I’m receiving this error when trying to update my LetsEncrypt certificate:
There was an error updating the certificate: Operation timed out after 30001 milliseconds with 0 out of -1 bytes received
I have port 80 forwarded to my PBX in my router. I also disabled my router firewall and my PBX firewall to troubleshoot. Neither solved the problem. Has anyone else run into this?
Hi @Bradbpw
You don’t need to disable the PBX Firewall. You just need to check some steps and allow ports in the PBX Firewall.
1- Admin --> System Admin --> Port Management --> LE Port change Enable it to 80 --> PBX GUI Port HTTP(S) Enable HTTP-8080 and HTTPS-443
2- Connectivity --> Firewall --> Services --> Extra Services --> Let’s Encrypt Select --> Internet / Local and Other --> Save and Apply
3- Follow @jerrm steps.
[root@freepbx ~]# fwconsole ma upgrade certman firewall --edge
Edge repository temporarily enabled
No repos specified, using: [standard,extended,commercial,unsupported] from last GUI settings
certman is the same as the online version, unable to upgrade
Downloading module ‘firewall’
Processing firewall
Downloading…
349477/349477 [============================] 100%
Finished downloading
Extracting…Done
Download completed in 1 seconds
Generating CSS…Done
Module firewall version 13.0.60.15 successfully installed
Updating Hooks…Done
Updating Hooks…Done
Resetting temporarily repository state
I just disabled the firewall to troubleshoot.
I have port 80 open for LE in port management.
In the firewall services I have Internet/Local/Other enabled under LE.
Hi @Bradbpw
Please try to check your FQDN name from the WAN leg. You must see your router's public IP address.
dig fqdn_name.com
Then you need to redirect port 80 (port forward or NAT) from Router Firewall → To → PBX Internal IP
I think your router firewall is going to block LE IP addresses (outbound1.letsencrypt.org and outbound1.letsencrypt.org)
I just realized that I was supposed to put my FQDN in the “dig fqdn_name.com” command. Duh. When I do that I can see my router public IP address. I’d rather not post my FQDN on a public forum if I can avoid it.
I have LE and Sangoma mirror services in my PBX firewall as "trusted (excluded from firewall)".
When I use an open port check tool it shows that my port 80 is closed. But it also shows that port 921 is closed and that’s my admin/GUI port and it’s definitely open. This has also been working fine for me for several years, I can’t recall that anything has changed in my network setup.
My ISP is Mediacom. The signal comes in through a Technicolor docsis 3.1 gateway, that firewall is turned off. It then goes to my Asus RT-AC1750_B1 router, I have port 80 forwarded on the router to my PBX. It should forward all TCP traffic.
@Bradbpw
Please check my screenshot, the one @jerrm mentioned before.
Also, please check your PBX hostname; it must be the same as the FQDN name. If not, Let’s Encrypt doesn’t work. First you need to fix your PBX hostname.
I did not have my hostname in System Admin > Hostname set the same as my LE cert. But I changed it to match the LE cert, rebooted the PBX and I’m still getting the error.
It does look like I’m having some issue with port 80.
Welp! I’m an idiot! I “fat fingered” the PBX IP address in my router when I forwarded port 80. I entered 192.138.x.xxx. It should have been 192.168.x.xxx. That fixed it.
I really appreciate all the help you guys gave me!
Be sure to close all the cracks opened up in testing for admin and letsencrypt…
Assuming you are using the latest edge versions of certman and firewall, NOTHING needs to be enabled on the services page for LetsEncrypt. The pinhole will be automatically opened up during an update request and closed when it completes.
To test cert updates after tightening things down, run:
fwconsole certificates --updateall --force
If you successfully run the command too many times (4+), the LetsEncrypt server rate limits will temporarily block the cert renewal, but the error message makes it clear what’s happening. It’s mostly harmless: the existing certs continue to work and you can still request certs for new FQDNs.
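The root cause in this thread was a port-forward target typed as 192.138.x.xxx instead of 192.168.x.xxx, which is a public address outside the LAN. As an added example (not posted by anyone in the thread and not FreePBX code), this Python sketch checks forward targets against the LAN subnet; the rule format, function names, subnet and host addresses are constructed assumptions.

```python
import ipaddress

# RFC 1918 private ranges; a LAN-side forward target should sit in one of them.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def check_forward_target(target, lan_cidr, router_ip):
    """Return a list of problems with one port-forward target (empty = looks sane)."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        return [f"{target!r} is not a valid IP address"]
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    problems = []
    if not any(addr in net for net in RFC1918):
        problems.append(f"{addr} is not an RFC 1918 private address")
    if addr not in lan:
        problems.append(f"{addr} is outside the LAN subnet {lan}")
    elif addr in (lan.network_address, lan.broadcast_address):
        problems.append(f"{addr} is the network or broadcast address of {lan}")
    elif addr == ipaddress.ip_address(router_ip):
        problems.append(f"{addr} is the router itself, not the PBX")
    return problems

def audit_forwards(rules, lan_cidr, router_ip):
    """Map rule name -> problems, only for rules whose target fails a check."""
    findings = {}
    for rule in rules:
        problems = check_forward_target(rule["target"], lan_cidr, router_ip)
        if problems:
            findings[rule["name"]] = problems
    return findings

# Constructed sample rules (hypothetical addresses): the port 80 rule carries
# the same 192.138 vs 192.168 typo described in the thread.
SAMPLE_RULES = [
    {"name": "LetsEncrypt HTTP", "ext_port": 80, "target": "192.138.1.50"},
    {"name": "PBX admin GUI", "ext_port": 921, "target": "192.168.1.50"},
]

if __name__ == "__main__":
    found = audit_forwards(SAMPLE_RULES, "192.168.1.0/24", "192.168.1.1")
    for name, problems in found.items():
        for problem in problems:
            print(f"{name}: {problem}")
```

A forward that passes these checks can still point at the wrong host, so confirm the target against the PBX's actual address as well.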