Generating Let's Encrypt Certificate - requested host does not resolve to IP


I have a FreePBX v14 system running. It works great :)
But there is one thing I have not yet been able to get past.

I have tried to generate a Let's Encrypt certificate for this machine using the FreePBX administration web frontend for certificates (Admin -> Certificate Manager -> Create New Lets Encrypt Cert).

These are my system's details (values slightly modified, ONLY A SIMILAR EXAMPLE FOR DEMONSTRATION!):

Version: FreePBX (from latest official distro)

DNS entry for
A 3600 srv01

Lets Encrypt cert details:
Certificate Host Name:

This is the error output on generation:
There was an error updating the certificate: Error ‘Requested host ‘’ does not resolve to ‘’ (Found’ when requesting “

The strange thing is, I can reach the URL without any problems from outside with any browser and the response does come from the host/apache with the IP

Firewall module is enabled and configured on the pbx, the needed LE exclusions were made.

The IP which was resolved by the LE module “” seems to be the last IP before my ISP hands over the connection to my network.
In my network, the pbx device is in a DMZ and public IP is set for it.
I have no other active firewall. I also cannot imagine that my ISP blocks any ports, as all parts of the device are reachable (ssh, apache, ssl etc.) from outside.

How does the certificate manager resolve the IP? Does it need any further settings?
Why does it resolve to the last gateway of my ISP and not to what is set in the DNS entry?

I am curious about that. Please help! Thank you!


OK, I've discovered one strange thing.

My network settings for the pbx are as follows (in System Admin Module):

Type: Static

If I now go to “Asterisk SIP Settings” and click on “Detect Network settings” there the resolved external IP is set to

How does FreePBX/Asterisk resolve the external IP?

FreePBX does not resolve that IP. You hard set that IP in the SIP Settings module. Update it and you should be good to go.

You also can’t just “make up” a domain. The domain has to be resolvable and open on port 80.


Fixed it :)

My router did a NAT translation on the initial packet, so what the LE service was receiving was not my (configured) static IP but instead my secondary dynamic IP, which is assigned by my provider to the modem on every PPPoE connection. So turn off NAT if it's behind a subnet.

Thanks anyway!
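A way to tell the source-NAT case described in this thread apart from a plain wrong DNS record, as an added example (not code from the thread or from FreePBX). It compares the host name's A records, the source address an outside service sees, and the addresses on the host's own interfaces; the function names, verdict strings and documentation-range sample IPs are assumptions constructed for illustration.

```python
import ipaddress
import socket

# Ranges that a public CA can never reach (RFC 1918, CGNAT, loopback, link-local).
# Listed explicitly so the constructed documentation-range samples count as "public".
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16")]

def resolve_a(hostname):
    """Live lookup of the IPv4 A records for hostname (needs network access)."""
    infos = socket.getaddrinfo(hostname, 80, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def diagnose(dns_addrs, egress_ip, local_addrs):
    """Classify a 'requested host does not resolve to <detected IP>' failure.

    dns_addrs   -- A records of the certificate host name
    egress_ip   -- source address an outside service sees for this host
    local_addrs -- addresses configured on the host's own interfaces
    """
    dns = {ipaddress.ip_address(a) for a in dns_addrs}
    egress = ipaddress.ip_address(egress_ip)
    local = {ipaddress.ip_address(a) for a in local_addrs}

    if not dns:
        return "no_dns_record"      # host name does not resolve at all
    if any(a in net for a in dns for net in NON_ROUTABLE):
        return "dns_not_public"     # record points at an internal address
    if egress in dns:
        return "ok"                 # outbound source matches the A record
    if dns & local:
        # The A record is this host's own address, yet outbound traffic leaves
        # with a different source: the router rewrites it (source NAT).
        return "source_nat"
    return "dns_mismatch"           # record points at some other machine

if __name__ == "__main__":
    # Constructed sample: static IP on the PBX, router's dynamic WAN IP seen outside.
    print(diagnose(["203.0.113.10"], "198.51.100.77", ["203.0.113.10"]))
```

A `source_nat` verdict points at the router's outbound translation rather than at DNS or the PBX firewall.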

So turn off nat if it's behind a subnet. - You did this in your router?