Certbot Renewal Fails with Dynamic Portal

Support forum for the ViciBox ISO Server Install and ISO LiveCD Demo


Postby vkad » Thu Aug 27, 2020 2:20 pm

As it is about time my web server issued a request to renew the SSL certificate using certbot, it failed spectacularly, taking down all the agents on it.

The issue is the ACME servers can't access our server due to the dynamic portal.

How can we resolve this issue?

Thanks
Vicibox 8.0.1 (Asterisk 13.21.0-vici) + Remote WebRTC Agents
Version: 2.14b0.5 | SVN: 2990 | DB Version: 1548
1 x DB + Web + Dialer - E3 1270 v6 + 16gb ddr4 + 256gb SSD
2 x Additional Dialer - E3 1270 v6 + 8gb ddr4 + 256gb SSD
vkad
 
Posts: 204
Joined: Thu Nov 09, 2017 3:46 am

Re: Certbot Renewal Fails with Dynamic Portal

Postby carpenox » Thu Aug 27, 2020 4:42 pm

are you directing all traffic to port 81 or 446 for the dynportal? Is your firewall open to port 443 and 80?
2 x Intel Xeon X3450 at 2.66GHz | 16GB DDR4
ViciBox v9.0.3 | Version: 2.14-772a | BUILD: 201004-1045 | SVN Version: 3304 | DB Schema Version: 1608 | Asterisk 13.34.0
http://www.CyburityLLC.com -: 844-PC-SATA-2 - :- www.contactcentersRus.com
carpenox
 
Posts: 688
Joined: Wed Apr 08, 2020 2:02 am
Location: Coral Springs, FL

Re: Certbot Renewal Fails with Dynamic Portal

Postby williamconley » Thu Aug 27, 2020 8:46 pm

First:

iptables -I INPUT 1 -j ACCEPT


Second:

Run the certbot renewal

Third:

iptables -D INPUT -j ACCEPT


Of course, certbot shouldn't have broken anything if it was configured correctly ... unless you canceled in the middle and it was partially done. That could be awkward, I guess.
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: NonDisruptive Lead Loader for Enterprise Vicidial Clusters.
(IE: Keep on dialing even while loading large lists!)
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 19598
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: Certbot Renewal Fails with Dynamic Portal

Postby Kumba » Fri Sep 11, 2020 2:16 am

So part of the problem is that the ACME servers come from a wide range of places. You're going to need to modify the certbot bash script so that it opens up the web ports to the whole internet, renews the cert, then closes the port. I'll work on modifying the certbot script so that it does this in the future.

In the meantime, as a workaround, you would want to either create a bash script or modify the crontab so that it opens port 80 to the internet before running certbot and closes it after. Here's what that bash script would look like:

#!/bin/bash
# Open port 80 (the http service) to the internet in the public zone so the ACME validation can reach the webroot
firewall-cmd --zone=public --add-service=http
# Non-interactive renewal using the webroot plugin; output is discarded for cron
/usr/bin/certbot -n --webroot renew >/dev/null 2>&1
# Close port 80 again once the renewal has finished
firewall-cmd --zone=public --remove-service=http

You would then run this bash script in place of the certbot entry in the crontab.

You could also just put the firewall-cmd lines above in the actual crontab. You'd just put the first one before certbot and the second after certbot in the cron, just like how they're listed.
Kumba
 
Posts: 871
Joined: Tue Oct 16, 2007 11:44 pm
Location: Florida
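A hardened variant of the workaround above, added here as an example (it is not from the thread or from the ViciBox scripts): it keeps the time port 80 is exposed as short as possible, closes the port again even if certbot aborts or the script is interrupted, and logs every open/close so the exposure window is auditable. It assumes firewalld with the public zone as in the post above; the log path and the FIREWALL_CMD/CERTBOT overrides are this example's own additions.

```shell
#!/bin/bash
# Example renewal wrapper (not part of the thread): open the http service only
# for the duration of the certbot run and guarantee it is closed afterwards.
set -u

# Commands and paths are overridable so the logic can be tested without
# a real firewalld or certbot. Defaults match the script in the post above.
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"
CERTBOT="${CERTBOT:-/usr/bin/certbot}"
ZONE="${ZONE:-public}"
LOG="${LOG:-/var/log/certbot-renew-window.log}"   # assumed log location

log() { printf '%s %s\n' "$(date -u +%FT%TZ)" "$*" >>"$LOG"; }

open_http()  { "$FIREWALL_CMD" --zone="$ZONE" --add-service=http    >/dev/null; }
close_http() { "$FIREWALL_CMD" --zone="$ZONE" --remove-service=http >/dev/null; }

# Run the renewal inside an open/close window. Returns certbot's exit status,
# but the port is closed on every path: normal completion, certbot failure,
# or the script being killed (EXIT/INT/TERM trap).
renew_with_window() {
    if ! open_http; then
        log "could not open http in zone $ZONE; renewal not attempted"
        return 2
    fi
    log "http opened in zone $ZONE for ACME validation"
    trap 'close_http; log "http closed by trap"' EXIT INT TERM

    rc=0
    "$CERTBOT" -n --webroot renew >>"$LOG" 2>&1 || rc=$?

    trap - EXIT INT TERM
    close_http
    log "http closed; certbot exit status $rc"
    return "$rc"
}

# Cron entry would call this script; the function is invoked only when the
# script is executed directly so it can also be sourced for testing.
if [ "${0##*/}" = "certbot-renew-window.sh" ]; then
    renew_with_window
fi
```

certbot's own `renew` command also accepts `--pre-hook` and `--post-hook`, which can carry the same two firewall-cmd calls; the wrapper above adds the trap and log lines that those hooks do not give you.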
