Lets' Encrypt Support w/ automatic renewal

[Dom]

Why wouldn't you integrate full Let's Encrypt certificate support into a future release (post v65), i.e. including automatic renewal? That would be a very appreciated feature for all Vodia administrators

[Support]

Hi,

 

If the certificate is going to expire, automatic renewal is also included right now. Not sure if you're referring to something else?

[Vodia PBX]

There is no need to import the lets encrypt certificate - the PBX does it all by itself. Just enable it, make sure the domain name is resolvable through DNS and that port 80 is visible for the lets encrypt bot - then the rest is all handled automatically.

[cwernstedt]

Let’s Encrypt Certs have suddenly begun to expire on our PBX with no configuration change.

What might be the cause?

[Support]

6 minutes ago, cwernstedt said:

What might be the cause?

https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

[cwernstedt]

In this case it's Let's Encrypt which sends me expiration warning emails, so it's the PBX which failed to renew the certs for some reason, and they do expire within a week or so, indicating failure to renew quite a long ago. Version is 63.0.1 . I haven't dared to update for fear of breaking something. 

Some way I can troubleshoot further?

[RichardDCG]

We received these as well...

Hello,

Your certificate (or certificates) for the names listed below will expire in 11 days (on 26 Oct 21 13:01 +0000). Please make sure to renew your certificate before then, or visitors to your web site will encounter errors.

We recommend renewing certificates automatically when they have a third of their total lifetime left. For Let's Encrypt's current 90-day certificates, that means renewing 30 days before expiration. See https://letsencrypt.org/docs/integration-guide/ for details.

 

Our PBX is 67.0.4.  I am testing 68.0.3 but there are still some issues with that.  Do I need to manually reset the certificate?

[Vodia PBX]

If all does not work, rename the DNS address of the tenant and then rename it back. This should generate a fresh certificate. 

[cwernstedt]

OK. This is what I see in the log (the real domain name and IP address I've censored out) after renaming the System Management DNS address and then renaming it back. The line with "Could not retrieve directory" looks suspicious. Any idea?

LYNC:    Creating pbx-admin.xyz.com
[6] 13:28:32.009    LYNC:    Using IP address 20.203.51.134 for creating DNS A record for pbx-admin.xyz.com
[8] 13:28:34.526    LYNC:    Create new account
[3] 13:28:34.921    LYNC:    Could not retrieve directory from directory https://acme-v02.api.letsencrypt.org/directory
[8] 13:28:34.921    LYNC:    New order pbx-admin.xyz.com
[8] 13:28:34.921    LYNC:    Done creating pbx-admin.xyz.com

[cwernstedt]

I upgraded to version 68.0.1 . Certificates are still not successfully updated.

I see "Could not retrieve directory from directory https://acme-v02.api.letsencrypt.org/directory  " in the log. 


 

[Vodia PBX]

Hmm, Going through my check list:

• Making sure that your root CA list is update (might have to press the Reset button at the bottom)
• Make sure your license is current, maybe make sure that you are in a recent (I would say anything above 67 should do)
• Make sure that port 80 is open
• Make sure that the DNS A address points to your PBX
• Make sure you are not using DNS for ACME challenge (unless you are using dnsmadeeasy, but even that could be a problem)
• Rename the domain address, then wait a second and rename it back