Cannot issue Let's encrypt certificate

Seeing exactly the same here -

“There was an error updating the certificate: HTTP Challenge for pbx.xxxxxxxxxxxx.com is not available. Whole response: {“type”:“urn:acme:error:unauthorized”,“detail”:“No registration exists matching provided key”,“status”:403}”

This isn’t a firewall problem - a packet capture shows traffic flowing on ports 80 and 443 when the server is asked to generate the letsencrypt certificate.

Part of the traffic on port 80 is : “HTTP: GET /lechecker.php?host=pbx.xxxxxxxxxx.com&path=%2F.freepbx-known%2F340e85b586e8847c082d885e45260e45&token=340e85b586e8847c082d885e45260e45&type=http HTTP/1.1”

After that there’s traffic on port 443 which is encrypted so I can’t tell what’s going on there.

This is a fresh install - no existing certs on it.

FreePBX 14.0.1.20
Sys admin 14.0.7.30

Same problem! There is nothing wrong with domain, DNS, firewall and so on.
Log says “GET /.freepbx-known/7213d65753813e0e12279bb60e586cd6 HTTP/1.1” 200 32 “-” "-"
Obviously a bug. And it’s annoying, because I see multiple reports about the same problem for the last few years.

I’ve been fighting this exact issue on a Vultr.com VPS. Deployed a server two weeks ago, working fine. Deployed a server this week, getting the same error. Redeployed the server but no luck with this.

Thanks Andrew for replying, however I’m none the wiser as to where this leaves us.

Is it a FreePBX problem that can be fixed? Does a bug report need creating? Is it a Let’sEncrypt problem?

This used to work reliably in my purchased SysAdmin module but no longer does, even after several attempts at re-install.

A status update would be appreciated. Thanks.

Got the same issue

There was an error updating the certificate: HTTP Challenge for voip.utelit.com is not available. Whole response: {"type":"urn:acme:error:unauthorized","detail":"No registration exists matching provided key","status":403}

No firewall at all, DNS works ok with FQDN. After reading this thread I am unsure of how to fix the problem. Any suggestions?

Thanks

So I looked into this a bit. That error is from LE’s side and FreePBX is not the only one having issues. If you look in LE’s forums (the only place you can get support BTW) people are getting this same error. I think more importantly and kinda what @tm1000 was pointing at (maybe?), is that this problem isn’t new. This is a problem LE has had on and off over the last couple years.

There is also this new feature set they are getting ready to offer publicly in less than 60 days so who knows what that is doing to their side of things. Sadly this is a free project that has no real support or seems to be offering any support. Someone posted about this issue on their forums, they claim it’s FreePBX’s issue but yet others not using FreePBX are having the same exact errors happening. I highly doubt this is the FOSS project’s issue when various FOSS projects using LE are having the same issue reported by their users.

Having the exact same issue on trying to get a brand new install setup. Have checked the LE forums as well but the Let’s Encrypt admins are saying it’s an issue with FreePBX and are directing people here???

Probably not the issue, but I had a problem because, in Sysadmin, I changed the HTTP (admin) insecure port to something other than 80. Every time I need to renew Letsencrypt, I have to change it back to 80 temporarily.

LE renewal should still work if you have one of the other http services (restapps, provisioning, etc) on port 80.

Is there a manual workaround to this?

I’ve read the articles about deleting directories (/etc/keys/_account), etc, etc…

Tried that - but unfortunately that didn’t work either…

This issue is brand new for me within the last 2-3 weeks. I’ve done this many times before using the Certificate manager within FreePBX and never had an issue. Something changed.

If you installed a 14 system and it doesn’t work but you previously had it working on 13 then yes. The entire system changed. We will be looking into this issue shortly.

Hi Andrew. I actually installed FreePBX 13. It’s the same version/firmware version as I installed a couple of weeks ago, where it worked perfectly. Glad to hear you’ll be looking into it.

Thanks!

Here is the issue for anyone interested. https://github.com/analogic/lescript/issues/33

The issue I linked to above notes that it started failing around November 15th. The fix will come soon

Also FreePBX 15 is not even alpha.

3 Likes

For what it is worth, I wanted to add that we also have the same issue on 2 new installations (hyper-v and vultr). Deleting the _accounts folder does nothing, DNS is correct, no firewall issue. Last test was today.

How/when do we get an update for this? Must it come through the module update system? I created a new bug report (#FREEPBX-16302) because I could not find one for this issue:

The update will be through the module admin system

certman version 13.0.36.11

This module has been published and is now in the “edge” track

To enable the edge track, go to “Advanced settings” and set “Set Module Admin to Edge mode” to “Yes”

Then go to module admin and click “Check Online”. Note this will show updates for ALL modules in the edge track. Update the module(s) relevant to your issue.

Once finished go to “Advanced settings” and set “Set Module Admin to Edge mode” to “No”

You may also upgrade from the command line with "fwconsole ma --edge upgrade MODULENAME"
replacing MODULENAME with the module’s rawname which can be seen in “fwconsole ma list”

Please feel free to test and verify your issue is fixed.

This module will be pushed to the Stable repo as soon as it meets the criteria for transition.

1 Like

This is for @tm1000 - I had to start a new post because it wouldn’t let me reply more than 3 times to the current thread…

Just FYI - the fix appears to work only after deleting the “/etc/asterisk/keys/_accounts” directory.

Wanted to give you feedback so you can adjust accordingly…

And thanks for getting this fixed and posted so quickly!

[post merged with existing thread - mod]

1 Like
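
An added example, not part of any post above and not FreePBX or Let's Encrypt code: a small triage helper for the error quoted throughout this thread. It pulls the ACME problem document out of the FreePBX message and compares it with the web server's access log, so an account-key rejection is not mistaken for a firewall or DNS fault. The function names and result labels are hypothetical, and the sample inputs are constructed from the messages quoted in the thread.

```python
import json
import re

# Constructed inputs modelled on the error and access-log line quoted in this thread.
SAMPLE_ERROR = (
    "There was an error updating the certificate: HTTP Challenge for "
    "pbx.example.com is not available. Whole response: "
    '{"type":"urn:acme:error:unauthorized",'
    '"detail":"No registration exists matching provided key","status":403}'
)
SAMPLE_LOG = '"GET /.freepbx-known/7213d65753813e0e12279bb60e586cd6 HTTP/1.1" 200 32 "-" "-"'

def acme_problem(message):
    """Return the ACME problem document embedded after 'Whole response:', or None."""
    _, sep, tail = message.partition("Whole response:")
    if not sep:
        return None
    # Forum software turns straight quotes into curly ones; undo that before parsing.
    tail = tail.replace("\u201c", '"').replace("\u201d", '"').lstrip()
    try:
        problem, _ = json.JSONDecoder().raw_decode(tail)  # ignores trailing text
    except json.JSONDecodeError:
        return None
    return problem if isinstance(problem, dict) else None

def challenge_served(log_line):
    """True if the line records a 200 for a /.freepbx-known/<32-hex token> fetch."""
    m = re.search(r'"GET /\.freepbx-known/[0-9a-f]{32} HTTP/1\.[01]" (\d{3}) ', log_line)
    return bool(m) and m.group(1) == "200"

def triage(message, log_line):
    """Hypothetical classifier: separate account-key rejections from challenge failures."""
    problem = acme_problem(message)
    if problem is None:
        return "unparsed"
    kind = str(problem.get("type", "")).rsplit(":", 1)[-1]
    detail = str(problem.get("detail", "")).lower()
    if kind == "unauthorized" and "no registration exists" in detail:
        # The CA is rejecting the account key, which is a separate question from
        # whether the challenge file is reachable on port 80.
        return "account-key"
    return "other-acme-error" if challenge_served(log_line) else "challenge-not-served"

if __name__ == "__main__":
    print(triage(SAMPLE_ERROR, SAMPLE_LOG), challenge_served(SAMPLE_LOG))
```

An "account-key" result alongside a 200 in the access log matches what posters here observed: the challenge file was fetched successfully, and the fix came from the certman update plus removing the stored account directory rather than from network changes.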