If DNS and firewall forwarding/loopback are properly configured, it should “just work.”
www.fqdn.com is working for remote IP phones in numerous locations across the internet and with other LE certs on my network, so I don’t think DNS is the problem.
There are three rules in pfSense (for the WordPress LE cert, the pfSense, and for the FreePBX LE cert) to forward TCP port 80 for LE certs. They are identical except for the destination NAT IP on the LAN. All are normally disabled (i.e., port 80 is closed). When I need to update the LE cert, I open up port 80 for that specific rule. The WordPress LE cert “just works” each and every time with certbot. The FreePBX LE certs not so much.
I am surprised that this is an issue because with literally millions of FreePBX installs, I expect there are more than a few who are using ACME clients, and there also must be lots of these folks with expertise in how to make this work. Right now this is my number one complaint with FreePBX. Otherwise I’m quite happy.
I don’t know much about pfSense, but suspect that your issue relates to an interaction between your special rules and hairpinning. WordPress works fine because only LE (from outside) is accessing www.fqdn.com:80 when renewing.
However, FreePBX does a pretest to first confirm that it can access www.fqdn.com:80 and I am guessing that pfSense is not handling that correctly. You can confirm or refute this hypothesis by doing a curl or wget from a PBX shell prompt to http://www.fqdn.com/.well-known/acme-challenge/<TOKEN>
If this is your issue and you can’t easily fix it in pfSense, try adding an entry in /etc/hosts to map www.fqdn.com to 127.0.0.1
It’s a 100% certainty the self test failure is a DNS issue.
The DNS problems can be overcome with firewall configuration, but I generally consider NAT loopback a kludgy, lazy hack and never the proper fix.
The other LE clients don’t use the Lescript.php library that FreePBX does. It’s a bad client, but it’s what we have for now. Certbot and other clients don’t have the self-test nonsense of Lescript.php.
You can take two minutes to edit the pbx hosts file to prove/disprove the fact, or continue circling around the problem.
and type in my domain name, i.e., www.fqdn.com, the correct public IP address is displayed. I can ping my domain name from an external computer as well as a computer on the LAN. nslookup from an external computer shows as:
I assume this was run after editing the hosts file?
Yes, after the hosts file was edited as follows:
$ cat /etc/hosts
127.0.0.1 freepbx15vb localhost localhost.localdomain localhost4
127.0.0.1 www.fqdn.com
::1 freepbx15vb localhost localhost6
$
From the pbx, “www.fqdn.com” must resolve to the internal IP of the pbx.
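The self-test condition described in the replies above (the PBX must see www.fqdn.com as one of its own addresses, whether via /etc/hosts or DNS), as an added example that is not part of this thread: a POSIX shell check that parses /etc/hosts text and `ip -4 -o addr` text and reports whether the name lands on a local address. The hostname and addresses are the thread's placeholders, and the sample inputs are constructed; on a real PBX you would feed it `cat /etc/hosts` (or `getent hosts www.fqdn.com` to include DNS answers) and `ip -4 -o addr`.

```shell
#!/bin/sh
# Added example, not from the thread. Reports whether NAME resolves to an
# address owned by this PBX, which is what the Lescript.php self-test needs
# when port 80 is hairpinned through the firewall. Inputs are passed as text
# so the check runs on constructed data; see the lead-in for real inputs.

# hosts_lookup NAME HOSTS_TEXT -> prints the first address listed for NAME
hosts_lookup() {
    printf '%s\n' "$2" | awk -v name="$1" '
        /^[ \t]*#/ || NF < 2 { next }                # skip comments/blanks
        { for (i = 2; i <= NF; i++) if ($i == name) { print $1; exit } }'
}

# local_addrs IPADDR_TEXT -> prints the IPv4 addresses from `ip -4 -o addr`
local_addrs() {
    printf '%s\n' "$1" | awk '$3 == "inet" { sub(/\/.*/, "", $4); print $4 }'
}

# resolves_locally NAME HOSTS_TEXT IPADDR_TEXT -> exit 0 if NAME maps to a
# local IPv4 address (loopback counts), exit 1 if missing or non-local
resolves_locally() {
    addr=$(hosts_lookup "$1" "$2")
    [ -n "$addr" ] || return 1                        # name not present
    [ "$addr" = "127.0.0.1" ] && return 0             # loopback is local
    local_addrs "$3" | grep -qxF "$addr"
}

# Constructed sample input mirroring the thread (placeholder values).
HOSTS_BAD='127.0.0.1 freepbx15vb localhost localhost.localdomain localhost4
::1 freepbx15vb localhost localhost6'
HOSTS_LO='127.0.0.1 freepbx15vb localhost localhost.localdomain localhost4
127.0.0.1 www.fqdn.com
::1 freepbx15vb localhost localhost6'
HOSTS_OK='127.0.0.1 freepbx15vb localhost localhost.localdomain localhost4
172.16.0.175 www.fqdn.com
::1 freepbx15vb localhost localhost6'
IPADDR='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 172.16.0.175/24 brd 172.16.0.255 scope global dynamic eth0'

for hosts in "$HOSTS_BAD" "$HOSTS_LO" "$HOSTS_OK"; do
    if resolves_locally www.fqdn.com "$hosts" "$IPADDR"; then
        echo "www.fqdn.com -> local address: self-test can succeed"
    else
        echo "www.fqdn.com -> not local: self-test will hit the firewall"
    fi
done
```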
This command is run on the PBX 172.16.0.175:
$ ip a
…
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:97:2f:36 brd ff:ff:ff:ff:ff:ff
inet 172.16.0.175/24 brd 172.16.0.255 scope global dynamic eth0
valid_lft 6768sec preferred_lft 6768sec
inet6 fe80::a00:27ff:fe97:2f36/64 scope link
valid_lft forever preferred_lft forever
…
$
After editing, the /etc/hosts file on the PBX:
$ cat /etc/hosts
127.0.0.1 freepbx15vb localhost localhost.localdomain localhost4
172.16.0.175 www.fqdn.com
::1 freepbx15vb localhost localhost6
$ curl fqdn.com
Hello, hello. This is a test.
$
For all tests below, port 80/TCP was open and forwarded to FreePBX 172.16.0.175:
Certificate named “default” is going to expire in less than a month. Please update this certificate in Certificate Manager
Successfully updated certificate named "www.fqdn.com"
Successfully updated certificate named "www.anotherfqdn.com"
$
The log above states two certificates www.fqdn.com and www.anotherfqdn.com were both updated successfully. Just above those two lines in the log it says:
Certificate named “default” is going to expire in less than a month. Please update this certificate in Certificate Manager
In the Certificate Manager menu in the FreePBX GUI the www.fqdn.com LE cert has a green checkmark as the default cert, and the Issued Certificate Details says the cert is valid for 89 days.