Let's Encrypt SSL Cert for 3CX

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: aps.east.3cx.us

I ran this command: I did not run a command but the 3CX is automatically trying to renew the SSL Cert but the underlying OS is Windows 7 so it is not working.

It produced this output: The SSL Cert is not renewing because of the Windows 7 and we are getting an error about it trying too many times in a week's period and now the cert is disabled or removed. I just need to see if that week period can be temporarily extended or the error cleared when we go to swap the server out for a Windows 10 machine here in the next few days or week. That way the 3CX install will complete properly.

My web server is (include version): 3CX V16 SP7

The operating system my web server runs on is (include version): Windows 7 but is going to be replaced with a Windows 10

My hosting provider, if applicable, is: onsite server not hosted in cloud at all

I can login to a root shell on my machine (yes or no, or I don't know): N/A

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No just 3CX

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): No client just 3CX

2 Likes

Welcome to the Let's Encrypt Community, Daniel :slightly_smiling_face:

You are most certainly successfully acquiring certificates for aps.east.3cx.us as you have hit the duplicate certificate limit of 5 certificates with the exact same SANs (in any order) in any 7-day period. This means that you have a certificate installation issue, not a certificate acquisition issue. Hopefully you have at least one of the certificates you have acquired (and its private key) saved somewhere on your server.

2 Likes

The problem coincides with new R3 issuances:

So either:

  • the system is unable to handle the new R3 intermediate and rejects the newly obtained cert
  • the system is not using the new R3 intermediate and rejects the newly formed cert/chain (based on previous X3 intermediate)

Which client does it use to get/renew certs?

1 Like

Yeah I think the issue has to do with the server running Windows 7 as we are seeing this same issue with all of our remaining Windows 7 3CX Servers. Something in that OS that it does not like. What really kills me is that since we have this issue and we are being blocked by Let's Encrypt for too many attempts, when we go to replace the Windows 7 Server with a supported Windows 10 server and we attempt the 3CX installation the FQDN creation, SSL Cert creation and test fails because of the lock out. So we are unable to continue the 3CX install on the new Windows 10 server. I was hoping there was a way to clear that lock out right before we do the server replacement so that the 3CX install will complete and this issue will no longer be an issue as the server will now be Windows 10 going forward.

1 Like

I am not sure what client is being used as it is all handled in the coding of the 3CX software. I do not do any of the SSL Cert renewing myself. It's an automated process in the 3CX software. But the server running this is Windows 7 and that seems to be the issue here. And even though we are trying to replace the server with a Windows 10 server we are unable to because of the lock out by Let's Encrypt from the failed Windows 7 machine attempts.

1 Like

Keep in mind that you are successfully acquiring certificates, which means that there's a configuration issue on your server with using the certificates. I have a sneaking suspicion that this has nothing to do with your operating system, but has everything to do with the recent transition to the R3 intermediate certificate and your software having the Let's Encrypt Authority X3 intermediate certificate "pinned", which is causing your software to reject the new certificates. See here, which matches the screenshot from @rg305 above.

1 Like

So the reason I don't think it's a software issue, other than the software not liking the Windows 7 OS, is because the software, i.e. 3CX, is using the newest version that other customers are using fine on Windows 10 with no issues. We only see the issue with 3CX on Windows 7. Either way I don't really care why the issue is happening, I am looking for a way to clear the block so that way when we replace that server with Windows 10 the install will complete getting past the SSL cert block error. Is there any way Let's Encrypt can do that for me or is there a portal I can log in to at Let's Encrypt to manage that myself?

1 Like

There's no way to "clear" the rate limit. There is a means to bypass it, but that won't help much in the current situation.

1 Like

Hello @djaskulski,

I'm sorry but no, I'm afraid you must wait at least until Fri Jan 15 06:44:00 UTC 2021 (better a couple of hours later 08:44 to be sure) to be able to issue a new cert for domain aps.east.3cx.us.

Cheers,
sahsanu

1 Like
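
An added example, not part of any post in this thread and not Let's Encrypt or 3CX code: it models the duplicate certificate limit as described above (5 certificates with the exact same SANs, in any order, in any 7-day period) and computes when the sliding window next opens. The hostnames, timestamps and the exact window boundary handling are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

LIMIT = 5                     # duplicate certificate limit as stated in the thread
WINDOW = timedelta(days=7)    # "any 7-day period"

def san_key(names):
    """Identity of a certificate for this limit: its SAN set, order and case ignored."""
    return frozenset(n.strip().lower() for n in names)

def next_allowed(issuances, names, now):
    """Earliest time a new certificate for exactly `names` can be issued.

    `issuances` holds (issued_at, san_list) pairs, e.g. read from Certificate
    Transparency logs. Only certificates actually issued for the same SAN set
    count; nothing is "reset" by later attempts, old issuances simply age out.
    """
    key = san_key(names)
    recent = sorted(t for t, sans in issuances
                    if san_key(sans) == key and now - WINDOW < t <= now)
    if len(recent) < LIMIT:
        return now
    # A slot opens once the LIMIT-th most recent issuance is older than WINDOW.
    # Assumption: the boundary is treated as exclusive; allow some margin in practice.
    return recent[-LIMIT] + WINDOW

def utc(*args):
    return datetime(*args, tzinfo=timezone.utc)

# Constructed sample data (not the real issuance history of any domain).
SAMPLE = [
    (utc(2021, 1, 5, 6, 0), ["pbx.example.com"]),    # already outside the window
    (utc(2021, 1, 8, 6, 10), ["pbx.example.com"]),
    (utc(2021, 1, 8, 12, 3), ["PBX.example.com"]),   # same set, different case
    (utc(2021, 1, 9, 6, 2), ["pbx.example.com"]),
    (utc(2021, 1, 9, 12, 1), ["pbx.example.com", "www.example.com"]),  # different set
    (utc(2021, 1, 10, 6, 5), ["pbx.example.com"]),
    (utc(2021, 1, 10, 12, 4), ["pbx.example.com"]),
]

if __name__ == "__main__":
    now = utc(2021, 1, 12, 9, 0)
    print("next issuance possible at:", next_allowed(SAMPLE, ["pbx.example.com"], now))
```

A client that keeps renewing twice a day will take each slot as soon as it opens, which is why the limit appears never to clear until the installation problem itself is fixed.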

Thank you, I was hoping there would be but was not optimistic.

1 Like

Yeah the issue with that is the 3CX is automatically trying to renew the cert every day at 12:00 and 6:00 in the morning and according to 3CX that cannot be stopped. So each day the cert tries to renew and fails again resetting that counter it seems.

1 Like

Check to see if your software has something like a "cacert" or "cabundle" or "chain" file sitting on your server. Replacing that file with the correct intermediate certificate (R3), while not a long-term solution, would immediately resolve the issue you've been facing. If you do find the file I'm referencing to change, its contents should match the old intermediate certificate (Let's Encrypt Authority X3).

1 Like

It's not resetting a counter, per se. You've either acquired too many certificates or the window clears so you successfully acquire a certificate. This isn't like a password prompt. If you have a recent certificate and private key sitting on your server, you can likely fix this issue immediately.

1 Like

See that is the issue. I don't have access to the cert, it's all controlled by the 3CX software internally itself. They ask for and create the cert not me specifically. I could search the server but what's there is there I won't have access to anything else other than what is on the server.

If you can't or don't want to address this yourself, I recommend contacting 3CX and pointing them at this thread.

2 Likes

I will see if they will but likely they won't. They do not support Windows 7 at all. Hence why we are trying to get these people on Windows 10. Everything works fine on Windows 10 machines. Thank you for the help.

1 Like