
Solved 3cx supplied SSL renewal issue

Status
Not open for further replies.

seegreen

Hi,

Recently upgraded the license on an install from standard to pro (using the same 3cx FQDN).

Had to restart the (Debian) server to make sure all new features became enabled, but otherwise all good.

However, since the upgrade I'm getting errors that the SSL can't renew. This is a 3CX-supplied Let's Encrypt SSL.

The error I'm getting is:

Event Notification Manager ID: 50011
SSL Certificate renewal has been failed. Error: IpUpdater.FqdnGenerationException: Can not create FQDN in 600 seconds at PostInstall.CertificateHelper.ProcessCertificatesDirectory(String directory, Boolean temporaryCertificateGenerated, CloudServerStatus statuses, Int32 regenerateCertificateExiredInDays, String appBin, UInt16 sipPort, UInt16 tunnelPort) at PostInstall.CertificateHelper.RenewCertificates(String appBin, String nginxConfigFolder, String configurationPath)

I've checked the server can connect to activation.3cx.com and letsencrypt.org without any issues.

It's been running fine up until license upgrade (although possible this could be a coincidence)

Server is a locally installed Hyper-V server.

Any thoughts?

Dave.
 
Just to update, this has happened 3 nights in a row, so whilst not impossible I've ruled out a problem at Let's Encrypt's end.
 
Same problem here on Windows 10 host. Version: 15.5.13103.5
I'm gonna restart the host tonight to give a try.
 
Hi Nicolas,

Be interested to know how you get on, I will of course keep this thread up to date if it rectifies itself.

I have already done a full virtual power cycle of the guest OS, but that didn't fix it. I guess if a number of people have been having the same problems over the last few days it could point the finger back at Let's Encrypt.

Let's keep each other posted. Wonder if anyone at 3CX support has any inside info on availability of Let's Encrypt systems over the last few days.

I also wonder if there is a command we can issue to force another attempt to update certificate as opposed to having to wait another 24 hours.

Also be interesting to know what is actually happening when the certificate renews, is there a restart of all the services on the PBX or is it just reloading config (like a web server).

Cheers,

Dave.
 
Should have mentioned, also on Version: 15.5.13103.5
 
Hello,

Can you please let the system try tonight as well and let me know of the results?
 
Hi Yiannis,

No problem, will do.

Will provide an update either way in the morning.

Best Regards,

David.
 
I rebooted the 3CX host last night but still get the same error.

HTTPS Certificate renewal Failed - Error:

IpUpdater.FqdnGenerationException: Error creating FQDN: 2153405: Lets Encrypt authorization status 'invalid'. Authorization not completed. type : urn:acme:error:dns; detail : DNS problem: NXDOMAIN looking up TXT for _acme-challenge.clientname.3cx.ch; status : 400 : ; LetsEncrypt: 2153405: Lets Encrypt authorization status 'invalid'. Authorization not completed. type : urn:acme:error:dns; detail : DNS problem: NXDOMAIN looking up TXT for _acme-challenge.clientname.3cx.ch; status : 400

à PostInstall.CertificateHelper.ProcessCertificatesDirectory(String directory, Boolean temporaryCertificateGenerated, CloudServerStatus statuses, Int32 regenerateCertificateExiredInDays, String appBin, UInt16 sipPort, UInt16 tunnelPort)

à PostInstall.CertificateHelper.RenewCertificates(String appBin, String nginxConfigFolder, String configurationPath)

Any change on your side, David?
Regards.

Nicolas
 
I'm running 2 installations of 3CX on our office-branches and while 1 renewed perfectly the other one is giving the exact same problem as Nicolas V is showing. Mine is running on Windows too with version 15.5.13103.5

HTTPS Certificate renewal Failed - Error:
IpUpdater.FqdnGenerationException: Error creating FQDN: 2155029: Lets Encrypt authorization status 'invalid'. Authorization not completed. type : urn:acme:error:dns; detail : DNS problem: NXDOMAIN looking up TXT for _acme-challenge.anonimized.3cx.ch; status : 400 : ; LetsEncrypt: 2155029: Lets Encrypt authorization status 'invalid'. Authorization not completed. type : urn:acme:error:dns; detail : DNS problem: NXDOMAIN looking up TXT for _acme-challenge.anonimized.3cx.ch; status : 400
at PostInstall.CertificateHelper.ProcessCertificatesDirectory(String directory, Boolean temporaryCertificateGenerated, CloudServerStatus statuses, Int32 regenerateCertificateExiredInDays, String appBin, UInt16 sipPort, UInt16 tunnelPort)
at PostInstall.CertificateHelper.RenewCertificates(String appBin, String nginxConfigFolder, String configurationPath)

I restarted all 3CX services in the hope it would trigger a certificate renewal, but I guess it is scheduled for somewhere around 5 AM, so that didn't work either.
 
I have had the same email error message for the last 2 nights. Running on Windows 10. Rebooted yesterday after the first error email but got same error email last night.
 
Hi,

I can confirm mine failed again this morning (05:49). This was the email I received from the PBX advising of such:

I have replaced the part of the URL that contains our PBX with 'mypbx' in the text below for privacy reasons.

I've done DNS lookups on _acme-challenge.mypbx.3cx.co.uk for a few of the PBXs we manage but can't find TXT records for any of them.

Does this help?

Subject - Renewal for SSL Certificate for mypbx.3cx.co.uk failed

HTTPS Certificate renewal Failed - Error:
IpUpdater.FqdnGenerationException: Error creating FQDN: 2156243: Lets Encrypt authorization status 'invalid'. Authorization not completed. type : urn:acme:error:dns; detail : DNS problem: NXDOMAIN looking up TXT for _acme-challenge.mypbx.3cx.co.uk; status : 400 : ; LetsEncrypt: 2156243: Lets Encrypt authorization status 'invalid'. Authorization not completed. type : urn:acme:error:dns; detail : DNS problem: NXDOMAIN looking up TXT for _acme-challenge.mypbx.3cx.co.uk; status : 400
at PostInstall.CertificateHelper.ProcessCertificatesDirectory(String directory, Boolean temporaryCertificateGenerated, CloudServerStatus statuses, Int32 regenerateCertificateExiredInDays, String appBin, UInt16 sipPort, UInt16 tunnelPort)
at PostInstall.CertificateHelper.RenewCertificates(String appBin, String nginxConfigFolder, String configurationPath)
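
An added example, not part of any post in this thread and not 3CX code: a small triage script that separates the two failure messages reported here (the 600-second FQDN timeout and the ACME DNS-01 NXDOMAIN) and pulls out the `_acme-challenge` record to look up. The function name `classify`, the category labels and the sample strings are assumptions constructed from the errors quoted above.

```python
import re

# Constructed samples, modelled on the notifications quoted in this thread
# ('mypbx' is the placeholder hostname the poster used).
SAMPLE_DNS = (
    "IpUpdater.FqdnGenerationException: Error creating FQDN: 2156243: Lets Encrypt "
    "authorization status 'invalid'. Authorization not completed. type : "
    "urn:acme:error:dns; detail : DNS problem: NXDOMAIN looking up TXT for "
    "_acme-challenge.mypbx.3cx.co.uk; status : 400"
)
SAMPLE_TIMEOUT = "IpUpdater.FqdnGenerationException: Can not create FQDN in 600 seconds"

ACME_TYPE = re.compile(r"type\s*:\s*(urn:acme:error:[A-Za-z]+)")
DETAIL = re.compile(r"detail\s*:\s*([^;]+)")
CHALLENGE = re.compile(r"\b(_acme-challenge\.[A-Za-z0-9.-]+[A-Za-z0-9])")
TIMEOUT = re.compile(r"Can not create FQDN in (\d+) seconds")


def classify(message):
    """Return a dict describing one renewal-failure notification."""
    result = {"category": "unknown", "acme_type": None, "detail": None,
              "challenge_record": None, "check": None}
    timeout = TIMEOUT.search(message)
    if timeout:
        result["category"] = "fqdn-timeout"
        result["detail"] = f"no FQDN after {timeout.group(1)} s"
        return result
    acme = ACME_TYPE.search(message)
    if acme:
        result["acme_type"] = acme.group(1)
        detail = DETAIL.search(message)
        result["detail"] = detail.group(1).strip() if detail else None
    record = CHALLENGE.search(message)
    if record:
        result["challenge_record"] = record.group(1)
        # Equivalent of the manual TXT lookup described in the post above.
        result["check"] = ["dig", "+short", "TXT", record.group(1)]
    if result["acme_type"] == "urn:acme:error:dns" and "NXDOMAIN" in message:
        result["category"] = "dns-01-txt-missing"
    elif acme:
        result["category"] = "acme-other"
    return result


if __name__ == "__main__":
    for sample in (SAMPLE_DNS, SAMPLE_TIMEOUT):
        print(classify(sample))
```

A `dns-01-txt-missing` result means the validation TXT record was absent when Let's Encrypt queried it, which matches the empty manual lookups reported in this thread.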
 
After 2 failed renewals I'm happy to report the system managed to renew the SSL-certificate correctly tonight. I did restart all 3CX-Services yesterday, so I don't know if that fixed it or it was just a temporary problem, but in my case the problem is solved.
 
Ours also renewed successfully last night after failing the two previous nights. No change was made at our end so issue or fix must have been outside of our control.
 
Agreed, ours also renewed successfully last night.

Interestingly I can now see a valid TXT entry on our 3cx supplied domain -

_acme-challenge.mypbx.3cx.co.uk (again I have replaced our specific URL with 'mypbx')

So I'm guessing, as this is a 3CX-issued domain record, an error crept into 3CX's Let's Encrypt provisioning system (or is this record somehow generated by the instance of 3CX that's running?)

Perhaps 3cx support could confirm? Would just be interesting to know the root cause.

Regards,

Dave.
 
Glad to see the issue has been resolved. What you ran into seems to have been an error related to an issue on Google DNS that prevented ERP from creating the records necessary for certificate renewal/issuing, which seems to have been fixed since yesterday morning.
 
@Nicolas V.

Can you please confirm if the issue is fixed for you or not?
 
Thanks Yiannis,

That would make sense.

Regards,

David.
 