Cannot issue Let's encrypt certificate


(Lucas Ryan) #1

I just installed a new FreePBX box (10.13.66-21) and cannot issue a new Let’s Encrypt certificate. I receive the error below. I tested on another install as well with the same issue. Is anyone else having this issue?

There was an error updating the certificate: HTTP Challenge for DOMAIN.COM is not available. Whole response: {"type":"urn:acme:error:unauthorized","detail":"No registration exists matching provided key","status":403}


#2

I doubt that you are authoritative over DOMAIN.COM ;-). You need to arrange for an FQDN outside of Asterisk/FreePBX to point to your server.


(Lucas Ryan) #3

:slight_smile: I should have been clear. I removed the fqdn from the error message that I posted. The fqdn is a valid address, and I am currently using that fqdn to access the web interface of the PBX.


#4

Then your FQDN “as is” is not replying on port 80 to the challenge from letsencrypt.com; check your firewall.


(Lucas Ryan) #5

These are my firewall settings that relate to Let’s encrypt.


#6

Apparently that doesn’t work; you need to fix that.

letsencrypt needs your FQDN to reply directly on port 80, and the entity at your FQDN that replies MUST be your server in question.


(Lucas Ryan) #7

Changing the zone temporarily to Trusted doesn’t work either. These are the rules that get created automatically with the Certificate manager. These are the rules that have also worked in the past. Do you have any specific recommendations as to how to proceed/fix this?


#8

No, that would be one for whoever does your firewall management and your DNS service; it needs to both accept the connection and reply appropriately (which should be your local letsencrypt script).


(Lucas Ryan) #9

This example is on a cloud hosted VPS, with no other firewall, other than the built in firewall that is installed when I install the FreePBX image. On the FreePBX server, I am pointing to Google’s DNS 8.8.8.8. My DNS registrar has the correct information in regards to fqdn and associated IP address. Are you suggesting to contact the VPS provider and see if anything is being blocked at their location?


#10

No, I have no knowledge of your firewall, and personally I don’t use any Sangoma suggested or supplied one; as such I have never had a problem with letsencrypt. Please wait for a Sangoma guy to answer.


(Tom Ray) #11

The fact that there is a log of this means the Firewall didn’t block anything. That is a 403 Forbidden error and it states that “No registration exists matching provided key”. That’s a pretty clear error reason.

Have you made sure your key works? It’s registered properly with them? Looking at the firewall has nothing to do with this.


(Lucas Ryan) #12

Thanks for the further details @BlazeStudios . Crossing things off the list at least. My only experience with the Let’s Encrypt Certbot/Cert Manager is through the FreePBX GUI. I literally just make sure my domain name is correct, and put in the country/state in the GUI, and it has always “automagically” worked. How would I go about verifying that the key works and is properly registered with them?


(Tom Ray) #13

I don’t use them but I would assume you have some sort of an account with them for this.


#14

There is no account nor assumption of any sort involved. If you have an FQDN, it resolves back to your machine, and there is no block on HTTP traffic, it will always work; that is its essential purview. If anything gets in the way of that dialog, then you have to fix that.

I would point out that AFTER a certificate has been issued, you will then need port 443 open to maintain and renew it (that should be a duh!).


(Andrew Nagy) #15

Let’s Encrypt does not renew over port 443 like it does over port 80 (HTTP-01). Port 443 renewals are what’s called a TLS-SNI-01 challenge. In that case it has to change the actual certificate to return the authorization key temporarily inside of the self-signed, self-generated certificate, utilizing RFC 6066. In keeping with FreePBX open source standards and security, it is not something FreePBX supports, as it would require restarting Apache and changing certificates temporarily on the fly, something FreePBX should not have control over without something like incrond. Therefore FreePBX only supports HTTP-01 challenge types, even after you have a certificate. So opening up port 443 to Let’s Encrypt is irrelevant in the FreePBX case. If you use certbot then you are on the CLI already and don’t have to worry about FreePBX security issues (web to CLI as root user).

> A client responds to this challenge by constructing a self-signed
> certificate which the client MUST provision at the domain name
> concerned in order to pass the challenge.
>
> The certificate may be constructed arbitrarily, except that each
> certificate MUST have exactly two subjectAlternativeNames, SAN A and
> SAN B. Both MUST be dNSNames.

https://tools.ietf.org/html/draft-ietf-acme-acme-03#section-7.3
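
As an added example (not code from this thread, from FreePBX or from Let's Encrypt), here is the HTTP-01 exchange that post #15 says FreePBX relies on, and that posts #4, #6 and #14 say must be reachable on port 80, modelled end to end on localhost in Python: the responder side that serves the key authorization, and the validator side that fetches and checks it as the CA does. It also shows the point post #11 raises, that the challenge is bound to the ACME account key, not only to DNS and the firewall: a responder provisioned with a different account key fails validation even though the HTTP request succeeds. The account keys, the token and the listening port are assumptions (constructed dummies and an ephemeral 127.0.0.1 port instead of port 80).

```python
# Added example, not code from the thread or from FreePBX: a minimal model of the
# ACME HTTP-01 challenge that post #15 describes, run entirely on localhost.
# Assumptions: the account keys and token below are constructed dummies, and the
# responder listens on an ephemeral 127.0.0.1 port instead of the real port 80.
import base64
import hashlib
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def b64url(data):
    """Base64url without padding, the encoding ACME/JOSE use everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required
    members only (RSA: e, kty, n; EC: crv, kty, x, y), sorted, no whitespace.
    Optional members such as "alg" or "kid" do not change the result."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token, account_jwk):
    """Body an HTTP-01 responder must serve for a token: "<token>.<thumbprint>".
    The thumbprint binds the challenge to the ACME *account* key, so a key the CA
    has no registration for cannot validate even with DNS and port 80 correct."""
    return token + "." + jwk_thumbprint(account_jwk)


class ChallengeResponder(BaseHTTPRequestHandler):
    """Serves provisioned key authorizations under the challenge path; 404 otherwise."""
    challenges = {}  # token -> key authorization, set by run_local_demo()

    def do_GET(self):
        if self.path.startswith(CHALLENGE_PREFIX):
            body = self.challenges.get(self.path[len(CHALLENGE_PREFIX):])
            if body is not None:
                data = body.encode("ascii")
                self.send_response(200)
                self.send_header("Content-Type", "application/octet-stream")
                self.send_header("Content-Length", str(len(data)))
                self.end_headers()
                self.wfile.write(data)
                return
        self.send_response(404)
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet; a real responder should log every probe


def validate_http01(host, port, token, account_jwk):
    """What the CA does: GET the challenge URL over plain HTTP and compare the
    body with the key authorization it expects for this account. Any network
    failure, non-200 status or wrong body means the challenge fails."""
    url = "http://%s:%d%s%s" % (host, port, CHALLENGE_PREFIX, token)
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no proxy
    try:
        with opener.open(url, timeout=5) as resp:
            body = resp.read().decode("ascii").strip()
    except Exception:
        return False
    return body == key_authorization(token, account_jwk)


def run_local_demo(token, account_jwk, provision_jwk=None, provision_token=None):
    """Start a responder that serves the key authorization for `provision_token`
    (default: `token`) computed with `provision_jwk` (default: `account_jwk`),
    validate `token` against `account_jwk` the way the CA would, then stop."""
    provision_jwk = provision_jwk or account_jwk
    provision_token = provision_token or token
    server = HTTPServer(("127.0.0.1", 0), ChallengeResponder)
    ChallengeResponder.challenges = {
        provision_token: key_authorization(provision_token, provision_jwk)}
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return validate_http01("127.0.0.1", server.server_address[1], token, account_jwk)
    finally:
        server.shutdown()
        server.server_close()


# Constructed dummy account keys (not real RSA moduli) and a constructed token.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": b64url(b"constructed-account-key-1")}
OTHER_JWK = {"kty": "RSA", "e": "AQAB", "n": b64url(b"constructed-account-key-2")}
TOKEN = "constructed-token-0123456789abcdef"

if __name__ == "__main__":
    print("responder and CA agree on the account key :", run_local_demo(TOKEN, ACCOUNT_JWK))  # True
    print("responder provisioned for another account :", run_local_demo(TOKEN, ACCOUNT_JWK, OTHER_JWK))  # False
    print("token never provisioned (404)             :", run_local_demo(TOKEN, ACCOUNT_JWK, provision_token="other"))  # False
```

The three runs at the bottom separate the cases the thread argues about: a reachable port 80 serving the right body passes; a reachable port 80 serving a body derived from another account key fails; and a reachable port 80 that does not know the token at all (404) fails. Against a real CA the validator is on their side, so from the server you can only check the first half of the exchange, that the path under `/.well-known/acme-challenge/` answers on plain HTTP from outside your network.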


#16

As I said, I don’t use the “FreePBX” firewall nor any commercial modules; IWFM though, as stated, so the answer to the OP is?


(Lucas Ryan) #18

Another test I suppose would be to use another FreePBX install, and try to generate a new certificate using another, completely separate domain name.

Is there any way to see if my domain name is “blocked” or restricted in anyway with Let’s Encrypt?


(Jeff Williamson) #19

I’ve been fighting this exact issue on a Vultr.com VPS. No firewalls on Vultr until you manually add one. I tried disabling the FreePBX firewall and confirmed there are no banned IPs under intrusion detection. I’ve had no issue when using the Cyberlink hosted FreePBX servers. This is my first booting from ISO for full module support VPS. Maybe it is a bug since I installed the latest version. I’m running 14.0.1.19 on Asterisk 15.0.0. What are your versions?

Edit: Confirmed Cyberlink hosted FreePBX is running FreePBX 10.13.66-20 SP1 on Asterisk 11.25.1.


#20

Seeing exactly the same here -

"There was an error updating the certificate: HTTP Challenge for pbx.xxxxxxxxxxxx.com is not available. Whole response: {"type":"urn:acme:error:unauthorized","detail":"No registration exists matching provided key","status":403}"

This isn’t a firewall problem: a packet capture shows traffic flowing on ports 80 and 443 when the server is asked to generate the letsencrypt certificate.

Part of the traffic on port 80 is: "HTTP: GET /lechecker.php?host=pbx.xxxxxxxxxx.com&path=%2F.freepbx-known%2F340e85b586e8847c082d885e45260e45&token=340e85b586e8847c082d885e45260e45&type=http HTTP/1.1"

After that there’s traffic on port 443 which is encrypted so I can’t tell what’s going on there.

This is a fresh install - no existing certs on it.

FreePBX 14.0.1.20
Sys admin 14.0.7.30


(Neolo) #21

Same problem! There is nothing wrong with the domain, DNS, firewall and so on.
The log says: "GET /.freepbx-known/7213d65753813e0e12279bb60e586cd6 HTTP/1.1" 200 32 "-" "-"
Obviously a bug. And it’s annoying, because I see multiple reports about the same problem for the last few years.