FreePBX in a DMZ with pfSense

I’m running FreePBX 14.0.13.26 / Asterisk 13.29.2 behind a pfSense 2.4.4-RELEASE-p3 (amd64) firewall. I am trying to generate a Let’s Encrypt certificate from the FreePBX GUI. According to the FreePBX wiki:

This process requires port 80 access to your PBX from world. Ideally you would use 
System Admin, Port Management, to configure port 80 dedicated to Let's Encrypt renewal.

I have confirmed that the FreePBX firewall has been configured to use port 80 for dedicated Let’s Encrypt certificate renewal. In addition, FreePBX requires the following hosts to be permitted for inbound http access, and FreePBX has configured this automatically, per the following:

Firewall Validated
LetsEncrypt requires the following hosts to be permitted for inbound http access:
outbound1.letsencrypt.org, outbound2.letsencrypt.org, mirror1.freepbx.org, mirror2.freepbx.org
These entries are correctly set up in the Firewall module. However, it's possible that other 
external firewalls may block access. If you are having problems validating your certificate, 
this could be the issue.

When I attempt to generate a new Let’s Encrypt Certificate in the FreePBX GUI, in addition to the geographical info (Country, etc.), the Challenge Over (HTTP Port 80) and an email address, there is only the Certificate Host Name, i.e., the hostname you are requesting a certificate for. Assume this hostname is 64.64.64.64 (not the real IP).

After the information above is added to the GUI, Let’s Encrypt will validate that this hostname resolves to this machine, and will attempt to connect to it. When I click “Generate New Let’s Encrypt Certificate” in the FreePBX GUI, I get the following error:

There was an error updating the certificate: Error 'Requested host ‘64.64.64.64 ’ could not be
resolved’ when requesting http://64.64.64.64//.freepbx-known/c871b62b2ca143c77474c5f12378fd58

If I disable the FreePBX firewall, and attempt to generate a new LE certificate as above, I get the same error, so I presume that the pfSense firewall is the issue.

My understanding is that FreePBX recommends when configuring the FreePBX firewall that their firewall shouldn’t be behind any other firewall (i.e., pfSense) and should be placed in the DMZ zone (In the past I have configured a home router to put a server in the DMZ to renew LE certs, a very simple procedure, and it has worked.)

Can someone describe how I can set up pfSense to put FreePBX in a DMZ? Or could they suggest setting up a firewall rule(s) in pfSense that will allow me to generate a Let’s Encrypt certificate?

Do you have port 80 open? Not just from the mentioned IPs. You need to allow it from everywhere.

@PitzKey The NAT firewall rule in pfSense looks like this:
Interface: WAN Protocol: TCP
Source address: * Source Ports: 80 (HTTP)
Dest. Address: WAN address Dest. Ports: 80 (HTTP)
NAT IP: 172.16.0.175 NAT Ports: 80 (HTTP)
Description: Let’s Encrypt Port 80 (required)

I don’t think the NAT Rule should have “Source Ports: 80”. The request will come from a port > 1024 with a Destination Port of 80. Set the source port to any and see if that works.

@gsiemon After changes, the NAT firewall rule in pfSense looks like this:
Interface: WAN Protocol: TCP
Source address: * Source Ports: *
Dest. Address: WAN address Dest. Ports: 80 (HTTP)
NAT IP: 172.16.0.175 NAT Ports: 80 (HTTP)
Description: Let’s Encrypt Port 80 (required)

When I generate a new LE cert, I see the same error:

There was an error updating the certificate: Error ‘Requested host ‘64.64.64.64’ could not be resolved’ when requesting http://64.64.64.64//.freepbx-known/ef898724e51d5c68fd42938fb44672e5

Are you trying to get a certificate for an ip address?

I’m trying to generate a certificate for Zulu.

Again, “Are you trying to get a certificate for an ip address?”

Is there a dns name that resolves to 64.64.64.64 ?

As I said above, 64.64.64.64 is not the real address. If I run NSLOOKUP on the real FQDN, this does resolve to the public IP address of my FreePBX.

And you are requesting a certificate for the FQDN?

If I use www.myfqdn.com to generate the cert (instead of 64.64.64.64), here is the error message:

There was an error updating the certificate: Verification timed out

Well, you can’t get a certificate for an IP address so stop trying.
A few days ago letsencrypt fulfilled their promise to use un-announced hosts for the source of their challenges, so turn off all your firewalls and forward ALL 80/TCP traffic arriving at 64.64.64.64 to your PBX while trying to renew.

Sorry if I’m missing something, but doesn’t this forward all 80/TCP traffic to my PBX?

Interface: WAN Protocol: TCP
Source address: * Source Ports: *
Dest. Address: WAN address Dest. Ports: 80 (HTTP)
NAT IP: 172.16.0.175 NAT Ports: 80 (HTTP)
Description: Let’s Encrypt Port 80 (required)

It’s more that LetsEncrypt is missing being able to send and receive traffic to your PBX’s webserver, and that the webserver can PUT and GET without hindrance ;-)

Disable ALL firewalling, both the pfSense and anything on the PBX, and only keep the forwarding rules.
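The three failure modes discussed in this thread (a certificate requested for an IP literal, a hostname that does not resolve to the PBX's public address, and port 80 not reachable from outside) can be checked before clicking "Generate" in the GUI. The following pre-flight script is an added example, not code from the original thread or from FreePBX; the `/.freepbx-known/` path is taken from the quoted error message, and the `resolve`/`fetch` parameters are hooks so the checks can be exercised offline.

```python
import ipaddress
import socket
import urllib.request
import urllib.error

# Path as it appears in the error message quoted in the thread; the standard
# ACME HTTP-01 path is /.well-known/acme-challenge/<token>.
CHALLENGE_PREFIX = "/.freepbx-known/"


def is_ip_literal(host: str) -> bool:
    """True when the 'hostname' is really an IP address (Let's Encrypt will not issue for these)."""
    try:
        ipaddress.ip_address(host.strip())
        return True
    except ValueError:
        return False


def challenge_url(host: str, token: str) -> str:
    # Single slash between host and path (the quoted error shows a doubled one).
    return f"http://{host.strip().rstrip('/')}{CHALLENGE_PREFIX}{token}"


def preflight(host, expected_ip, token, resolve=socket.gethostbyname, fetch=None, timeout=10):
    """Return a list of findings; an empty list means the HTTP-01 path looks reachable."""
    findings = []
    if is_ip_literal(host):
        findings.append("hostname is an IP literal; request the certificate for the FQDN instead")
        return findings
    try:
        resolved = resolve(host)
    except OSError as exc:
        findings.append(f"DNS: {host} does not resolve ({exc})")
        return findings
    if resolved != expected_ip:
        findings.append(f"DNS: {host} resolves to {resolved}, expected {expected_ip}")
    url = challenge_url(host, token)
    if fetch is None:  # default: a real GET, the same thing the validator does from outside
        def fetch(u):
            with urllib.request.urlopen(u, timeout=timeout) as r:
                return r.status, r.read().decode(errors="replace")
    try:
        status, body = fetch(url)
    except (urllib.error.URLError, OSError) as exc:  # timeouts are OSError subclasses
        findings.append(f"HTTP: {url} unreachable ({exc}); check the WAN port-80 NAT/firewall rules")
        return findings
    if status != 200 or token not in body:
        findings.append(f"HTTP: {url} answered {status} without the token; port 80 may be forwarded to the wrong host")
    return findings
```

Run it from a host outside your network (a VPS or a phone on mobile data), since a check from inside the LAN does not exercise the pfSense WAN rule.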

@dicko Thanks, that did it. FYI, I disabled the FreePBX firewall and used www.myfqdn.com to generate the certificate, and I have a new certificate.

As I said a few weeks before, much appreciated.

As a point of interest, who handles your DNS?

One question this brings up. According to the FreePBX wiki, Let’s Encrypt certs are supposed to be automatically re-generated when the time for renewal comes up. I’m guessing this won’t happen with my current firewall setup.

I use No-IP for my DNS.

I can’t speak for FreePBX, but most of the ACME ‘clients’ have hooks built in for opening/closing things as necessary. You should probably wait for Sangoma to fix their ‘client’ to use ACMEv2 for new setups, allow challenges from anywhere, and have the firewall co-operate.

As an FYI, pfSense includes an optional ACME package designed to automate the Let’s Encrypt certificate renewal process. I’ll have to investigate this.