    | Enabled                           | GPLv3+      | Sangoma   |
| calendar            | 16.0.21    | Enabled                           | GPLv3+      | Sangoma   |
| callaccounting      | 16.0.11    | Enabled                           | Commercial+ | Sangoma   |
| callback            | 16.0.4     | Enabled                           | GPLv3+      | Sangoma   |
| callerid            | 16.0.5     | Enabled                           | Commercial  | Sangoma   |
| callforward         | 16.0.5     | Enabled                           | AGPLv3+     | Sangoma   |
| calllimit           | 16.0.6     | Enabled                           | Commercial  | Sangoma   |
| callrecording       | 16.0.19    | Enabled                           | AGPLv3+     | Sangoma   |
| callwaiting         | 16.0.5     | Enabled                           | GPLv3+      | Sangoma   |
| cdr                 | 16.0.31    | Enabled                           | GPLv3+      | Sangoma   |
| cel                 | 16.0.15    | Enabled                           | GPLv3+      | Sangoma   |
| certman             | 16.0.22    | Enabled                           | AGPLv3+     | Sangoma   |
| certman.bak         |            | Not Installed (Locally available) | AGPLv3+     | Sangoma   |
| cidlookup           | 16.0.15    | Enabled                           | GPLv3+      | Sangoma   |
| conferences         | 16.0.9     | Enabled                           | GPLv3+      | Sangoma   |
| conferencespro      | 16.0.9     | Enabled                           | Commercial  | Sangoma   |
| configedit          | 16.0.5     | Enabled                           | AGPLv3+     | Sangoma   |
| contactmanager      | 16.0.21    | Enabled                           | GPLv3+      | Sangoma   |
| core                | 16.0.68.11 | Enabled                           | GPLv3+      | Sangoma   |
| cos                 | 16.0.7     | Enabled                           | Commercial  | Sangoma   |
| customappsreg       | 16.0.5     | Enabled                           | GPLv3+      | Sangoma   |
| dahdiconfig         | 16.0.8     | Enabled                           | GPLv3+      | Sangoma   |
| dashboard           | 16.0.16    | Enabled                           | AGPLv3+     | Sangoma   |
| daynight            | 16.0.3     | Enabled                           | GPLv3+      | Sangoma   |
| dictate             | 16.0.1     | Enabled                           | GPLv3+      | Sangoma   |
| directory           | 16.0.2     | Enabled                           | GPLv3+      | Sangoma   |
| disa                | 16.0.4     | Enabled                           | AGPLv3+     | Sangoma   |
| donotdisturb        | 16.0.3     | Enabled                           | GPLv3+      | Sangoma   |
| dynroute            | 16.0.4     | Enabled                           | GPLv3+      | Sangoma   |
| endpoint            | 16.0.79.17 | Enabled                           | Commercial  | Sangoma   |
| extensionroutes     | 16.0.7     | Enabled                           | Commercial  | Sangoma   |
| extensionsettings   | 16.0.1     | Enabled                           | GPLv3+      | Sangoma   |
| fax                 | 16.0.13    | Enabled                           | GPLv3+      | Sangoma   |
| faxpro              | 16.0.11    | Enabled                           | Commercial  | Sangoma   |
| featurecodeadmin    | 16.0.11    | Enabled                           | GPLv3+      | Sangoma   |
| filestore           | 16.0.16    | Enabled                           | AGPLv3      | Sangoma   |
| findmefollow        | 16.0.19    | Enabled                           | GPLv3+      | Sangoma   |
| firewall            | 16.0.57.6  | Enabled                           | AGPLv3+     | Sangoma   |
| framework           | 16.0.40    | Enabled                           | GPLv2+      | Sangoma   |
| fw_langpacks        | 16.0.1     | Enabled                           | GPLv3+      | Sangoma   |
| hotelwakeup         | 16.0.8     | Enabled                           | GPLv2       | Sangoma   |
| iaxsettings         | 16.0.3     | Enabled                           | AGPLv3      | Sangoma   |
| infoservices        | 16.0.2     | Enabled                           | GPLv2+      | Sangoma   |
| iotserver           | 16.0.10.1  | Enabled                           | Commercial  | Sangoma   |
| irc                 | 16.0.1     | Enabled                           | GPLv3+      | Sangoma   |
| ivr                 | 16.0.5     | Enabled                           | GPLv3+      | Sangoma   |
| languages           | 16.0.4     | Enabled                           | GPLv3+      | Sangoma   |
| logfiles            | 16.0.7     | Enabled                           | GPLv3+      | Sangoma   |
| manager             | 16.0.17    | Enabled                           | GPLv2+      | Sangoma   |
| miscapps            | 16.0.2     | Enabled                           | GPLv3+      | Sangoma   |
| miscdests           | 16.0.1     | Enabled                           | GPLv3+      | Sangoma   |
| music               | 16.0.2     | Enabled                           | GPLv3+      | Sangoma   |
| oracle_connector    | 16.0.16    | Enabled                           | Commercial  | Sangoma   |
| outroutemsg         | 16.0.1     | Enabled                           | GPLv3+      | Sangoma   |
| paging              | 16.0.11    | Enabled                           | GPLv3+      | Sangoma   |
| pagingpro           | 16.0.10    | Enabled                           | Commercial  | Sangoma   |
| parking             | 16.0.4     | Enabled                           | GPLv3+      | Sangoma   |
| parkpro             | 16.0.5     | Enabled                           | Commercial  | Sangoma   |
| pbdirectory         | 2.11.0.6   | Enabled                           | GPLv3+      | Sangoma   |
| phonebook           | 16.0.3     | Enabled                           | GPLv3+      | Sangoma   |
| phpinfo             | 16.0.1     | Enabled                           | GPLv2+      | Sangoma   |
| pinsets             | 16.0.8     | Enabled                           | GPLv3+      | Sangoma   |
| pinsetspro          | 16.0.4     | Enabled                           | Commercial  | Sangoma   |
| pm2                 | 16.0.8     | Enabled                           | AGPLv3+     | Sangoma   |
| pms                 | 16.0.21    | Enabled                           | Commercial  | Sangoma   |
| presencestate       | 16.0.4     | Enabled                           | GPLv3+      | Sangoma   |
| printextensions     | 16.0.8     | Enabled                           | GPLv3+      | Sangoma   |
| queueprio           | 16.0.3     | Enabled                           | GPLv3+      | Sangoma   |
| queues              | 16.0.25    | Enabled                           | GPLv2+      | Sangoma   |
| queuestats          | 16.0.23    | Enabled                           | Commercial  | Sangoma   |
| qxact_reports       | 16.0.31    | Enabled                           | Commercial  | Sangoma   |
| recording_report    | 16.0.30    | Enabled                           | Commercial  | Sangoma   |
| recordings          | 16.0.14    | Enabled                           | GPLv3+      | Sangoma   |
| restapps            | 16.0.34.9  | Enabled                           | Commercial  | Sangoma   |
| ringgroups          | 16.0.11    | Enabled                           | GPLv3+      | Sangoma   |
| sangomaconnect      | 16.0.44.16 | Enabled                           | Commercial  | Sangoma   |
| sangomacrm          | 16.0.10.19 | Enabled                           | Commercial  | Sangoma   |
| sangomartapi        | 16.0.46.1  | Enabled                           | Commercial  | Sangoma   |
| setcid              | 16.0.3     | Enabled                           | GPLv3+      | Sangoma   |
| sipsettings         | 16.0.26    | Enabled                           | AGPLv3+     | Sangoma   |
| sipstation          | 16.0.25    | Enabled                           | Commercial  | Sangoma   |
| sms                 | 16.0.23    | Enabled                           | Commercial  | Sangoma   |
| soundlang           | 16.0.9     | Enabled                           | GPLv3+      | Sangoma   |
| speeddial           | 2.11.0.4   | Enabled                           | GPLv3+      | Sangoma   |
| superfecta          | 16.0.27    | Enabled                           | GPLv2+      | Sangoma   |
| sysadmin            | 16.0.32    | Enabled                           | Commercial  | Sangoma   |
| timeconditions      | 16.0.10    | Enabled                           | GPLv3+      | Sangoma   |
| tts                 | 16.0.3     | Enabled                           | GPLv3+      | Sangoma   |
| ttsengines          | 16.0.3     | Enabled                           | AGPLv3      | Sangoma   |
| ucp                 | 16.0.38    | Enabled                           | AGPLv3+     | Sangoma   |
| userman             | 16.0.39    | Enabled                           | AGPLv3+     | Sangoma   |
| vega                | 16.0.6     | Enabled                           | Commercial+ | Sangoma   |
| vmblast             | 16.0.10    | Enabled                           | GPLv3+      | Sangoma   |
| vmnotify            | 16.0.6     | Enabled                           | Commercial  | Sangoma   |
| voicemail           | 16.0.48    | Enabled                           | GPLv3+      | Sangoma   |
| voicemail_report    | 16.0.3     | Enabled                           | Commercial  | Sangoma   |
| voipinnovations     | 16.0.29    | Enabled                           | Commercial  | Sangoma   |
| vqplus              | 16.0.20    | Enabled                           | Commercial  | Sangoma   |
| weakpasswords       | 16.0.1     | Enabled                           | GPLv3+      | Sangoma   |
| webcallback         | 16.0.3     | Enabled                           | Commercial  | Sangoma   |
| webrtc              | 16.0.17    | Enabled                           | GPLv3+      | Sangoma   |
| xmpp                | 16.0.7     | Enabled                           | AGPLv3      | Sangoma   |
+---------------------+------------+-----------------------------------+-------------+-----------+

Not sure about the certs, but can you restore from a FreePBX backup or if a VM, from a snapshot, pre update? You might need to engage Sangoma for support directly.
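
Added example, not part of any post in this thread: a shell check for the symptom described above (a certificate file that exists but is 0 bytes), which also confirms that a manually generated pair such as domain.crt and domain.key parses and belongs together. The function name check_cert_pair and its return codes are made up for this example; it only reads the files it is given.

```shell
#!/bin/sh
# check_cert_pair CERT [KEY]
# Return codes (chosen for this example):
#   0 usable, 1 missing or zero length, 2 not a parseable PEM certificate,
#   3 expired or expiring within 24 hours, 4 KEY does not belong to CERT
check_cert_pair() {
    cert=${1:-}
    key=${2:-}

    # The symptom from the thread: the file exists but is 0 bytes.
    if [ ! -s "$cert" ]; then
        echo "FAIL: '$cert' is missing or zero length" >&2
        return 1
    fi

    # Non-empty is not enough; openssl must be able to parse it.
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo "FAIL: '$cert' is not a parseable PEM certificate" >&2
        return 2
    fi

    # -checkend N exits non-zero when the cert expires within N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null 2>&1; then
        echo "FAIL: '$cert' is expired or expires within 24 hours" >&2
        return 3
    fi

    # Compare the public key in the cert with the one derived from the
    # private key; a mismatched pair is unusable by the web server.
    if [ -n "$key" ]; then
        cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
        key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
        if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
            echo "FAIL: '$key' does not match '$cert'" >&2
            return 4
        fi
    fi

    echo "OK: $(openssl x509 -in "$cert" -noout -subject -enddate | tr '\n' ' ')"
    return 0
}

# Run only when file arguments are given, e.g.:
#   sh check_cert.sh domain.crt domain.key
if [ "$#" -gt 0 ]; then
    check_cert_pair "$@"
fi
```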
