Solved Lets Encrypt SSL certificate Renewed FAIL

Discussion in '3CX Phone System - General' started by Richard Apthorp, Aug 21, 2017.

Thread Status:
Not open for further replies.
  1. Richard Apthorp

    Joined:
    Aug 18, 2017
    Messages:
    5
    Likes Received:
    0
    Hi,

    Let's Encrypt renewal is failing with the following error:
    Lets Encrypt SSL certificate was failed to renew. Error:
    PostInstall.LetsEncrypt.LetsEncryptRegistrationException: Network error
    at PostInstall.CertificateHelper.ProcessCertificatesDirectory(String directory, CloudServerStatus statuses, String appBin)
    at PostInstall.CertificateHelper.RenewCertificates(String appBin, String nginxConfigFolder, String configurationPath)

    I assume this is a problem with my firewall configuration; we restrict communication both ways and have allowed communication with *.letsencrypt.org on ports 80 and 443. Is anything else needed? Some posts on letsencrypt.org were suggesting direct DNS communication.

    Is there a way to force the certificate renewal now so we can monitor the firewall for dropped packets etc.?

    Thanks, Richard.
     
  2. dab

    dab

    Joined:
    Nov 1, 2009
    Messages:
    67
    Likes Received:
    1
    Let's Encrypt uses:
    Code:
    acme-v01.api.letsencrypt.org
    You need a double wildcard or just use the hostname above :)
     
  3. Richard Apthorp

    Joined:
    Aug 18, 2017
    Messages:
    5
    Likes Received:
    0
    Thanks for the suggestion, but the firewall allows anything with a *, so pointing my web browser to the URL above works.
     
  4. YiannisH_3CX

    YiannisH_3CX Support Team
    Staff Member 3CX Support

    Joined:
    May 10, 2016
    Messages:
    5,486
    Likes Received:
    357
    Do you also allow communication to activation.3cx.com? If not please do as this is required for licence and maintenance checks.
     
  5. Richard Apthorp

    Joined:
    Aug 18, 2017
    Messages:
    5
    Likes Received:
    0
    Hi,
    I have now added as per your suggestion so I have the following domains allowed:
    Code:
    erp.3cx.com
    downloads.3cx.com
    activation.3cx.com
    *.letsencrypt.org
    
    This definitely helped as I am now getting a different error:
    Code:
    Lets Encrypt SSL certificate was failed to renew. Error: System.AggregateException: One or more errors occurred. ---> PostInstall.LetsEncrypt.LetsEncryptRegistrationException: Lets Encrypt authorization status 'invalid'. Authorization not completed.   type : urn:acme:error:connection;  detail : DNS problem: NXDOMAIN looking up TXT for _acme-challenge.#########.3cx.co.uk;  status : 400
       at PostInstall.LetsEncrypt.LetsEncryptClient.<CompleteCertificateGeneration>d__13.MoveNext()
       --- End of inner exception stack trace ---
       at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
       at PostInstall.LetsEncrypt.LetsEncryptClient.RegenerateCertificate(CertificateGenerationData certGenerationData, String keyFilePath, String csrFilePath, String domainName)
       at PostInstall.CertificateHelper.ProcessCertificatesDirectory(String directory, CloudServerStatus statuses, String appBin)
       at PostInstall.CertificateHelper.RenewCertificates(String appBin, String nginxConfigFolder, String configurationPath)
    ---> (Inner Exception #0) PostInstall.LetsEncrypt.LetsEncryptRegistrationException: Lets Encrypt authorization status 'invalid'. Authorization not completed.   type : urn:acme:error:connection;  detail : DNS problem: NXDOMAIN looking up TXT for _acme-challenge.#########.3cx.co.uk;  status : 400
       at PostInstall.LetsEncrypt.LetsEncryptClient.<CompleteCertificateGeneration>d__13.MoveNext()<---
    
    Thanks, Richard.
     
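    As an added example (not from this thread, 3CX or Let's Encrypt), a small Python checker for the two problems the posts above turn on: whether an egress allow-list covers the hostnames named in posts 2 and 4 under single-label versus multi-label wildcard semantics (the "double wildcard" point), and which of the two renewal errors quoted in posts 1 and 5 a given error string is. The hostnames and the sample error strings are taken from the thread; the function names are assumptions of mine.

```python
import re
from fnmatch import fnmatchcase

# Hostnames the thread identifies as needed for 3CX Let's Encrypt renewal.
REQUIRED_HOSTS = ("acme-v01.api.letsencrypt.org", "activation.3cx.com")
# Egress allow-list as posted in post 5 above.
ALLOWLIST = ("erp.3cx.com", "downloads.3cx.com", "activation.3cx.com", "*.letsencrypt.org")
# Constructed samples: the two error strings quoted in the thread, shortened.
SAMPLE_NETWORK = "PostInstall.LetsEncrypt.LetsEncryptRegistrationException: Network error"
SAMPLE_NXDOMAIN = ("Lets Encrypt authorization status 'invalid'. Authorization not completed."
                   "   type : urn:acme:error:connection;  detail : DNS problem: NXDOMAIN looking"
                   " up TXT for _acme-challenge.#########.3cx.co.uk;  status : 400")

def matches(pattern, host, multi_label=True):
    """True if an allow-list entry covers host.
    multi_label=True: '*' spans any number of labels (how the poster's firewall behaves).
    multi_label=False: '*' matches exactly one label, so '*.letsencrypt.org' does NOT
    cover 'acme-v01.api.letsencrypt.org' and a second wildcard or the full name is needed."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if multi_label:
        return fnmatchcase(host, pattern)
    regex = "^" + re.escape(pattern).replace(r"\*", r"[^.]+") + "$"
    return re.match(regex, host) is not None

def uncovered_hosts(allowlist, required=REQUIRED_HOSTS, multi_label=True):
    """Return the required hosts that no allow-list entry covers."""
    return [h for h in required if not any(matches(p, h, multi_label) for p in allowlist)]

ACME_ERR = re.compile(r"type : (?P<type>\S+?);\s*detail : (?P<detail>.*?);\s*status : (?P<status>\d+)")
CHALLENGE = re.compile(r"_acme-challenge\.(?P<fqdn>[\w.#-]+)")

def classify_renewal_error(message):
    """Map a 3CX renewal error string to (category, details).
    'egress-blocked': no ACME response at all, check outbound rules for REQUIRED_HOSTS.
    'dns-01-missing-txt': the CA looked up _acme-challenge.<fqdn> and got NXDOMAIN."""
    m = ACME_ERR.search(message)
    if m is None:
        cat = "egress-blocked" if "Network error" in message else "unknown"
        return cat, {"check": list(REQUIRED_HOSTS)} if cat != "unknown" else {}
    info = m.groupdict()
    c = CHALLENGE.search(info["detail"])
    if "NXDOMAIN" in info["detail"] and c:
        info["fqdn"] = c.group("fqdn")
        return "dns-01-missing-txt", info
    return "acme-error", info
```

    Running uncovered_hosts(ALLOWLIST, multi_label=False) shows which hostname a single-label wildcard firewall would still block; classify_renewal_error on the NXDOMAIN sample pulls out the challenge name the CA could not resolve.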
  6. YiannisH_3CX

    YiannisH_3CX Support Team
    Staff Member 3CX Support

    Joined:
    May 10, 2016
    Messages:
    5,486
    Likes Received:
    357
    Try setting the DNS of the PBX to Google DNS if possible (8.8.8.8), then flushdns and restart all PBX services, including the nginx service.
    And wait for it to try again.
     
  7. Richard Apthorp

    Joined:
    Aug 18, 2017
    Messages:
    5
    Likes Received:
    0
    Changing the DNS is problematic as the firewall looks for our internal DNS servers making requests to valid firewall rules with wildcards.

    The PBX tried again last night and was successful.
     
  8. YiannisH_3CX

    YiannisH_3CX Support Team
    Staff Member 3CX Support

    Joined:
    May 10, 2016
    Messages:
    5,486
    Likes Received:
    357
    Glad to hear the certificate is now renewed and the issue is resolved. Did you make any changes to make this work?
    If yes, please share, as it will help someone else down the line.
     
  9. Richard Apthorp

    Joined:
    Aug 18, 2017
    Messages:
    5
    Likes Received:
    0
    No, adding the firewall rule for activation.3cx.com ports 80 and 443 as per your suggestion was the only change I made.
    Thanks for your help.
     