Certificate requests for systems on the same subnet fail


#1

We are using FreePBX from Sangoma and have several servers on the same public subnet. The issue we are seeing is that as soon as one PBX on the subnet has successfully gotten a Let’s Encrypt certificate, requests from all other PBXs on that same public subnet fail. The error we see is “There was an error updating the certificate: array_reduce() expects parameter 1 to be array, null given”. So my question (and I have posed the same question to Sangoma) is whether the error is related to the fact that the PBXs are on the same public subnet. Do we need to get a different kind of cert, possibly one that we load into all the servers on the same subnet?


#2

Perhaps a Sangoma bug of some sort? Hopefully they can help you to diagnose if the problem is solely with FreePBX or if there is some underlying Let’s Encrypt error occurring and if so what that is.

Let’s Encrypt won’t care about your network topology decisions, so long as a PBX has a Fully Qualified Domain Name on the Public Internet, Let’s Encrypt is in principle able to issue a certificate for that name. I do not think, based on what you’ve said, that you will need a “different kind of cert”.

Let’s Encrypt does have some rate limits, to protect the service for everybody to use - but I can’t imagine you’ve tripped those with just one PBX - https://letsencrypt.org/docs/rate-limits/


#3

I am not yet smart enough about certificates to know if what I am trying to do will work. I think it is a bug, but don’t know where. What I do know is that I can successfully get a Let’s Encrypt certificate for one PBX on the same subnet, but trying to get another for a different system on the same subnet will fail. For example:

customer1.bkss.net is at x.y.z.20
customer2.bkss.net is at a.b.c.20

I can successfully get certificates for both systems.

However, if I add customer3.bkss.net at x.y.z.25 (same subnet as customer1), then the certificate request will fail.

I am stuck and don’t know how to move forward. They suggested I sign up with Start SSL and get a certificate that I can use on multiple servers.


#4

What you’re asking for should work.

I appreciate that for you the priority is to get this working, and I can’t blame you if you find that signing up with Start SSL is faster in this circumstance.

The error message you describe “There was an error updating the certificate: array_reduce() expects parameter 1 to be array, null given” seems to come from FreePBX, not Let’s Encrypt, and so they’re best placed to help directly, but volunteers like me would be happy to try to help their development team if they bring questions here too of course.


#5

With regard to using one certificate on multiple servers, in essence there’s no difference between Let’s Encrypt and StartSSL (when not a wildcard certificate). Just make sure all the required hostnames are in the SubjectAltNames field of the certificate.
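
The SubjectAltName check described in reply #5, as an added example that is not part of the original thread or of FreePBX or Let’s Encrypt tooling: it reports which required hostnames a certificate does not cover, treating a wildcard entry as matching exactly one leftmost label. The function names and the sample certificate are constructed for illustration; the certificate dict has the shape returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
import socket
import ssl


def san_dns_names(cert):
    """DNS entries from a cert dict shaped like ssl.SSLSocket.getpeercert()."""
    return [v.lower().rstrip(".")
            for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


def covers(san, host):
    """True if one SAN entry matches host; '*.' matches exactly one leftmost label."""
    host = host.lower().rstrip(".")
    if san.startswith("*."):
        label, _, rest = host.partition(".")
        return bool(label) and rest == san[2:]
    return san == host


def missing_hostnames(cert, required):
    """Hostnames from `required` that no SAN entry in `cert` covers."""
    sans = san_dns_names(cert)
    return [h for h in required if not any(covers(s, h) for s in sans)]


def fetch_cert(host, port=443, timeout=5.0):
    """Fetch the validated leaf certificate a live server presents (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample: a certificate issued for two of the three PBX hostnames.
SAMPLE_CERT = {
    "subject": ((("commonName", "customer1.bkss.net"),),),
    "subjectAltName": (("DNS", "customer1.bkss.net"),
                       ("DNS", "customer2.bkss.net")),
}
REQUIRED = ["customer1.bkss.net", "customer2.bkss.net", "customer3.bkss.net"]

if __name__ == "__main__":
    print("not covered:", missing_hostnames(SAMPLE_CERT, REQUIRED))
```

Against a deployed server, pass the result of `fetch_cert(hostname)` in place of `SAMPLE_CERT`; a hostname mismatch raised during the handshake already means that name is not in the certificate.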


#6

I will check with Sangoma to see if their interface supports entering multiple host names. If not, is there a way I can get a certificate directly from your site?


#7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.