Failure in creating Let's Encrypt certificate

Hello all,

I have an error when trying to generate a Let’s Encrypt certificate:

LetsEncrypt Generation Failure

**Please check http://xxx.xxx.org/.well-known/acme-challenge/prEcn7xS6WPnyuyzrMz1MVsadXZ5l-m1JWFfdBz3ooI - token not available**

* The LetsEncrypt servers only send challenge queries to port 80. Certificate requests will fail if public access via port 80 is not available.

Processing: xxx.xxx.org, Local IP: xx.xx.xx.xx, Public IP: (same as local ip)
Self test: trying http://xxx.xxx.org/.freepbx-known/5c4b5db3d9f55552a29a80cd5cc8b980
Self test: received

Port 80 is forwarded correctly as I’m able to reach my FPBX WebGUI from the Internet. Below this message is some text version of my main ISP router login web page. Why aren’t certificate generating servers able to reach that link?

Thank you

Is that freepbx generated? I don't let freepbx destroy my ssl stuff, and do it outside (since the UCP has its own virtual host here), but above, the two wanted paths are completely different. If you are doing this outside of freepbx, fix it up, or if you can, use the DNS method.

If you’re generating this inside freepbx, ignore me and wait for someone whos more familiar with that method.


or, if you want to use an acme client that does DNS-01 or any other method you prefer, put the key and cert in /etc/asterisk/keys (as .crt and .key) and, either manually or using the gooey or fwconsole, 'import' and 'set default' them, which satisfies FreePBX and its 'integrations' nicely; most modern acme clients have 'hooks' to do that automatically

I’m just using the option to generate a Let’s Encrypt certificate from the FPBX Certificate Management module. So far as I understand it, the certificate is issued by Let’s Encrypt but fails when their servers are trying to validate my domain (ddns based) for whatever reason.

I’ve been using your idea regarding acme from here and was eventually able to get my head around it and issue the certificates (--server zerossl --dns dns_dynu).


But can’t actually use them with FPBX because the install command doesn’t work:

acme.sh -i --cert-file /etc/asterisk/keys/yourdomain.com.crt --key-file /etc/asterisk/keys/yourdomain.com.key --fullchain-file /etc/asterisk/keys/yourdomain.com.pem --reloadcmd "fwconsole cert --updateall;fwconsole reload; systemctl reload apache2" -d yourdomain.com

verify it got put there and is the only *.crt/*.key there and is the default one

ls -la /etc/asterisk/keys/*
fwconsole cert --list

there is only the FPBX-generated default certificate there as the command to install the certificates didn’t work:

Do I need to run this command as root? My created certificate is *.cer format.

Thanks!

…/.acme.sh/mydomain.com/mydomain.com.conf

should reflect the paths and a base64 version of the reload command; you can best modify it by running


acme.sh --install-cert

with the paths and --reloadcmd, which must be double quoted. I use

--reloadcmd "fwconsole certificate --import; fwconsole certificate --default=mydomain.com; systemctl reload mywebserver"

As to root, this from the horse's mouth:

The acme.sh installation (primarily its config directory) is relative to the current user’s home directory. It is important to run all acme.sh commands (including the cronjob) as the same user. It’s generally easiest to run acme.sh (always) as root, but running as non-root also works, if configured appropriately.

the paths in conf file look ok

unable to run the command due to lack of rights

Then I suggest you reinstall acme.sh as root as the horse (Neil Pang) suggests. Then acme.sh --issue . . . . . , acme.sh --install-cert. There should be a cronjob running every 60 days that makes the whole process transparent and automatic if you can use one of the over 150 --dns (provider) APIs, although you can use --standalone if nothing else is listening on tcp:80, at the cost of not being able to rewrite http://mydomain.com to https://mydomain.com


Will try this next

Running as root solved the problem of missing rights; everything included in the command appears to be installed at the right path. However, it now seems that FreePBX still only sees the default certificate. Both fwconsole certificates --import and Cert Management > Import Locally throw the error: “Key is empty”. Have I missed something when requesting the certificates to be generated?

the certificate must be /etc/asterisk/keys/yourdomain.com.crt , the key file /etc/asterisk/keys/yourdomain.com.key

After they are installed you will need a one-time fwconsole cert import (fwconsole cert --help)
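A quick pre-import check for the install-cert step and the "Key is empty" failure discussed above, as an added example that is not from this thread, from acme.sh or from FreePBX. It assumes openssl is on PATH and takes the cert/key base name (e.g. /etc/asterisk/keys/yourdomain.com) as its only argument; the directory and file naming follow the thread, everything else is the example's own.

```bash
#!/bin/sh
# Added example (not from the thread, acme.sh or FreePBX): sanity-check an
# installed certificate/key pair before running `fwconsole certificate --import`.
# Assumes openssl is on PATH.

# check_keypair BASENAME
# Returns 0 if BASENAME.crt and BASENAME.key exist, are non-empty, parse as PEM,
# and belong to the same key pair; prints the reason and returns 1 otherwise.
check_keypair() {
    crt="$1.crt"
    key="$1.key"

    # An empty or missing key file is what FreePBX reports as "Key is empty".
    for f in "$crt" "$key"; do
        if [ ! -s "$f" ]; then
            echo "missing or empty: $f"
            return 1
        fi
    done

    # Both files must be PEM (acme.sh writes PEM; a .cer renamed to .crt is still PEM).
    if ! openssl x509 -in "$crt" -noout >/dev/null 2>&1; then
        echo "not a PEM certificate: $crt"
        return 1
    fi
    if ! openssl pkey -in "$key" -noout >/dev/null 2>&1; then
        echo "not a PEM private key: $key"
        return 1
    fi

    # Compare the public key embedded in the certificate with the one derived
    # from the private key; a mismatch means the wrong key was installed.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null \
              | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
    if [ "$crt_pub" != "$key_pub" ]; then
        echo "certificate and key do not match: $crt / $key"
        return 1
    fi

    # Warn (without failing) if the cert expires within 30 days, the window in
    # which acme.sh's renewal would normally have replaced it.
    if ! openssl x509 -in "$crt" -noout -checkend $((30 * 24 * 3600)) >/dev/null 2>&1; then
        echo "warning: $crt expires within 30 days"
    fi

    echo "ok: $crt matches $key"
    return 0
}

# Usage: sh check_keypair.sh /etc/asterisk/keys/yourdomain.com
[ $# -eq 0 ] || check_keypair "$1"
```

Run it after `acme.sh --install-cert` and before the one-time `fwconsole certificate --import`; a mismatch or empty-key report means the --cert-file/--key-file paths given to acme.sh do not point at the pair FreePBX will read.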

Re-issued the certificates and had no more problems with keyfile. How do you create your certificates to get *.crt extension? Had to rename the *.cer to *.crt after installing them into /etc/asterisk/keys and only after that was it successfully imported by FreePBX.
With the risk of asking an extremely basic question, do I need to update any of the fields below?

the key and cert etc. are generated in .acme.sh/yourdomain.com/
so
--install-cert . . . --cert-file /etc/asterisk/keys/yourdomain.com.crt --key-file /etc/asterisk/keys/yourdomain.com.key . . .
would work as would the more confusing for some
--install-cert . . . --cert-file /etc/asterisk/keys/default.crt --key-file /etc/asterisk/keys/default.key . . .

Thanks! Didn’t pay attention before…
What ports do I need to open for the certificate renewal to be successful?

If you use DNS-01 then no ports need to be opened. Who provides your current name service? If it is in .acme.sh/dnsapi/* then you should be using it for any number of reasons; if not, consider moving to cloudflare, which can be free


I’m using dynu. So far it’s been working fine.

And adding to .acme.sh/acme.sh.env

export Dynu_ClientId="your dynuclientid"
export Dynu_Secret="your dynusecret"

and adding --dns dns_dynu to calls to acme.sh

correct ?

yup, already done it but I’ve placed Dynu_ClientId and Dynu_Secret into .acme.sh/account.conf. Cert creation was ok.