Let's Encrypt Error

I am unable to generate a Let’s Encrypt Certificate and am receiving the following error.

There was an error updating the certificate: Error ‘Requested host ‘voipserver.cqsimple’ does not resolve to ‘97.87.30.82’ (Found voipserver.cqsimple)’ when requesting http://voipserver.cqsimple//.freepbx-known/fe4f602c883503f442f42aa722ddbc2a

It tells me my host does not resolve to my WAN IP but then what it says it found is exactly the host it looked for? Any ideas?

You need to have a fully qualified domain name (fqdn) to receive a letsencrypt cert.


Thank you for your help!

So I set up an FQDN for my server and then tried to generate the certificate and received the following error:

There was an error updating the certificate: Error 'Requested ‘http://securesip.cqsimple.com//.freepbx-known/4e1530a90fae6e9c5a1db6d2eb8c3c43’ - 404 Not Found Not Found The requested URL /.freepbx-known/4e1530a90fae6e9c5a1db6d2eb8c3c43 was not found on this server. Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request. ’ when requesting http://securesip.cqsimple.com//.freepbx-known/4e1530a90fae6e9c5a1db6d2eb8c3c43

Any ideas?

Port 80 on your firewall must be opened and forwarded to the freepbx machine.

Do not forward port 80 for everyone. This would be a big security issue. Only allow the letsencrypt servers access to port 80!


I have port 80 open for both Let’s Encrypt servers and the freepbx servers.

And it works now? For me it solved the problem opening the firewall and closing it afterwards.

Not working yet. For some reason, when Let’s Encrypt looks up my FQDN, it is finding our web host, the one who is supposed to direct the FQDN to our WAN IP.

There was an error updating the certificate: Error ‘Requested host ‘securesip.cqsimple.com’ does not resolve to ‘97.87.30.82’ (Found 75.98.166.66)’ when requesting http://securesip.cqsimple.com//.freepbx-known/90b246140290d70f1ee7ac9ecbfb8e80

Are your DNS settings correct?

I think so.

127.0.0.1
8.8.8.8
8.8.4.4

There are two A records for securesip.cqsimple.com. The first one is 75.98.166.66


You need to have access to that domain via a registrar. From there you have to update your DNS zone file to point that subdomain to the IP of your PBX.


Crazy stupid question. Do I need to purchase/register the name securesip.cqsimple.com? Obviously I have already done that for cqsimple.com.

No. You’ll want to set up securesip as a subdomain. If you edit your DNS zone file in manual mode it should look something like this:

securesip 10800 IN A 97.87.30.82

It’ll take a few minutes to a few hours to propagate depending on your clients’ DNS servers.


Certificate was able to take after that. Now I can work on setting up the right user and peer settings for the encrypted SIP trunks. Thanks.
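The failure in this thread (a stale A record for the web host alongside the PBX record) can be caught before requesting a certificate. The following is an added example, not code from the thread or from FreePBX; it parses zone lines in the format shown above and also flags the private-address case raised later in the thread. The `pbx` host and the address `192.168.1.50` are constructed for illustration.

```python
import ipaddress

# Constructed zone data modelled on the thread: a stale record for the web
# host next to the PBX record, plus a hypothetical host on a LAN address.
ZONE = """\
securesip 10800 IN A 75.98.166.66
securesip 10800 IN A 97.87.30.82
pbx       10800 IN A 192.168.1.50
"""


def parse_a_records(zone_text, origin):
    """Map each owner name to its A records from 'name ttl IN A addr' lines."""
    records = {}
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop zone-file comments
        if len(fields) == 5 and fields[2].upper() == "IN" and fields[3].upper() == "A":
            name = fields[0].rstrip(".")
            # A trailing dot marks an absolute name; otherwise append the origin.
            fqdn = name if fields[0].endswith(".") else f"{name}.{origin}"
            records.setdefault(fqdn, []).append(fields[4])
    return records


def check_host(records, fqdn, wan_ip):
    """List the reasons the CA's HTTP request for fqdn could miss the PBX."""
    expected = ipaddress.ip_address(wan_ip)
    addrs = records.get(fqdn, [])
    problems = [] if addrs else [f"{fqdn}: no A record"]
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if ip.is_private:
            problems.append(f"{fqdn}: {addr} is private, unreachable from the internet")
        elif ip != expected:
            problems.append(f"{fqdn}: extra A record {addr}, expected only {expected}")
    return problems


if __name__ == "__main__":
    recs = parse_a_records(ZONE, "cqsimple.com")
    for host in ("securesip.cqsimple.com", "pbx.cqsimple.com"):
        for problem in check_host(recs, host, "97.87.30.82"):
            print(problem)
```

An empty list from `check_host` means every A record for the name points at the WAN IP that forwards port 80 to the PBX.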

I’m having an issue getting Let’s Encrypt to work.
I will place an XXXX in place of the actual content.
My ISP is 69.203.67.XX
My pfsense router port forwards all TCP 80 and 443 to 192.168.1.XXX
I created a FQDN with ionos. securesip. XXXXXXXXX .com
When I check this FQDN on sslshopper I get

securesip. XXXXXXXXX .com resolves to 69.203.67.XX

Server Type: Apache/2.4.6 (Sangoma) OpenSSL/1.0.2k-fips PHP/5.6.40

The certificate should be trusted by all major web browsers (all the correct intermediate certificates are installed).

The certificate was issued by Let’s Encrypt.

The certificate will expire in 89 days.

The hostname (securesip.XXXXXXXXXXXX .com) is correctly listed in the certificate.

When I direct the securesip subdomain to my internal IP address 192.168.1.XXX
I get securesip. XXXXXXXXXXXX .com resolves to 192.168.1.XXX on ssl checker

So I believe having it point to my ISP address, then forward ports on pfsense to the local address is the way to go.
My hosting company seems to update the DNS right away because SSLShopper picks up the change right away.
Should securesip be the local IP of the freepbx? And should XXXXXXXX .com be my outfacing ISP IP address or my host's address?
So securesip = ISP address and XXXXXXXXX .com = ionos webhost address?

I think this is the issue with creating a letsencrypt certificate. I just don’t know the exact FQDN settings that work. Thank you for any enlightenment you can give.

I was able to create a letsencrypt certificate. I added it to the HTTPS, I verified on sslshopper, everything good. But when trying to generate a Zulu QR code, I get: QR code generation only supported over HTTPS with valid certificate and hostname

If anything reports an expiry of 2939 days, I can assure you it is not looking at a letsencrypt certificate; they expire 90 days after issuance.

I agree. That was before the certificate was generated with letsencrypt.

I just edited the post to reflect the new info.
I can’t get the FQDN to point directly to the GUI of my pbxact; instead it is pointing to the outer modem.
It seems that I can put a few type A records for the domain, and then one for the subdomain.
If you google jacsoft DNS Records 101, I read that to learn more, and searched Structure of the FQDN for more info.
I keep looking for the solution since this is fun for me, rewarding once it works. I hope it does soon.

Not an expert with commercial modules, but you probably need to copy the valid 1&1 (or whatever you created) cert and key into /etc/asterisk/keys and import/updateall/setdefault for Zulu to realize what you have done.