FreePBX 17 Responsive FW keeping LetsEncrypt port 80 open

I am using Let’s Encrypt for a FreePBX cert. FreePBX’s LE Responsive Rules are enabled. My understanding is that port 80 will be opened only during a cert renewal period.

However, more than 12 hours after a successful cert renewal, port 80 remains open. curls from a public IP receive a response:

$ curl mypbx.mydomain.com shows…

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
</body></html>

If I place a test file in the LE challenge folder, that file is successfully served:

$ curl -i mypbx.mydomain.com/.freepbx-known/test.txt shows…

HTTP/1.1 200 OK
Date: Wed, 23 Oct 2024 09:28:15 GMT
Server: Apache
Last-Modified: Wed, 23 Oct 2024 09:28:08 GMT
ETag: "15-6252180f9846b"
Accept-Ranges: bytes
Content-Length: 21
Content-Type: text/plain

this is only a test

Repeated requests will eventually trigger fail2ban to block that IP.

Is this behaviour expected?

I figured this out, eventually. In case someone else runs into this issue, here’s what happened:

I had initial problems getting the Let’s Encrypt cert generation to work. That problem was related to my network’s firewall, not FreePBX’s FW. While I was working on that, I manually modified /etc/hosts on FreePBX to point the FQDN of my FreePBX site to the public IP of my network.

During FreePBX installation, and when you update FreePBX’s hostname in Admin → System Admin → Hostname, FreePBX sets both the host address and the FQDN for the pbx to localhost or 127.0.0.1 in /etc/hosts.

I haven’t poked around in FreePBX’s FW rules to see why my change would basically defeat the FW.

TL;DR Don’t manually modify /etc/hosts on FreePBX.
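A quick audit for the condition described in the reply above, as an added example that is not part of the thread and not FreePBX's own tooling: it scans /etc/hosts content for lines that map the PBX FQDN to anything other than a loopback address, which is the manual change that ended up leaving port 80 reachable. The FQDN and the sample hosts text are constructed; point `PBX_FQDN` at the real hostname and feed it `$(cat /etc/hosts)` to check a live box.

```shell
#!/bin/sh
# Added example, not from the forum thread or the FreePBX project.
# Flags /etc/hosts entries that map the PBX FQDN to a non-loopback address.

PBX_FQDN="mypbx.mydomain.com"   # assumption: substitute the real FQDN

# Constructed sample hosts file. The last line is the kind of manual edit the
# reply warns about: the FQDN pointed at the network's public address.
SAMPLE_HOSTS='127.0.0.1    localhost
127.0.0.1    mypbx.mydomain.com mypbx
::1          localhost ip6-localhost
# comment line, ignored
203.0.113.10 mypbx.mydomain.com'

# Constructed hosts file as FreePBX leaves it: FQDN on loopback only.
CLEAN_HOSTS='127.0.0.1    localhost
127.0.0.1    mypbx.mydomain.com mypbx
::1          localhost ip6-localhost'

# check_hosts FQDN HOSTS_TEXT
# Prints each offending line and returns 1 if FQDN is mapped to an address
# outside 127.0.0.0/8 or ::1; returns 0 when every mapping is loopback.
# Comments (# ...) and blank lines are skipped. awk is used rather than a
# read loop so the result survives the pipeline subshell in POSIX sh.
check_hosts() {
    fqdn="$1"
    hosts="$2"
    printf '%s\n' "$hosts" | awk -v fqdn="$fqdn" '
        { sub(/#.*/, "") }          # drop trailing comments
        NF < 2 { next }             # need an address plus at least one name
        {
            for (i = 2; i <= NF; i++) {
                if ($i == fqdn && $1 !~ /^127\./ && $1 != "::1") {
                    print "non-loopback mapping: " $0
                    bad = 1
                }
            }
        }
        END { exit bad }
    '
}

# Stand-alone demonstration on the constructed samples.
if check_hosts "$PBX_FQDN" "$SAMPLE_HOSTS"; then
    echo "OK: $PBX_FQDN maps only to loopback"
else
    echo "WARNING: $PBX_FQDN has a non-loopback /etc/hosts mapping"
fi

# Live use (assumption: run as root on the PBX):
#   check_hosts "$PBX_FQDN" "$(cat /etc/hosts)"
```

If the check reports a mapping, the remedy the reply points to is to let FreePBX rewrite the entry (set the hostname in Admin → System Admin → Hostname) rather than editing /etc/hosts by hand, and then confirm from an outside address that port 80 is no longer answering outside a renewal window.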
