Cannot issue Let's encrypt certificate


(Lucas Ryan) #33

Hi Andrew. I actually installed FreePBX 13. It’s the same version/firmware version as I installed a couple of weeks ago, where it worked perfectly. Glad to hear you’ll be looking into it.

Thanks!


(Andrew Nagy) #35

Here is the issue for anyone interested. https://github.com/analogic/lescript/issues/33


(Andrew Nagy) #37

The issue I linked to above notes that it started failing around November 15th. The fix will come soon.

Also FreePBX 15 is not even alpha.


(Martijn de Jong) #38

For what it is worth, I wanted to add that we also have the same issue on 2 new installations (Hyper-V and Vultr). Deleting the _accounts folder does nothing, DNS is correct, no firewall issue. Last test was today.

How/when do we get an update for this? Must it come through the module update system? I created a new bug report (#FREEPBX-16302) because I could not find one for this issue:


(Andrew Nagy) #39

The update will be through the module admin system.


(Andrew Nagy) #40

certman version 13.0.36.11

This module has been published and is now in the “edge” track.

To enable the edge track, go to “Advanced settings” and set “Set Module Admin to Edge mode” to “Yes”.

Then go to module admin and click “Check Online”. Note this will show updates for ALL modules in the edge track. Update the module(s) relevant to your issue.

Once finished, go to “Advanced settings” and set “Set Module Admin to Edge mode” to “No”.

You may also upgrade from the command line with "fwconsole ma --edge upgrade MODULENAME",
replacing MODULENAME with the module’s rawname, which can be seen in “fwconsole ma list”.

Please feel free to test and verify your issue is fixed.

This module will be pushed to the Stable repo as soon as it meets the criteria for transition.


Let's encrypt error: No registration exists matching provided key
(Asterisk Administrator) #41

This is for @tm1000 - I had to start a new post because it wouldn’t let me reply more than 3 times to the current thread…

Just FYI - the fix appears to work only after deleting the “/etc/asterisk/keys/_accounts” directory.

Wanted to give you feedback so you can adjust accordingly…

And thanks for getting this fixed and posted so quickly!

[post merged with existing thread - mod]


(Lucas Ryan) #42

@tm1000 I can confirm the same. This edge module works, but you are required to delete the “/etc/asterisk/keys/_accounts” directory as mentioned by @WiringSolutions.

Thanks so much for this quick fix. Greatly appreciated!


#43

Confirmed fix as well. Thanks.


(Martijn de Jong) #44

Installed Certificate Manager version 13.0.36.11 from edge. It did not resolve the issue, but after deleting the directory “/etc/asterisk/keys/_account/” and resubmitting the request it went through. Issue solved!

Thanks for fixing this!


#45

Good to know.
I had the same issue today on freshly installed SNG7 systems!


#46

Thanks Alex. Deleting /etc/asterisk/keys/_account fixed the issue.


(Jose Muanes Pinto) #47

I have a FreePBX 13 with CentOS 6.9, and I got the Let’s Encrypt certificate, since I have my cloud server with my domain - hddlab.com.br - OK. After I got the certificate (using SSH) I received a message that the certificate was OK and that I could get into my FreePBX using https://hddlab.com.br, but this was not possible because Firefox gave a message that I was not able to get in because of the certificate. I added an exception and then I could get into my FreePBX. So in the Administrator module I chose the Certificate Manager and I tried to get my Let’s Encrypt certificate (I already made the upgrade of Certman to the latest version) and I was not able to generate it. I’m receiving this message: “There was an error updating the certificate: Error ‘Requested ‘http://hddlab.com.br//.freepbx-known/b890a9e909c19e36b4b4c410e0d371d7’ - couldn’t connect to host’ when requesting http://hddlab.com.br//.freepbx-known/b890a9e909c19e36b4b4c410e0d371d7”

I already tried to get help at the Certbot community but they say that they do not know how to fix this. They also asked me to come here and try to get help because they have already had this problem with other users.

Thank you very much for your time and attention.

Could someone here give me some help?


(Andrew Nagy) #48

You need to allow access from your host on port 80 to the Let’s Encrypt servers. I have tried to connect to your host right now with no luck.


(Jose Muanes Pinto) #49

Hi tm1000,
First of all thank you very much for your answer.
OK, you can only get into hddlab.com.br if I get the IP that you are using and free it in my iptables; until then there is no chance to get in. Sorry, but I can free your IP, there is no problem.
Second, I was only able to get the certificate using the SSH process after I made a virtual port 80. This is OK, and as I said before I have the certificate, as you can see here: https://crt.sh/?id=325545522.
I talked at the Certbot community with Brad Warren and Seth Schoen for 4 days, trying to solve some other problems, including the virtual port 80, which I solved using a tutorial from Digital Ocean.
They said (at the Certbot community) this: “.well-known” não é invenção nossa. É um padrão estabelecido pelo RFC 5785 para criar recursos com significados especiais nos servidores web. The message is in Portuguese because Seth can write and read Portuguese and I’m Brazilian.
The message says: “well-known” is not our invention (Certbot-EFF). It is a standard, set out in RFC 5785, for creating resources with special meanings on web servers.
So I have the certificate but at the same time I don’t, since I cannot use it with FreePBX.

PS: Seth Schoen is a Certbot EFF engineer and he wrote this for me: “I’m curious about the solution because other users here have asked about the same thing, but I do not have much relevant knowledge to try to solve it.”


(Andrew Nagy) #50

I understand that, but you’d have to also open up access for the Let’s Encrypt servers as well.

There is no SSH process that works with FreePBX. If you generated the certificate through SSH, that is outside the scope of FreePBX. You’d need to upload those certificates into FreePBX.


(Jose Muanes Pinto) #51

@tm1000 Thanks again.
OK, I understand what you say.
To learn a little more, can you tell me how I can import the certificate into the FreePBX GUI? I already made it the way the Let’s Encrypt site shows, and you know that they have instructions for us to use with SSH, not the GUI.


(Andrew Nagy) #52

https://wiki.freepbx.org/display/FPG/Certificate+Management+User+Guide#CertificateManagementUserGuide-UploadCertificate


(Jose Muanes Pinto) #53

Hi tm1000,
Thank you very much for your attention, time and help.
I will try it.
Regards


#54

Yes, this is old, but it still seems to be an issue.

Now using Certificate Manager 13.0.39, I am getting the same error.
I also tried removing the /etc/asterisk/keys/_account folder.

In addition, another recent thread was opened on this: