Been working through this for hours; here is what I have verified.
System time matches BIOS/UEFI time
I have my PBX public IP in my DNS settings in my GoDaddy account as an A record pointing to the IP of the PBX (my PBX is on one of my public IPs, and yes, I know the risks, so please don't go off topic telling me about all the security risks; I know them already). I am just looking for help trying to get the cert to generate.
The A record I've set up is getting to the PBX, but I get an access denied error when I try to access it since I have moved HTTPS to port 80 (I feel like this has something to do with it, because I can access the PBX when I revert the port changes and put HTTP back on port 80, but then it won't let me generate the cert).
There is a firewall in front of it, but I am not blocking anything on that firewall; I am relying on the firewall built into FreePBX. So, yes, I am using the firewall module in FreePBX.
Have you done any packet captures during the process? Can you confirm that LE is sending an incoming request to you? Are outbound1.letsencrypt.org and outbound2.letsencrypt.org in the firewall?
As far as I can tell, it is sending the requests to me. I have tried it with both firewalls off, just as a test, and it still returns the same error. It seems almost identical to the issue @adekock11 was having. Even the same error he had is also in my PCAP file.
Create a file in /var/www/html/.freepbx-known/test
Run wget -O output.txt 'https://mirror1.freepbx.org/lechecker.php?host=[YOUR DNS]&path=/.freepbx-known/test&token=test&type=http' (the URL must be quoted, otherwise the shell treats the & characters as background operators and the checker never receives the full query string)
Check output.txt and you will see the error:
<br />
<b>Fatal error</b>: Uncaught Error: Class "Pest" not found in /var/www/rework/html/lechecker.php:46
Stack trace:
#0 {main}
thrown in <b>/var/www/rework/html/lechecker.php</b> on line <b>46</b><br />
This error is received directly from the script on https://mirror1.freepbx.org/lechecker.php. The Pest_Json_Decode error comes from the fact that the script should be returning JSON, but because it returns a traceback, there is a JSON decode error.
PS: That wget command just simulates what happens in the updateLE() function in FreePBX.
Hi @kgupta, thank you for your response. The traceback on mirror1.freepbx.org is no longer there. However, my initial test returns a false status.
{"status":false,"ip":"[DNS].","message":"Requested host '[DNS]' could not be resolved"}
Now, I don't want to share the [DNS] here, but when I check http://[DNS]/.freepbx-known/test with a normal browser, it works, indicating that all is correct on my end. It could be a second issue in lechecker.php, but let me do a few more tests to confirm that.
Looks like we are unable to resolve your DNS/host, and we are getting "DNS" as the hostname (as shown in the error message), so please check your system hostname settings.
Hi @kgupta, I did a few more tests. There are a few instances, all with different DNS, and they all return the same error. If there were an issue with the DNS as hostname, as you suggest, then why does it work when I visit the same URL in my browser? If the issue were on my side, I think both http://mirror1.freepbx.org and a normal browser would return the same error. Essentially, lechecker.php visits the URL the same way a normal browser would.
Hi @kgupta, the host being printed is the same as the DNS. As far as I can see, the self test succeeds and then it fails at the lechecker.php step. If I comment out the step involving lechecker.php, my certificate is issued without any issues, meaning even the LetsEncrypt server can reach the server without issues.
Maybe let’s wait and have @llbcjosh also test to confirm if he is seeing the same result. The main issue of lechecker.php has been fixed, so thank you for that.
I tried this morning and was able to get it to go through. I dug a little deeper into my firewall and found that threat prevention was blocking the requests. After I allowed them in threat prevention, it successfully completed.
But… After the cert change, my voicemail to email has stopped working? Any ideas why?
Hi, this seems to be a firewall issue, or it could be the port. Please try putting HTTP back on port 80 in FreePBX → Admin → System Admin → Port Management.
At least temporarily while you request/renew the certificate.
Make sure your firewall/router forwards external port 80 → PBX port 80.
After the certificate is successfully generated, you can:
Leave HTTP on 80 (simplest), or
Move HTTP to a different port, but then you’ll need to temporarily restore port 80 again every time the cert auto-renews.
I hope this is helpful for you.
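The thread boils down to two pre-flight conditions for the FreePBX Let's Encrypt self-test: the token file must be reachable over plain HTTP on port 80 under the public hostname, and the lechecker.php call that updateLE() makes must come back as JSON with a true status rather than a PHP traceback or a "could not be resolved" message. The script below is an added example written for this thread, not FreePBX's own code. It takes the web root, the /.freepbx-known/ path, the checker URL and the two response shapes from the posts above; the success form "status":true, the use of ss and curl on the PBX, and the script name are assumptions. The pure helpers (URL building, response classification) can be run anywhere; the live checks run only when a hostname is passed.

```shell
#!/bin/sh
# Added example for the FreePBX Let's Encrypt self-test discussed above.
# Not FreePBX code. Assumes: ss and curl are on the PBX, the checker answers
# "status":true on success, and the token file is served from /var/www/html.

CHECKER_URL="https://mirror1.freepbx.org/lechecker.php"   # from the thread
WEBROOT="/var/www/html"                                   # from the thread
CHALLENGE_DIR=".freepbx-known"                            # from the thread

# Build the checker URL for host $1 and token $2. The caller must quote the
# result: an unquoted '&' makes the shell background the command instead of
# sending the rest of the query string.
checker_url() {
    printf '%s?host=%s&path=/%s/%s&token=%s&type=http\n' \
        "$CHECKER_URL" "$1" "$CHALLENGE_DIR" "$2" "$2"
}

# Classify the body returned by lechecker.php. Prints one of:
#   ok        JSON containing "status":true   (assumed success form)
#   dns-fail  JSON containing "status":false  (e.g. "could not be resolved")
#   not-json  anything else, e.g. the HTML/PHP "Class Pest not found" traceback,
#             which is what produced the Pest_Json_Decode error in the thread
classify_response() {
    case "$1" in
        '{'*'"status":true'*)  echo ok ;;
        '{'*'"status":false'*) echo dns-fail ;;
        *)                     echo not-json ;;
    esac
}

# Pull the "message" field out of a status:false response, if present.
response_message() {
    printf '%s\n' "$1" | sed -n 's/.*"message":"\([^"]*\)".*/\1/p'
}

# Live checks; needs the real PBX and network, so only run when a host is given.
run_checks() {
    host="$1"; token="${2:-test}"
    mkdir -p "$WEBROOT/$CHALLENGE_DIR"
    printf '%s\n' "$token" > "$WEBROOT/$CHALLENGE_DIR/$token"

    # 1. Plain HTTP must be listening on tcp/80 (Admin -> System Admin -> Port Management).
    if ! ss -ltn | grep -qE ':80[[:space:]]'; then
        echo "nothing listening on tcp/80; move HTTP back to port 80 first" >&2
        return 1
    fi
    # 2. The public name must serve the token over HTTP, as the validator fetches it.
    if ! curl -fsS --max-time 10 "http://$host/$CHALLENGE_DIR/$token" | grep -qx "$token"; then
        echo "http://$host/$CHALLENGE_DIR/$token did not return the token; check the A record, port forward and firewall (including threat prevention)" >&2
        return 1
    fi
    # 3. Ask the FreePBX checker exactly as updateLE() does. No -f here: a PHP
    #    fatal error may arrive with a 500 status and we still want the body.
    body=$(curl -sS --max-time 20 "$(checker_url "$host" "$token")")
    result=$(classify_response "$body")
    echo "lechecker: $result"
    [ "$result" = dns-fail ] && echo "checker says: $(response_message "$body")" >&2
    [ "$result" = ok ]
}

# Usage (assumed script name): sh le-preflight.sh pbx.example.com
if [ "$#" -gt 0 ]; then
    run_checks "$@"
fi
```

Run it on the PBX with the same hostname you gave the certificate module. A "not-json" result means the problem is on mirror1.freepbx.org, not on your side; a "dns-fail" result with the token fetch in step 2 passing is the situation reported above, where the checker could not resolve a name that a browser could.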