Certbot Renewal Fails with Dynamic Portal

Support forum for the ViciBox ISO Server Install and ISO LiveCD Demo

Postby vkad » Thu Aug 27, 2020 2:20 pm

As it was about time my web server issued a request to renew the SSL certificate using certbot, it failed spectacularly, taking down all the agents on it.

The issue is that the ACME servers can't access our server due to the dynamic portal.

How can we resolve this issue?

Vicibox 8.0.1 (Asterisk 13.21.0-vici) + Remote WebRTC Agents
Version: 2.14b0.5 | SVN: 2990 | DB Version: 1548
1 x DB + Web + Dialer - E3 1270 v6 + 16gb ddr4 + 256gb SSD
2 x Additional Dialer - E3 1270 v6 + 8gb ddr4 + 256gb SSD
Posts: 204
Joined: Thu Nov 09, 2017 3:46 am

Re: Certbot Renewal Fails with Dynamic Portal

Postby carpenox » Thu Aug 27, 2020 4:42 pm

Are you directing all traffic to port 81 or 446 for the dynportal? Is your firewall open on ports 443 and 80?
Leap 15.2 | Version: 2.14-815a | BUILD: 210615-1108 | SVN Version: 3456 | DB Schema Version: 1635 | Asterisk 16.17.0-vici
www.CyburityLLC.com -:- 844-PC-SATA-2 -:- My Blog: the.cyburhacker.com -:- Whatsapp: +19549477572 -:- Skype: live:carpenox_3
Posts: 1362
Joined: Wed Apr 08, 2020 2:02 am
Location: Coral Springs, FL

Re: Certbot Renewal Fails with Dynamic Portal

Postby williamconley » Thu Aug 27, 2020 8:46 pm

# Temporarily accept all inbound traffic (rule inserted at position 1 of the INPUT chain):
iptables -I INPUT 1 -j ACCEPT

Run the certbot renewal

# Remove that accept-all rule again:
iptables -D INPUT -j ACCEPT

Of course, certbot shouldn't have broken anything if it was configured correctly ... unless you canceled in the middle and it was partially done. That could be awkward, I guess.
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
Posts: 19727
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: Certbot Renewal Fails with Dynamic Portal

Postby Kumba » Fri Sep 11, 2020 2:16 am

So part of the problem is that the ACME servers come from a wide range of places. You're going to need to modify the certbot bash script so that it opens up the web ports to the whole internet, renews the cert, then closes the port. I'll work on modifying the certbot script so that it does this in the future.

In the meantime, as a workaround, you would want to either create a bash script or modify the crontab so that it opens port 80 to the internet before running certbot and closes it after. Here's what that bash script would look like:

#!/bin/bash
# Open port 80 (the http service) in the public zone so the ACME HTTP-01 check can reach the webroot
firewall-cmd --zone=public --add-service=http
/usr/bin/certbot -n --webroot renew >/dev/null 2>&1
# Close port 80 again once the renewal has run
firewall-cmd --zone=public --remove-service=http

You would then run this bash script in place of the certbot entry in the crontab.

You could also just put the firewall-cmd lines above in the actual crontab. You'd just put the first one before certbot and the second one after certbot in the cron, just like how they're listed.
Posts: 886
Joined: Tue Oct 16, 2007 11:44 pm
Location: Florida
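One weakness of the three-line script above is that if certbot is killed or the machine is interrupted mid-renewal, the http service stays open in the public zone. The wrapper below is an added example, not Kumba's script or anything shipped with ViciBox; it assumes the same firewalld (firewall-cmd) and /usr/bin/certbot setup as the post, and the FIREWALL_CMD, CERTBOT and ZONE variables are hypothetical overrides added here so the functions can be exercised without a real firewall.

```shell
#!/bin/bash
# Added example, not code from the thread: wrapper for the firewalld workaround
# that guarantees the http service is removed from the zone again, even when
# certbot fails or the script is interrupted mid-renewal.
# Assumed: firewalld (firewall-cmd) and /usr/bin/certbot, as in the post above.
# FIREWALL_CMD, CERTBOT and ZONE are hypothetical overrides (handy for testing).
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"
CERTBOT="${CERTBOT:-/usr/bin/certbot}"
ZONE="${ZONE:-public}"

# Runtime-only change (no --permanent): it does not survive a firewalld reload,
# which is what we want for a temporary validation window.
open_http() {
    "$FIREWALL_CMD" --zone="$ZONE" --add-service=http
}

close_http() {
    "$FIREWALL_CMD" --zone="$ZONE" --remove-service=http
}

# Open port 80, run the renewal, close port 80 again regardless of outcome.
# Returns certbot's exit status so cron reports a failed renewal instead of
# silently leaving an expiring certificate in place.
renew_with_open_port() {
    local status
    open_http || return 1
    # EXIT trap: close the port even if the script is killed or exits early.
    trap 'close_http' EXIT
    "$CERTBOT" -n --webroot renew
    status=$?
    trap - EXIT
    if ! close_http; then
        echo "WARNING: could not remove http from zone $ZONE; port 80 may still be open" >&2
        [ "$status" -eq 0 ] && status=2
    fi
    return "$status"
}

# Crontab entry (replaces the plain certbot line): /path/to/this-script.sh run
if [ "${1:-}" = "run" ]; then
    renew_with_open_port
fi
```

Because the crontab line only ever calls the wrapper, the port is open for just the seconds certbot needs, and a non-zero exit reaches cron's mail either way.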
