As most of you who are using LetsEncrypt certificates might already know, Lets Encrypt started enforcing their policy of using Multi-Perspective Validation, meaning LetsEncrypt certificate creation/validation may come from any source IP address.
Our former FreePBX firewall and certificate manager functionality of handling LetsEncrypt validation was insufficient to handle the new LetsEncrypt Multi-Perspective Validation behaviour properly because:
1) Simply white listing specific source IPs is no longer sufficient to allow creation/validation of LetsEncrypt Certificates. Global inbound access is now required for the Let’s Encrypt validation tokens.
2) LetsEncrypt validation is only possible on port 80, which forces the user to dedicate port 80 for LetsEncrypt purposes or risk exposing critical services to untrusted traffic.
To overcome the current situation, we have introduced new features to the Firewall and Certificate Manager modules.
Firewall module changes:
The new enhancement allows users to safely use port 80 for Let’s Encrypt validation while also using it for another service with restricted access. Users can continue to use port 80 for whatever Apache service they wish, and protect that service with suitable firewall rules. This new firewall feature allows world access only to the LE token folders, and only when enabled.
You can see a new configuration option, “LetsEncrypt Rules” under “Firewall -> Advanced Settings” has been added to give the flexibility for the users to enable/disable global access to the Let’s Encrypt token directories on port 80.
By default the “LetsEncrypt Rules” parameter is disabled, and should remain disabled for most configurations.
In addition, there are newly added CLI commands which perform the same functionality as the “LetsEncrypt Rules” GUI option from the backend allowing the LE rules to be enabled and disabled via scripts.
fwconsole CLI changes:
- fwconsole firewall restart
- Restarts the firewall. (Equal : disable, stop and start)
- fwconsole firewall lerules enable / disable
- Enable : Apply Letsencrypt rules and restart the firewall.
- Disable: Remove Letsencrypt rules and restart the firewall.
Certificate Manager module changes:
We have added logic to Certificate Manager so that whenever you click on Generate/Update LetsEncrypt certificate, the system automatically enables the firewall “LetsEncrypt Rules” temporarily during the certificate generation/update process and disables “LetsEncrypt Rules” once the process is complete. This will reduce the user’s effort on enabling and/or disabling “LetsEncrypt Rules” from the firewall module.
FreePBX 13 – Firewall v188.8.131.52, Certman v13.0.42
FreePBX 14 – Firewall v184.108.40.206, Certman v14.0.9
FreePBX 15 – Firewall v220.127.116.11, Certman v15.0.25
We encourage you to send us feedback so that we can continue to improve this functionality. Please provide feedback by raising issues to our open source bug tracking system, or submit feature requests or improvements to enhance this functionality further.
- Franck Danard
- Lorne Gaetz
- Sandesh Prakash
Thank you for using FreePBX.