Let’s Encrypt servers validate control of the domain names for a requested certificate using “challenges,” as defined by the ACME standard. It supports both the HTTP-01 and DNS-01 challenges.
It seems FreePBX supports the HTTP-01 challenge only. This substantially complicates things in cases where the PBX is behind NAT and there is already a service using port 80 (which the HTTP-01 challenge requires).
That is what the DNS-01 challenge is for. It does not require callbacks to any ports, as domain ownership is verified through DNS.
It seems adding support for the DNS-01 challenge is not complicated. All FreePBX has to do is, when it receives the token from Let’s Encrypt, show that token to the user so the user can set a TXT record in DNS.
It’s not. You do realize that without proper support from the DNS service or a custom API for your own DNS, you’ll be re-issuing your certs manually, since each renewal/re-issue will generate a new DNS-01 challenge you have to update in your zone file and then complete the renewal in the system once it propagates.
Very briefly, your zone file will have an ephemeral TXT record to prove authority; this will be removed within seconds after . . .
DNS-01 will work in cooperation with one of over 100 name services using the scripted API; the certs will be in .acme.sh/dns.name.com, with no interaction with the PBX, just the ‘name server’. You can import them comfortably with “freepbx certs . .” added as a ‘post script’ within acme.sh.
In what way doesn’t it work? If you don’t use one of the built-in APIs and you are using your own DNS servers, then when you trigger your cert you need to add --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please, which will then kick back an ACME challenge text.
It doesn’t just automatically put it in your random DNS server’s zone file. It would need access to do such a thing, so you need an API to do so.
Once you add said _acme-challenge TXT record to your DNS and it propagates, you can then run --renew -d $domain --force, which will trigger validation of the TXT record in the DNS.
Once that is done, you can move the certs, key or pem files to the location where you will be using them.
Now there are a wide range of DNS providers that the community has added support for in Acme.sh, but unless you’re using one of those, you need to make the automation of updating your DNS records as needed happen.
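The manual acme.sh DNS-01 flow described in the post above, as an added example that is not part of the post, FreePBX or acme.sh. It assumes acme.sh at $HOME/.acme.sh/acme.sh, dig on the PATH, and acme.sh’s manual-mode output line `TXT value: '...'`; the final FreePBX import step is left as a placeholder. The propagation check accepts an alternative lookup command so it can be exercised without live DNS.

```shell
#!/bin/sh
# Added example (not FreePBX or acme.sh code): the manual DNS-01 flow from the
# post above, with a propagation check before the renew step.
# Assumptions: acme.sh lives at $HOME/.acme.sh/acme.sh, dig is installed, and
# acme.sh prints the token as "TXT value: '...'" (current versions do).
ACME="${ACME:-$HOME/.acme.sh/acme.sh}"

# Pull the challenge token out of acme.sh's manual-mode output (stdin).
parse_txt_value() {
  sed -n "s/.*TXT value: '\([^']*\)'.*/\1/p" | head -n 1
}

# TXT values currently published at _acme-challenge.<domain>, quotes stripped.
# $2 optionally names another lookup command (the default is dig).
current_txt() {
  lookup="${2:-dig +short TXT}"
  $lookup "_acme-challenge.$1" | tr -d '"'
}

# Poll until the expected token is visible in DNS; returns 1 on timeout.
# wait_for_txt <domain> <token> [timeout_s] [interval_s] [lookup_cmd]
wait_for_txt() {
  timeout="${3:-600}"; interval="${4:-30}"; waited=0
  while [ "$waited" -lt "$timeout" ]; do
    if current_txt "$1" "${5:-}" | grep -qxF -- "$2"; then
      return 0
    fi
    sleep "$interval"; waited=$((waited + interval))
  done
  return 1
}

# Step 1: request the cert in manual DNS mode; acme.sh prints the token.
issue_manual() {
  "$ACME" --issue --dns -d "$1" --yes-I-know-dns-manual-mode-enough-go-ahead-please
}
# Step 2: once the record is visible, complete validation (flags from the post).
renew_manual() {
  "$ACME" --renew -d "$1" --force --yes-I-know-dns-manual-mode-enough-go-ahead-please
}

# Usage: sh dns01-manual.sh pbx.example.com
if [ "$#" -gt 0 ]; then
  token=$(issue_manual "$1" | tee /dev/stderr | parse_txt_value)
  echo "Publish TXT _acme-challenge.$1 = $token, then wait for propagation..."
  wait_for_txt "$1" "$token" || { echo "record not visible, giving up"; exit 1; }
  renew_manual "$1"
  # Step 3 (placeholder): copy the files from $HOME/.acme.sh/$1/ to where
  # they are used, e.g. your FreePBX certificate import command.
fi
```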
We have some time for that but it will start getting shorter.
Until March 15th 2026 - 398 days expire time
March 15th 2026 - 200 days expire time
March 15th 2027 - 100 days expire time
March 15th 2029 - 45 days expire time
I understood that DNS has to be set just once, for the initial generation of the certificate.
Now I see they made it complicated to the level of unusable, even worse than using the HTTP-01 challenge.
It’s never been just once. It’s each re-issue of a cert, including renewals. It’s literally what happens with HTTP-01 too. They resend tokens each time you request a new cert or renew one.
At Namecheap you can get five years’ worth of one year certificates for $30. It will be the best money you ever spent and you only have to deal with cert replacement once a year.
That seems to imply that once a year will apply for more than one cycle, but, assuming the figures given above are correct, and browsers enforce the rules (which I think is the intent), the frequency will double after the first year, double again after the second, and more than double after the fourth.
I’m not sure if the figures represent the checks on expiry times when using the certificates, or the limits on them when creating or updating. In the former case, a certificate issued now will probably need to be renewed by March 15th next year. In the latter case, it will last to mid-July.
Sadly that is no longer true as per the time line in my previous post. Up until March 15th 2026, certs can be issued with 398 days expiry. By this time next year, your cert will have 200 days expiry. Within five years, we’ll be updating certs every 45 days.
The days listed are expiry of the cert. For the next 9 months (roughly) a cert can be issued with a maximum expiry of 398 days. If your certs are good past March 15th 2026, you will not have to suddenly re-issue it on that day. The expiry will be valid until it expires.
FreePBX has been behind the times with its ACME implementation for years, and now we’ve got some real trouble. The world is moving on and no one is going to want to cobble together scripts or do certificate stuff by hand, so an obvious question, @penguinpbx and anyone else who sets priorities for FreePBX/PBXact development… is any work being done on this? Looks like we will need something like acme.sh that provides several options, and something that would work with registrar APIs would be great too.