You don’t need to Disable PBX Firewall. Just you need to check some steps and allow ports from PBX Firewall.
1- Admin --> System Admin --> Port Management --> LE Port change Enable it to 80 --> PBX GUI Port HTTP(S) Enable HTTP-8080 and HTTPS-443
2- Connectivity --> Firewall --> Services --> Extra Services --> Let’s Encrypt Select --> Internet / Local and Other --> Save and Apply
3- Follow @jerrm steps.
[root@freepbx ~]# fwconsole ma upgrade certman firewall --edge
Edge repository temporarily enabled
No repos specified, using: [standard,extended,commercial,unsupported] from last GUI settings
certman is the same as the online version, unable to upgrade
Downloading module ‘firewall’
349477/349477 [============================] 100%
Download completed in 1 seconds
Module firewall version 126.96.36.199 successfully installed
Resetting temporarily repository state
I just disable the firewall to troubleshoot.
I have port 80 open for LE in port management
in the firewall services I have Internet/Local/Other enabled under LE
I just realized that I was supposed to put my FQDN in the “dig fqdn_name.com” command. Duh. When I do that I can see my router public IP address. I’d rather not post my FQDN on a public forum if I can avoid it.
I have LE and Sangoma mirror services in my PBX firewall as "trusted (excluded from firewall).
When I use an open port check tool it shows that my port 80 is closed. But it also shows that port 921 is closed and that’s my admin/GUI port and it’s definitely open. This has also been working fine for me for several years, I can’t recall that anything has changed in my network setup.
My ISP is Mediacom. The signal comes in through a Technicolor docsis 3.1 gateway, that firewall is turned off. It then goes to my Asus RT-AC1750_B1 router, I have port 80 forwarded on the router to my PBX. It should forward all TCP traffic.
Pls check my screenshot which one @jerrm mentioned before.
Also pls check your PBX Hostname must be the same as a FQDN name. If not Let’s Encrypt doesn’t works. First you need to fix your PBX Hostname.
Be sure to close all the cracks opened up in testing for admin and letsencrypt…
Assuming you are using the latest edge versions of certman and firewall, NOTHING needs to be enabled on the services page for LetsEncrypt. The pinhole will be automatically opened up during an update request and closed when it completes.
To test cert updates after tightening things down, run:
fwconsole certificates --updateall --force
If you successfully run the command too many times(4+) the LetsEncrypt server rate limits will temporarily block the cert renewal, but the error message makes it clear what’s happening. It’s mostly harmless, the existing certs continue to work and you can still request certs for new fqdns.