FOOD FOR THOUGHT Enable HTTPS with Let's Encrypt

That's the goal.

I'd suggest testing with
Code:
fwconsole cert --updateall --force
but @wardmundy has certman locked to an old version that doesn't support --force.

Ok @jerrm , I'll sit back and 'watch'! fingers crossed...

Ha, guess I can't force it then lol

My VPS at CrownCloud is:

Incredible PBX/FAX 2020.1 for CentOS 7

Asterisk: UP Apache: UP MySQL: UP
SendMail: UP IPtables: UP SSH: UP
LAN port: UP Fail2Ban: UP Webmin: UP
UCP Dmon: UP PortKnock: UP NR VPN: UP
FaxGetty: DN IAX Modem: DN HylaFax: DN

RAM:97MB CentOS Rel. 7.8.2003 Disk:8.4GB

Asterisk 16.12.0 Incredible GUI 15.0.12.40

Private IP: XXX.XXX.XXX.XXX

Public Info: XXX.XXX.XXX.XXX

System Time: Sat Jan 16 17:55:29 MST 2021
 
It looks like the ClearlyIP mirrors break specifying a module version with --tag in fwconsole, but you can trick the GUI into upgrading from 15.0.23 to the current version:
Module Admin->
Check Online->
Expand "Certificate Manager"->
Select Previous
and then "Rollback" to the current 15.0.37 version.

You'll get improved error messages, --force support, alternate name support, expanded fwconsole CLI support, and a few other tidbits.
 


Thanks for this @jerrm ,

So I did :

Module Admin->
Check Online->
Expand "Certificate Manager"->
Select Previous
and then "Rollback" to the current 15.0.37 version.

BUT DID NOT DO THIS YET:

fwconsole cert --updateall --force

Because I wanted to see what would happen when I wake up this morning, since my LE cert is now 6 days from expiring...

This is what I saw on my IncrediblePBX dashboard:


!Security Issue !

Some Certificates are expiring or have expired

This is a critical issue and should be resolved urgently

"There was an error updating certificate "mypbx.com": Error 'Token did not match' when requesting http://mypbx.com/.freepbx-known/b3c3255658121d8e22859dbcf60853e1"

(Where mypbx.com is my actual PBX FQDN - I just omitted it here)

Soooo, now what? lol
 
That implies lewatch let the mirror1.freepbx.org's lechecker.php process through the firewall, but there was an issue with the lechecker token file.

Post output:
Code:
(
ls -al /var/www/html/.freepbx-known
echo cat
cat /var/www/html/.freepbx-known/*
echo ""
echo curl fqdn
curl   "http://mypbx.com/.freepbx-known/b3c3255658121d8e22859dbcf60853e1"
echo ""
echo curl localhost
curl   "http://127.0.0.1/.freepbx-known/b3c3255658121d8e22859dbcf60853e1"
echo ""
)
 
ok @jerrm , thanks for at least confirming that lewatch is working ha!

So, any idea what I should try next?

Thank you
Prits
 
I'd like to see the requested output first, but I would next try from the command line running as asterisk:
Code:
su asterisk -c 'fwconsole cert --updateall'


--force shouldn't be needed now that the cert has aged enough.
 

@jerrm , Here is what I got at the command line:

root@pbx1:~ $ su asterisk -c 'fwconsole cert --updateall'
Certificate named "default" is valid
There was an error updating certificate "mypbxdomain.com": Error 'Token did not match' when requesting http://mypbxdomain.com/.freepbx-known/5a7febc0660a2eb4475ddc92e0d08c2e
WARNING: Always run Incredible PBX behind a secure firewall.
root@pbx1:~ $
 
Post output of:
Code:
curl "http://127.0.0.1/.freepbx-known/5a7febc0660a2eb4475ddc92e0d08c2e"
 
Sorry for the delay @jerrm , here it is:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://127.0.0.1/.freepbx-known/5a7febc0660a2eb4475ddc92e0d08c2e">here</a>.</p>
</body></html>
Looks like you have port http requests redirected to https. That may very well break the mirror's lechecker.php process if it is not following Location. It's expecting a token and getting the above message. Not sure about LetsEncrypt itself and the Lescript.php library.

Post the apache config you are using for the redirect so I can test the equivalent.
 

Ok @jerrm

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

and I did mention my system in message #41

I did not upgrade to Incredible 2021 - PUBLIC

Here it is again just in case sir:

Incredible PBX/FAX 2020.1 for CentOS 7

Asterisk: UP Apache: UP MySQL: UP
SendMail: UP IPtables: UP SSH: UP
LAN port: UP Fail2Ban: UP Webmin: UP
UCP Dmon: UP PortKnock: UP NR VPN: UP
FaxGetty: DN IAX Modem: DN HylaFax: DN

RAM:78MB CentOS Rel. 7.8.2003 Disk:8.4GB

Asterisk 16.12.0 Incredible GUI 15.0.12.40

Private IP: Hidden

Public Info: Hidden

System Time: Mon Jan 18 18:42:40 MST 2021

< OK >
 
and I did mention my system in message #41
But left out the fact apache was not in a standard config.

It's definitely the redirect, I assume it was added after the cert was initially generated? Don't disable yet, let me test if it's an lechecker only issue or if it will also be an issue with the Lescript.php library. If lechecker only, my pending pull request for certman will probably let the process complete.
 
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Change to:
Code:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteCond %{REQUEST_URI} !^/\.(well-known|freepbx-known)/
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
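Once the exemption is in place, a quick way to confirm it is to fetch a token URL with a client that refuses to follow redirects, which is how the thread describes lechecker.php behaving: a 301 then shows up as "redirected" instead of the misleading "Token did not match". This is an added example, not code from the thread, certman or lewatch; the hostnames, token directory and the exempt-path regex are taken from the commands and config posted above, and the token values in the comments are constructed.

```python
import os
import re
import sys
import urllib.error
import urllib.request

# Paths the HTTP-01 challenge and FreePBX's lechecker fetch over plain HTTP.
# Same pattern as the RewriteCond above: these URIs must NOT be redirected.
EXEMPT_RE = re.compile(r"^/\.(well-known|freepbx-known)/")
TOKEN_DIR = "/var/www/html/.freepbx-known"   # directory from the ls/cat commands above


def is_exempt_from_redirect(request_uri: str) -> bool:
    """True when the RewriteCond would skip the HTTPS redirect for this URI."""
    return EXEMPT_RE.match(request_uri) is not None


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow 3xx, so a redirect surfaces as an HTTPError."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status: int, body: str, expected_token: str) -> str:
    """Describe a plain-HTTP fetch of a token URL the way the checker sees it."""
    if 300 <= status < 400:
        return "redirected"        # the 301 page from the thread, not the token
    if status == 404:
        return "missing"           # token file absent from /.freepbx-known
    if status != 200:
        return f"http {status}"
    return "ok" if body.strip() == expected_token else "token mismatch"


def fetch_token(url: str, expected_token: str, timeout: float = 10.0) -> str:
    """Fetch url without following redirects and classify the result."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode(errors="replace"), expected_token)
    except urllib.error.HTTPError as e:
        return classify(e.code, e.read().decode(errors="replace"), expected_token)


if __name__ == "__main__":
    # Usage: python3 check_token.py mypbx.com  (checks the FQDN and localhost)
    fqdn = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for name in os.listdir(TOKEN_DIR):           # one file per pending token
        with open(os.path.join(TOKEN_DIR, name)) as f:
            expected = f.read().strip()
        for host in (fqdn, "127.0.0.1"):
            print(host, name, fetch_token(f"http://{host}/.freepbx-known/{name}", expected))
```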
 

@jerrm , I changed it to the above, will update you tomorrow sometime once I have checked if the LE cert updated overnight.

Thanks
 

Hello @jerrm , I am pleased to report that it worked! Woke up this morning to see that the LE cert had renewed!!!

Thank you so much for the LEwatch script and your guidance here!

@Prits
 