I’m running FreePBX 184.108.40.206 / Asterisk 13.29.2 behind a pfSense 2.4.4-RELEASE-p3 (amd64) firewall. I am trying to generate a Let’s Encrypt certificate from the FreePBX GUI. According to the FreePBX wiki:
This process requires port 80 access to your PBX from world. Ideally you would use System Admin, Port Management, to configure port 80 dedicated to Let's Encrypt renewal.
I have confirmed that the FreePBX firewall has been configured to use port 80 for dedicated Let’s Encrypt certificate renewal. In addition, FreePBX requires the following hosts to be permitted for inbound http access, and FreePBX has configured this automatically, per the following:
Firewall Validated LetsEncrypt requires the following hosts to be permitted for inbound http access: outbound1.letsencrypt.org, outbound2.letsencrypt.org, mirror1.freepbx.org, mirror2.freepbx.org These entries are correctly set up in the Firewall module. However, it's possible that other external firewalls may block access. If you are having problems validating your certificate, this could be the issue.
When I attempt to generate a new Let’s Encrypt Certificate in the FreePBX GUI, in addition to the geographical info (Country, etc.) and the Challenge Over (HTTP Port 80) and an email address, there is only the Certificate Host Name, i.e., the hostname you are requesting a certificate for. Assume this hostname is 220.127.116.11 (not the real IP).
After the information above is added to the GUI, Let’s Encrypt will validate that this hostname resolves to this machine, and will attempt to connect to it. When I click “Generate New Let’s Encrypt Certificate” in the FreePBX GUI, I get the following error:
There was an error updating the certificate: Error 'Requested host '18.104.22.168' could not be resolved' when requesting http://22.214.171.124//.freepbx-known/c871b62b2ca143c77474c5f12378fd58
If I disable the FreePBX firewall, and attempt to generate a new LE certificate as above, I get the same error, so I presume that the pfSense firewall is the issue.
My understanding is that FreePBX recommends when configuring the FreePBX firewall that their firewall shouldn’t be behind any other firewall (i.e., pfSense) and should be placed in the DMZ zone (In the past I have configured a home router to put a server in the DMZ to renew LE certs, a very simple procedure, and it has worked.)
Can someone describe how I can set up pfSense to put FreePBX in a DMZ? Or could they suggest setting up a firewall rule(s) in pfSense that will allow me to generate a Let’s Encrypt certificate?
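The two checks the post describes (the certificate host name resolving to the PBX, and an outside client being able to fetch http://<host>/.freepbx-known/<token> over port 80) can be run from any machine on the internet side of pfSense before clicking Generate. The script below is an added example, not FreePBX or pfSense code; the host name, WAN address and token it takes on the command line are placeholders, and the `resolver`/`fetcher` parameters exist only so the decision logic can be exercised without network access. It reports which check fails first, which separates a name that does not resolve at all from a name that resolves but whose port 80 is not forwarded through the firewall.

```python
#!/usr/bin/env python3
"""Pre-flight check for a FreePBX Let's Encrypt HTTP-01 request.

Added example, not FreePBX code. It reproduces the two conditions the
FreePBX error text refers to: (1) the certificate host name resolves, and
to the WAN address we expect; (2) an outside client can GET
http://<host>/.freepbx-known/<token> on port 80.
"""
import http.client
import socket
import sys
from dataclasses import dataclass

# Path FreePBX serves its challenge files from (taken from the error message
# in the post; the double slash there is the PBX's own URL construction).
CHALLENGE_DIR = "/.freepbx-known/"


@dataclass
class Finding:
    stage: str   # "dns", "dns_match" or "http"
    ok: bool
    detail: str


def resolve(hostname):
    """Return the set of IPv4 addresses the name resolves to (empty on NXDOMAIN)."""
    try:
        infos = socket.getaddrinfo(hostname, 80, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def fetch_challenge(hostname, token, timeout=5.0):
    """GET the challenge path over plain HTTP, as the validator would.

    Returns (status, body); raises OSError on refused/timed-out connections.
    """
    conn = http.client.HTTPConnection(hostname, 80, timeout=timeout)
    try:
        conn.request("GET", CHALLENGE_DIR + token, headers={"Host": hostname})
        resp = conn.getresponse()
        return resp.status, resp.read().decode("utf-8", "replace")
    finally:
        conn.close()


def diagnose(hostname, token, expected_ip, resolver=resolve, fetcher=fetch_challenge):
    """Run the checks in order and stop at the first failure.

    resolver/fetcher are injectable so the logic can be tested offline.
    The last Finding in the returned list explains why a request would fail.
    """
    findings = []
    addrs = resolver(hostname)
    if not addrs:
        findings.append(Finding("dns", False,
            f"'{hostname}' does not resolve in public DNS; the validator never reaches the firewall"))
        return findings
    findings.append(Finding("dns", True, f"resolves to {sorted(addrs)}"))

    if expected_ip not in addrs:
        findings.append(Finding("dns_match", False,
            f"name points at {sorted(addrs)}, not the WAN address {expected_ip}"))
        return findings
    findings.append(Finding("dns_match", True, "name points at the expected WAN address"))

    try:
        status, _body = fetcher(hostname, token)
    except OSError as exc:
        findings.append(Finding("http", False,
            f"port 80 unreachable: {exc}; check the pfSense port forward and WAN rule"))
        return findings
    if status != 200:
        findings.append(Finding("http", False,
            f"HTTP {status} for {CHALLENGE_DIR}{token}; port 80 reaches something, but not the PBX challenge handler"))
        return findings
    findings.append(Finding("http", True, "challenge path served with HTTP 200"))
    return findings


def blocking_stage(findings):
    """Name of the first failing check, or None when everything passed."""
    for f in findings:
        if not f.ok:
            return f.stage
    return None


if __name__ == "__main__":
    # Usage: le_precheck.py <cert-hostname> <pfSense-WAN-ip> [token]
    # Hostname, WAN address and token are placeholders supplied by the operator.
    host, wan_ip = sys.argv[1], sys.argv[2]
    token = sys.argv[3] if len(sys.argv) > 3 else "probe"
    for f in diagnose(host, token, wan_ip):
        print("OK  " if f.ok else "FAIL", f.stage, "-", f.detail)
```

Run it from a host outside the pfSense WAN (a VPS, or a phone on mobile data), not from the LAN: a LAN client hitting the WAN address exercises NAT reflection rather than the WAN-side rule. A `dns` failure is fixed in public DNS, not on pfSense; an `http` failure with a refused or timed-out connection is what a missing port-80 port forward (Firewall > NAT > Port Forward, with its linked WAN pass rule) looks like from the outside. A 200 here only shows the path is reachable; the real validation also compares the body against the key authorization the ACME client wrote.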