I was previously using StartCOM certificates but I wanted to switch to Let’s Encrypt given the former’s trust issues. I tried the let’s encrypt process but I receive the following error:
There was an error updating the certificate: Verification ended with error: {“identifier”:{“type”:“dns”,“value”:“xyz.example.com”},“status”:“invalid”,“expires”:“2017-02-10T14:20:04Z”,“challenges”:[{“type”:“http-01”,“status”:“pending”,“uri”:“https://acme-v01.api.letsencrypt.org/acme/challenge/4IJ8JFvDRX1v8j5QheBIseKgWAUwF0zZ9fNkK9lHShM/575533762",“token”:“ZDWqVjqw0HZ7oXSSHcA-oIaCZrYIbaQ7qrKbfX9udPM”},{“type”:“tls-sni-01”,“status”:“invalid”,“error”:{“type”:“urn:acme:error:unauthorized”,“detail”:"Incorrect validation certificate for TLS-SNI-01 challenge. Requested d275c20350f9c5ace7a7346a69d4c0ac.2b9d0013fb3c0f6fcceaa1c837fba93c.acme.invalid from x.x.x.x:443. Received 2 certificate(s), first certificate had names “xyz.example.com””,“status”:403},“uri”:“https://acme-v01.api.letsencrypt.org/acme/challenge/4IJ8JFvDRX1v8j5QheBIseKgWAUwF0zZ9fNkK9lHShM/575533763",“token”:“MTE7m5Xv-wwl0VnfAyhZrIK-e-tl3uxxC9axLl9d8R0”,“keyAuthorization”:“MTE7m5Xv-wwl0VnfAyhZrIK-e-tl3uxxC9axLl9d8R0.n7UiKu0CH7eAyYcXJnW1PrWi5IRHogWFm_-oAzdVK_k”,“validationRecord”:[{“hostname”:“xyz.example.com”,“port”:“443”,“addressesResolved”:[“x.x.x.x”],“addressUsed”:“x.x.x.x”}]},{“type”:“dns-01”,“status”:“pending”,“uri”:“https://acme-v01.api.letsencrypt.org/acme/challenge/4IJ8JFvDRX1v8j5QheBIseKgWAUwF0zZ9fNkK9lHShM/575533764”,“token”:“n19HXjg0gHlttupxeGLIWKvgJ_dukmUVgS-rpdFK460”}],"combinations”:[[1],[2],[0]]}
I then tried creating a new CSR and then doing the Let’s Encrypt process again (not sure if it knows to generate its own new CSR or not) but got the same error. Everything seems right in my configuration so I’m at a loss. Port 443 is open to incoming connections both on FreePBX and my router’s firewall.