FreePBX with LE Certificate Installed Still not Secure

I’m setting up a Sangoma FreePBX server and after struggling a while with DNS A records and FQDNs I finally got the Let’s Encrypt certificate to install. I’ve got it set as the default certificate and installed in the HTTPS setup section in the sysadmin module.

However, when I access the server through the FQDN I’m still getting the message in my browser bar that the connection is still not secure.

I realize I’m way out of my depth here, but I haven’t been able to figure out how to solve this after retracing my steps to make sure I haven’t missed anything several times. Is there something simple I’m missing here, or is there a problem with my network setup in general that’s likely causing this?

After getting the TLS cert, you must set it as default in Certificate Management and then browse to System Admin, https setup to set the TLS cert for apache.


I’ve completed all these steps. Just redid them, just to make sure it wasn’t user error, but still getting the same results.

Try opening the page in Incognito / Private mode.

Same results there. I had tried that in the past as well wondering if it had something to do with my browser. I’ve tried on multiple computers (all with IPs I’ve listed as trusted in the firewall settings) with the same results.

If I attempt to access through https://[myFQDN].com I get a message that the site can’t be reached, but if it’s a ports issue I’m not sure what I could do differently there either. I’ve tried opening up several different ports in case it was communicating on a port I wasn’t expecting.

Not having an issue with a different CA. Could this be a LE issue? Have you checked on their side?

I haven’t been able to find any information from LE that would point to the source of this error. I’m leaning towards a problem with my network setup (and lack of understanding of that), but that’s probably beyond my ability to troubleshoot if this isn’t a common issue for a mistake others have made.

I’m pretty far out of my depth as far as setting this all up myself (wrong kind of engineer), but I’m afraid to turn to paid support so soon since too many times of doing that down the road and we would probably just be better off with a service like Vonage, which I’m really hoping to avoid.

Also I maybe should mention I used the YouTube tutorial from Crosstalk as a guide to set this up. It’s probably for someone with a little more understanding than me, so it’s entirely possible that it glossed over a step or something that’s a no-brainer or that an IT professional would have already done and I just wouldn’t realize.

It would be hard for anyone to guess. I recommend following the guide, or engaging an SME for support.

https://wiki.freepbx.org/display/F2/Certificate+Management+User+Guide

Take a look at your FQDN, compare to cert.

What about it is being reported as invalid by your browser? I know in Chrome you can click on the bad bad cert notification and then view the cert … what’s reported as the problem?

Does the cert’s common name in the error dialogue match the FQDN you plugged into the browser? Are you even seeing the LE cert?

If it didn’t report an error in the Certificate Manager module and the FQDN has been ticked by you, manually unselecting the default, make sure you have then clicked Install/Import in SysAdmin Https Settings.

Also check SysAdmin > Port Management. Port 443 (Default) should be open for https to the Admin.

I assume that you are trying to access the FreePBX admin GUI. If something else, please explain.

I assume that you can access the admin page, but are getting a warning from your browser (which?). If some other problem (can’t connect at all, viewing wrong page, etc.) please provide details.

I assume that the URL in your browser address bar starts with https: If not, what happens when you attempt to open the https URL?

When you click on the lock at the left of the address bar, can you view the certificate? If not, what happens? If yes, what is wrong with it (not LetsEncrypt, expired, for wrong domain name, revoked, etc.)?

Yes correct that I’m trying to access the GUI. For what it’s worth this instance is PBXact, but I don’t know that should make a difference (my understanding was the only difference was that it comes with more module licenses).

Now that I look at this a little closer I don’t think that Chrome is even seeing the LE cert. It’s not a notification that the certificate is bad, it looks like it’s just not finding it at all.

When I attempt to access the page through https I get an error that the site can’t be reached/refused to connect.

I’ve got 443 open as well, I’ve kept all the default settings in the port management.

(I do realize that troubleshooting remotely with only part of the information is probably like playing darts with your eyes closed, or even worse. I appreciate all the help.)

If it’s not something that others have seen and it’s a face-palm type of solution for something I’m doing wrong it sounds likely that I’ll end up just needing to pay for support, which I’m not entirely opposed to.

Does anyone have a rough guess for how many hours per year a FreePBX system will likely need professional attention? We don’t have anyone dedicated to IT (which is why I’m the yokel messing around with it), so just having an idea from people who work on these systems like you folks might help me prepare and budget a bit.

I don’t use LE (because they keep changing their IP addresses and I do not want my server to be open to the world) but you could try cheap domain validation SSL like:


You could validate the certificate by email address or DNS. Their chat support helped me install the SSL.

Though many here were able to install LE if you do not mind some troubleshooting.

I’m not opposed to paying for a certificate, but I wouldn’t want to resort to that while still having no understanding what the problem is. Seems all too likely I’ll end up in the same place with a lighter wallet (even if it is just a few bucks).

When you attempt to access the GUI via HTTPS in Chrome, what error is shown at the bottom of the page? I would expect something like ERR_CONNECTION_TIMED_OUT or ERR_CONNECTION_REFUSED.

Can you access the GUI via HTTP (from the same machine)?

Do you have SSH access to PBXact from the same computer?

Does the System Admin Port Management page show port 443 under Admin, Secure Port (https)?

Showing ERR_CONNECTION_REFUSED

No problem accessing on HTTP.

I’ve not attempted SSH access, but I can try to check on that.

Yes it’s showing 443 for admin.

Apparently I owe you my gratitude. I finally got it working.

I had opened 443 in my firewall and then not bothered to check it again. Went back to double check myself and 443 was no longer in the port list. Tried to add it again and it disappeared.

Quick googling showed that 443 was used by other services in the router by default and so when I added the rule the router decided to ignore me and not bother to mention it. Switching the ports around allowed me to open 443 and that apparently was all it took.

Amazing how much extra work it costs me when I don’t pay close enough attention the first time. I appreciate all the help.

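The thread's diagnosis path (is anything answering on 443 at all, and only then is the certificate the right one) can be scripted. The following is an added example, not part of the original thread and not FreePBX code; the function name `diagnose_https` and the result labels are hypothetical.

```python
import socket
import ssl
import sys


def diagnose_https(host, port=443, timeout=5.0):
    """Classify an HTTPS failure in the order the thread worked through it."""
    # Step 1: plain TCP. A refusal or timeout here means nothing reachable is
    # listening (firewall, router rule, port mapping); the certificate is not
    # involved yet. This is the ERR_CONNECTION_REFUSED case from the thread.
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "tcp-refused"
    except (socket.timeout, TimeoutError):
        return "tcp-timeout"
    except OSError as exc:
        return f"tcp-error: {exc}"

    # Step 2: TLS handshake with full verification (trust chain, expiry and
    # hostname match) against the system trust store.
    ctx = ssl.create_default_context()
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # Wrong name, self-signed default cert, expired cert, and so on.
        return f"cert-invalid: {exc.verify_message}"
    except (ssl.SSLError, OSError) as exc:
        # The port is open but the listener does not complete a TLS handshake.
        return f"tls-failed: {exc}"

    # Step 3: handshake verified; report who issued the cert and its expiry.
    issuer = dict(rdn[0] for rdn in cert["issuer"])
    return f"ok: issuer={issuer.get('organizationName')} notAfter={cert['notAfter']}"


if __name__ == "__main__":
    # Pass the PBX's FQDN as the first argument; defaults to localhost.
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    print(diagnose_https(target))
```

Run it from a machine outside the router as well as from the LAN: a `tcp-refused` or `tcp-timeout` result from outside only points at the network path, as it did here, while `cert-invalid` points back at Certificate Management and the HTTPS setup.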