Let's Encrypt issue after upgrade to 2.4.0-5

VitalPBX Community Support > General Discussion

    TheG-Man (Participant)

    Hello,

    Let’s Encrypt cert stopped renewing after I upgraded to 2.4.0-5.

    When I click update on certificate, I get the attached error.

    I tried disabling firewall and it didn’t seem to correct the issue.

    Thanks!

    -G.

Viewing 13 replies - 16 through 28 (of 28 total)
  • Replies

    Reply:
    Check the logs in the following folder:

    /var/log/vitalpbx

    The only requirement to use Let’s Encrypt is to have the HTTP port available without redirections and allowed in the firewall.

    mo10 (Participant)
    Posted by: @ing-joserivera26

    Check the logs in the following folder:

    /var/log/vitalpbx

    The only requirement to use Let’s Encrypt is to have the HTTP port available without redirections and allowed in the firewall.

    Okay, but maybe my Geo-Firewall blocked the request?
    I am in EU and blocked everything but 2 Countries.

    Reply:

    Just for testing, could you put the following domains on the firewall whitelist:

    outbound1.letsencrypt.org and outbound2.letsencrypt.org

    Delete your current certificates, and finally execute the script

    /usr/share/ombutel/scripts/lets_encrypt

    Let me know if you are able to re-generate your certificates without disabling the firewall.

    mo10 (Participant)
    Posted by: @ing-joserivera26

    Just for testing, could you put the following domains on the firewall whitelist:

    outbound1.letsencrypt.org and outbound2.letsencrypt.org

    Delete your current certificates, and finally execute the script

    /usr/share/ombutel/scripts/lets_encrypt

    Let me know if you are able to re-generate your certificates without disabling the firewall.

    The firewall does not like domains on the whitelist. My VitalPBX is not pingable anymore and not accessible. I will try to get it back running with the console.

    mo10 (Participant)

    Entering the IP addresses of those domains into the whitelist did not help:
    outbound1.letsencrypt.org and outbound2.letsencrypt.org

    Still: Valid Until 1970-01-01

    Allowing ALL Countries in GEO-Firewall helped.
    Valid Until 2020-05-20

    Enabling Geo-Firewall again: Valid Until 1970-01-01

    Reply:

    @mo10

    Could you check the logs in /var/log/vitalpbx and see if there’s a hint of what is being blocked?

     

    mo10 (Participant)
    Posted by: @ing-joserivera26

    @mo10

    Could you check the logs in /var/log/vitalpbx and see if there’s a hint of what is being blocked?

     

    No hint since i think the feedback of the request gets blocked by Geo-Firewall.

    PitzKey (Participant, US)

    If I recall correctly, LE changed how cert provisioning works, and it can now come from anywhere, not only from their domain IPs.

    mo10 (Participant)
    Posted by: @pitzkey

    If I recall correctly, LE changed how cert provisioning works, and it can now come from anywhere, not only from their domain IPs.

    @ing-joserivera26

    will you guys keep that in mind?

    Thank you, @pitzkey ,too

     

    Reply:

    This is what Let’s Encrypt says about it:

    If you can’t allow inbound connections from arbitrary IP addresses, you’re requested to use the DNS-01 validation method instead of HTTP-01.

    Also this

    We plan to frequently change the set of IPs from which we validate, and will validate from multiple IPs in the future. Any host answering challenges should have port 80 or 443 available to the Internet.

    Another comment from Certbot Engineer / EFF

    The Let’s Encrypt CA does not want to announce particular IP addresses that are used in validation because of a desire to change them periodically (partly in order to make it harder for attackers to be able to cause misissuance). While you could figure out what addresses are currently used, they may change at any time and will not be documented. If you can’t allow inbound connections from the general public to the service that you’re trying to validate, you can use the DNS challenge type (which just requires letting the Let’s Encrypt CA look up your DNS records associated with that name).

    So, in the future we will try to add the DNS challenge option. For now, if you are using Let’s Encrypt, you must disable the firewall to renew the certificate.

    PitzKey (Participant, US)

    Perhaps there’s an option to expose only the verification path on a timer of 2 minutes. I can’t think of a way how, but maybe someone has an idea.

    Or maybe an option to setup LE on port 80 and the rest of the GUI on a different port.

    Reply:

    @pitzkey

    The problem is that if you have the GEO firewall enabled, any incoming connection coming from blocked countries will be rejected. So, no matter if port 80 is open, the HTTP verification will not be performed, because the incoming verification may come from random IP addresses in random countries.

     

    PitzKey (Participant, US)

    That’s true. We live in a world where we lock down our servers, but at the same time we want to expose them to the world so we can have a FREE certificate… Lol

    I wish LE had some static addresses that they use for provisioning; it would make this so much easier.

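Added example (not part of this thread and not VitalPBX code) illustrating the two options raised above: exposing only the verification path on port 80, and the DNS-01 challenge that the moderator says may be added later. The responder below answers only /.well-known/acme-challenge/<token> for tokens it knows and returns 404 for everything else, so the PBX GUI is never reachable through it; the DNS-01 helper shows what would be published in DNS instead. SAMPLE_JWK and the token are constructed values, not real ACME account material, and the server binds an ephemeral port on 127.0.0.1 so it runs offline (real use would be port 80). The caveat the thread arrives at still holds: even with a path-restricted responder, port 80 must accept connections from any source address, because Let's Encrypt validates from IPs it deliberately does not publish, so a geo-firewall in front of it breaks HTTP-01 regardless.

```python
# ACME HTTP-01 responder limited to the challenge path, plus the DNS-01 record value.
# Added example, not VitalPBX code; SAMPLE_JWK and the token below are constructed.
import base64
import hashlib
import http.client
import json
import re
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

ACME_PREFIX = "/.well-known/acme-challenge/"
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")  # ACME tokens are base64url; reject anything else

# Constructed sample account key (public JWK). "use" is optional and must NOT enter the thumbprint.
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
    "use": "sig",
}

def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: required members only, lexicographic order, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def key_authorization(token: str, jwk: dict) -> str:
    """HTTP-01 response body: token '.' thumbprint(account key)."""
    return f"{token}.{jwk_thumbprint(jwk)}"

def dns01_txt_value(token: str, jwk: dict) -> str:
    """DNS-01: TXT at _acme-challenge.<name> holds base64url(SHA-256(key authorization))."""
    return b64url(hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest())

def lookup_challenge(path: str, challenges: dict):
    """Return the key authorization for a well-formed challenge path, else None."""
    if not path.startswith(ACME_PREFIX):
        return None
    token = path[len(ACME_PREFIX):]
    if not TOKEN_RE.match(token):  # rejects "../", query strings and an empty token
        return None
    return challenges.get(token)

class ChallengeOnlyHandler(BaseHTTPRequestHandler):
    challenges: dict = {}  # token -> key authorization, set per server in make_server

    def do_GET(self):
        body = lookup_challenge(self.path, self.challenges)
        if body is None:
            self.send_error(404)  # no GUI, no listing, nothing but known challenges
            return
        payload = body.encode("ascii")
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):
        pass  # keep the example quiet

def make_server(challenges: dict, host: str = "127.0.0.1", port: int = 0) -> HTTPServer:
    """Bind a responder for the given token map; port 0 picks a free port (real use: 80)."""
    handler = type("Handler", (ChallengeOnlyHandler,), {"challenges": dict(challenges)})
    return HTTPServer((host, port), handler)

def fetch(server: HTTPServer, path: str):
    """GET a raw path (no client-side normalisation); return (status, body)."""
    host, port = server.server_address[:2]
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.read().decode("ascii", errors="replace")
    finally:
        conn.close()

def serve_and_fetch(challenges: dict, paths) -> dict:
    """Run the responder in a thread, fetch each path, stop it; return {path: (status, body)}."""
    server = make_server(challenges)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        return {p: fetch(server, p) for p in paths}
    finally:
        server.shutdown()
        server.server_close()
        thread.join()

if __name__ == "__main__":
    token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed, not issued by a CA
    keyauth = key_authorization(token, SAMPLE_JWK)
    probes = [ACME_PREFIX + token, "/admin/", ACME_PREFIX + "../etc/passwd"]
    for path, (status, body) in serve_and_fetch({token: keyauth}, probes).items():
        print(status, path, body[:40])
    print("DNS-01 TXT value:", dns01_txt_value(token, SAMPLE_JWK))
```

Run stand-alone, it prints 200 for the known token, 404 for the GUI path and for the traversal attempt, and the TXT value a DNS-01 client would publish. The DNS-01 path needs no inbound connection at all, only a resolvable _acme-challenge TXT record, which is why it is the natural fit for a PBX behind a geo-firewall.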