Error when updating LetsEncrypt cert

Hi @Bradbpw
You don’t need to disable the PBX Firewall. You just need to check some steps and allow ports from the PBX Firewall.
1- Admin --> System Admin --> Port Management --> LE Port change Enable it to 80 --> PBX GUI Port HTTP(S) Enable HTTP-8080 and HTTPS-443
2- Connectivity --> Firewall --> Services --> Extra Services --> Let’s Encrypt Select --> Internet / Local and Other --> Save and Apply
3- Follow @jerrm steps.



I updated but it did not solve the problem.

[[email protected] ~]# fwconsole ma upgrade certman firewall --edge
Edge repository temporarily enabled
No repos specified, using: [standard,extended,commercial,unsupported] from last GUI settings

certman is the same as the online version, unable to upgrade
Downloading module ‘firewall’
Processing firewall
349477/349477 [============================] 100%
Finished downloading
Download completed in 1 seconds
Generating CSS…Done
Module firewall version successfully installed
Updating Hooks…Done
Updating Hooks…Done
Resetting temporarily repository state

I just disabled the firewall to troubleshoot.

  • I have port 80 open for LE in port management
  • in the firewall services I have Internet/Local/Other enabled under LE

I’m still getting the same error.

Hi @Bradbpw
Pls try to check your FQDN name from the WAN leg. You must see your Router Public IP address.


Then you need to redirect Port 80 (Port Forward or NAT) from Router Firewall --> To --> PBX Internal IP
I think your Router Firewall is going to block LE IP addresses ( and )



Here is the output. I do not see my router’s public IP address.

[[email protected] ~]# dig

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.6 <<>>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 21629
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 4096
; IN A

com. 899 IN SOA 1602515032 1800 900 604800 86400

;; Query time: 72 msec
;; WHEN: Mon Oct 12 10:04:13 CDT 2020
;; MSG SIZE rcvd: 115

I have port 80 forwarded in my router to my PBX

I tried disabling my router firewall altogether and still received the same error.

May I ask your PBX or LE FQDN name pls?

@Bradbpw pls check just in case below wiki page.

I just realized that I was supposed to put my FQDN in the “dig” command. Duh. When I do that I can see my router public IP address. I’d rather not post my FQDN on a public forum if I can avoid it.

I have LE and Sangoma mirror services in my PBX firewall as "trusted (excluded from firewall)".

When I use an open port check tool it shows that my port 80 is closed. But it also shows that port 921 is closed, and that’s my admin/GUI port and it’s definitely open. This has also been working fine for me for several years; I can’t recall that anything has changed in my network setup.

No problem, I think now you should ENABLE the FreePBX Firewall and make some changes to it.
1st - PBX Firewall check on the list

2nd - Check On Firewall → Services → Lets Encrypt Enable

What is forwarded and allowed through the gateway router?

LetsEncrypt queries can now come from anywhere on the internet. Specifying just the two “outbound” servers is no longer adequate.

The router needs to forward port 80 for the entire internet.

I changed the firewall settings so the mirrors were “Local (Local Trusted Traffic)”. These were previously “trusted (excluded from firewall)”

I also updated my firewall services to what you showed.

I’m still getting the same error

My ISP is Mediacom. The signal comes in through a Technicolor docsis 3.1 gateway, that firewall is turned off. It then goes to my Asus RT-AC1750_B1 router, I have port 80 forwarded on the router to my PBX. It should forward all TCP traffic.

These entries are pointless now. Access to the entire web is required.

Is the LetsEncrypt service enabled under SysAdmin? Post the output of:

fwconsole sa ports

Pls check my screenshot which one @jerrm mentioned before.
Also pls check that your PBX Hostname is the same as the FQDN name. If not, Let’s Encrypt doesn’t work. First you need to fix your PBX Hostname.




I do have 80 open for LE

[[email protected] ~]# fwconsole sa ports
| Port | Name |
| 88 | restapps |
| 96 | restapi |
| 81 | ucp |
| 921 | acp |
| 84 | hpro |
| 80 | leport |
| disabled | sslrestapps |
| disabled | sslrestapi |
| 4443 | sslucp |
| 443 | sslacp |
| 1443 | sslhpro |

I did not have my hostname in System Admin > Hostname set the same as my LE cert. But I changed it to match the LE cert, rebooted the PBX and I’m still getting the error.

It does look like I’m having some issue with port 80.

[[email protected] ~]# dig

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.6 <<>>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56446
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 4096
; IN A


;; Query time: 0 msec
;; WHEN: Mon Oct 12 13:15:24 CDT 2020
;; MSG SIZE rcvd: 69

[[email protected] ~]# telnet 80
Trying ::1…
telnet: connect to address ::1: Connection refused
Connected to
Escape character is ‘^]’.
Connection closed by foreign host.
[[email protected] ~]#
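The checks done by hand in this thread (the fwconsole sa ports table, dig for the FQDN, the PBX hostname matching the cert FQDN, and a connection to port 80) scripted as a pre-flight test, as an added example that is not from this thread or from the FreePBX project. The FQDN and public IP it takes on the command line are placeholders you replace with your own, and it assumes dig, curl and fwconsole are on the PBX (all three were used or mentioned above):

```shell
#!/bin/sh
# Added example (not from this thread or from FreePBX): pre-flight checks
# for a Let's Encrypt HTTP-01 renewal on a FreePBX box.
# Usage: sh le_preflight.sh pbx.example.com 203.0.113.10
# Both arguments are placeholders: your cert FQDN and the public IP (your
# router's WAN address) that the FQDN is supposed to resolve to.

# Pull the Let's Encrypt port out of the `fwconsole sa ports` table (stdin).
# Prints the port number, "disabled", or nothing if there is no leport row.
leport_from_table() {
    awk -F'|' '
        {
            gsub(/^[ \t]+|[ \t]+$/, "", $2)
            gsub(/^[ \t]+|[ \t]+$/, "", $3)
        }
        $3 == "leport" { print $2; exit }
    '
}

# HTTP-01 only works on port 80, because the ACME server always connects there.
leport_ok() {
    [ "$1" = "80" ]
}

# Resolve the FQDN to its first IPv4 address; empty output means no A record.
resolve_a() {
    dig +short A "$1" | grep -E '^[0-9]+(\.[0-9]+){3}$' | head -n 1
}

# 0 when the resolved address equals the expected public address.
addr_matches() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Hostname check from the thread: the PBX hostname must equal the cert FQDN.
hostname_matches() {
    [ "$(hostname -f 2>/dev/null)" = "$1" ]
}

# Reachability probe: any HTTP status (even a 404) proves something answered
# on port 80; curl reports "000" when the connect was refused or timed out.
http01_probe() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 10 \
        "http://$1/.well-known/acme-challenge/connectivity-probe" 2>/dev/null
}

run_checks() {
    fqdn=$1; expected_ip=$2; rc=0

    port=$(fwconsole sa ports | leport_from_table)
    if leport_ok "$port"; then echo "ok   leport is 80"
    else echo "FAIL leport is '${port:-unset}', must be 80"; rc=1; fi

    ip=$(resolve_a "$fqdn")
    if addr_matches "$ip" "$expected_ip"; then echo "ok   $fqdn -> $ip"
    else echo "FAIL $fqdn resolves to '${ip:-nothing}', expected $expected_ip"; rc=1; fi

    if hostname_matches "$fqdn"; then echo "ok   hostname matches FQDN"
    else echo "FAIL hostname '$(hostname -f 2>/dev/null)' != $fqdn"; rc=1; fi

    code=$(http01_probe "$fqdn")
    if [ "$code" = "000" ]; then echo "FAIL nothing answered on http://$fqdn:80"; rc=1
    else echo "ok   http://$fqdn:80 answered (HTTP $code)"; fi
    return $rc
}

# Live checks run only when both arguments are given, so the functions above
# can also be sourced and exercised on their own.
if [ $# -eq 2 ]; then
    run_checks "$1" "$2"
fi
```

Run it from the PBX shell before touching the cert. A pass on the last check from inside the LAN depends on the router hairpinning its own public address, so repeat the port-80 probe from a host outside the network as well; a wrong forward target on the router, like the one found at the end of this thread, shows up there as a refused or timed-out connection even though the DNS and hostname checks pass. The script deliberately never calls fwconsole certificates itself, since repeated forced renewals count against the Let's Encrypt rate limits.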

Welp! I’m an idiot! I “fat fingered” the PBX IP address in my router when I forwarded port 80. I entered It should have been That fixed it.

I really appreciate all the help you guys gave me!

Be sure to close all the cracks opened up in testing for admin and letsencrypt…

Assuming you are using the latest edge versions of certman and firewall, NOTHING needs to be enabled on the services page for LetsEncrypt. The pinhole will be automatically opened up during an update request and closed when it completes.


Thanks! Just to confirm, can I delete all 4 of these entries?


To test cert updates after tightening things down, run:

fwconsole certificates --updateall --force

If you successfully run the command too many times (4+) the LetsEncrypt server rate limits will temporarily block the cert renewal, but the error message makes it clear what’s happening. It’s mostly harmless: the existing certs continue to work and you can still request certs for new fqdns.

Thanks! I made the changes and confirmed everything still works.


Well Done @Bradbpw :slight_smile:

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.