I have an error when trying to generate a Let’s Encrypt certificate:
LetsEncrypt Generation Failure
**Please check http://xxx.xxx.org/.well-known/acme-challenge/prEcn7xS6WPnyuyzrMz1MVsadXZ5l-m1JWFfdBz3ooI - token not available**
* The LetsEncrypt servers only send challenge queries to port 80. Certificate requests will fail if public access via port 80 is not available.
Processing: xxx.xxx.org, Local IP: xx.xx.xx.xx, Public IP: (same as local ip)
Self test: trying http://xxx.xxx.org/.freepbx-known/5c4b5db3d9f55552a29a80cd5cc8b980
Self test: received
Port 80 is forwarded correctly as I’m able to reach my FPBX WebGUI from the Internet. Below this message is a text version of my main ISP router login web page. Why aren’t the certificate-generating servers able to reach that link?
Is that FreePBX generated? I don’t let FreePBX destroy my SSL stuff, and do it outside (since the UCP has its own virtual host here). But above, the two wanted paths are completely different; if you are doing this outside of FreePBX, fix it up, or if you can, use the DNS method.
If you’re generating this inside FreePBX, ignore me and wait for someone who’s more familiar with that method.
Or, if you want to use an acme client that does DNS-01 or any other method you prefer, put the key and cert in /etc/asterisk/key (as .crt and .key) and, either manually or using the GUI or fwconsole, ‘import’ and ‘set default’ them, which satisfies FreePBX and its ‘integrations’ nicely. Most modern acme clients have ‘hooks’ to do that automatically.
I’m just using the option to generate a Let’s Encrypt certificate from the FPBX Certificate Management module. So far as I understand it, the certificate is issued by Let’s Encrypt but fails when their servers are trying to validate my domain (DDNS based) for whatever reason.
I’ve been using your idea regarding acme from here and was eventually able to get my head around it and issue the certificates (--server zerossl, --dns dns_dynu).
The acme.sh installation (primarily its config directory) is relative to the current user’s home directory. It is important to run all acme.sh commands (including the cronjob) as the same user. It’s generally easiest to run acme.sh (always) as root, but running as non-root also works, if configured appropriately.
Then I suggest you reinstall acme.sh as root as the horse (Neil Pang) suggests. Then acme.sh --issue . . . . ., acme.sh --install-cert. There should be a cron job running every 60 days that makes the whole process transparent and automatic if you can use one of the over 150 --dns (provider) APIs, although you can use --standalone if nothing else is listening on tcp:80, at the cost of not being able to rewrite http://mydomain.com to https://mydomain.com.
Running as root solved the problem of missing rights; everything included in the command appears to be installed at the right path. However, it now seems that FreePBX still only sees the default certificate. Both fwconsole certificates --import and Cert Management > Import Locally commands throw the error: “Key is empty”. Have I missed something when requesting the certificates to be generated?
Re-issued the certificates and had no more problems with the key file. How do you create your certificates to get the *.crt extension? Had to rename the *.cer to *.crt after installing them into /etc/asterisk/keys, and only after that was it successfully imported by FreePBX.
With the risk of asking an extremely basic question, do I need to update any of the fields below?
The key and cert etc. are generated in .acme.sh/yourdomain.com/
so --install-cert . . . --cert-file /etc/asterisk/keys/yourdomain.com.crt --key-file /etc/asterisk/keys/yourdomain.com.key . . .
would work, as would the (more confusing for some) --install-cert . . . --cert-file /etc/asterisk/keys/default.crt --key-file /etc/asterisk/keys/default.key . . .
If you use DNS-01 then no ports need to be opened. Who provides your current name service? If it is in .acme.sh/dnsapi/* then you should be using it for any number of reasons; if not, consider moving to Cloudflare, which can be free.
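Pulling the acme.sh advice in this thread together, here is an added example (not code from the thread, acme.sh or FreePBX) that builds the DNS-01 issue and --install-cert commands with the .crt/.key names FreePBX expects under /etc/asterisk/keys, and pre-checks the pair for the two failures reported above (an empty key file, and a .cer that was never renamed to .crt) before `fwconsole certificates --import`. The domain pbx.example.org and the dns_dynu API name are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the thread or from acme.sh/FreePBX. Wraps the steps
# discussed above: acme.sh DNS-01 issuance, --install-cert into FreePBX's key
# directory with .crt/.key names, and a pre-flight check for the "Key is empty"
# and ".cer instead of .crt" problems before running the fwconsole import.
set -u

KEYDIR="${KEYDIR:-/etc/asterisk/keys}"   # where FreePBX looks for .crt/.key

# Compose (do not run) the issue command; --dns <api> means port 80 can stay closed.
issue_cmd() {
  printf 'acme.sh --issue --server %s --dns %s -d %s\n' "$2" "$3" "$1"
}

# Compose the install command. acme.sh writes <domain>.cer by default and FreePBX
# only imports .crt/.key, so the target names are given explicitly; --reloadcmd
# re-imports the pair every time the acme.sh cron job renews it.
install_cmd() {
  printf 'acme.sh --install-cert -d %s --cert-file %s/%s.crt --key-file %s/%s.key --fullchain-file %s/%s-fullchain.crt --reloadcmd "fwconsole certificates --import"\n' \
    "$1" "$KEYDIR" "$1" "$KEYDIR" "$1" "$KEYDIR" "$1"
}

# Verify the pair FreePBX will read: both files present, non-empty and
# PEM-framed, and no unrenamed .cer standing in for the .crt. Returns 1 and
# names the problem on failure, 0 when the import should succeed.
check_keypair() {
  dir="$1"; name="$2"
  crt="$dir/$name.crt"; key="$dir/$name.key"
  if [ -e "$dir/$name.cer" ] && [ ! -e "$crt" ]; then
    echo "found $name.cer but no $name.crt: rename it or pass --cert-file"; return 1
  fi
  [ -s "$crt" ] || { echo "certificate missing or empty: $crt"; return 1; }
  [ -s "$key" ] || { echo "key missing or empty: $key"; return 1; }
  grep -q 'BEGIN CERTIFICATE' "$crt" || { echo "not a PEM certificate: $crt"; return 1; }
  grep -q 'PRIVATE KEY-----' "$key" || { echo "not a PEM private key: $key"; return 1; }
  echo "ok: $crt and $key look importable"
  return 0
}

# Usage: sh pbx-cert.sh pbx.example.org dns_dynu   (constructed example values)
if [ "$#" -ge 2 ]; then
  issue_cmd "$1" letsencrypt "$2"
  install_cmd "$1"
  check_keypair "$KEYDIR" "$1"
fi
```

Run the printed acme.sh commands as the same user (root, per the advice above) that owns the cron job, then run `fwconsole certificates --import` once the check passes.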