Let's Encrypt Initial Setup Failing

I was previously using StartCOM certificates but I wanted to switch to Let’s Encrypt given the former’s trust issues. I tried the let’s encrypt process but I receive the following error:

There was an error updating the certificate: Verification ended with error: {“identifier”:{“type”:“dns”,“value”:“xyz.example.com”},“status”:“invalid”,“expires”:“2017-02-10T14:20:04Z”,“challenges”:[{“type”:“http-01”,“status”:“pending”,“uri”:“https://acme-v01.api.letsencrypt.org/acme/challenge/4IJ8JFvDRX1v8j5QheBIseKgWAUwF0zZ9fNkK9lHShM/575533762",“token”:“ZDWqVjqw0HZ7oXSSHcA-oIaCZrYIbaQ7qrKbfX9udPM”},{“type”:“tls-sni-01”,“status”:“invalid”,“error”:{“type”:“urn:acme:error:unauthorized”,“detail”:"Incorrect validation certificate for TLS-SNI-01 challenge. Requested d275c20350f9c5ace7a7346a69d4c0ac.2b9d0013fb3c0f6fcceaa1c837fba93c.acme.invalid from x.x.x.x:443. Received 2 certificate(s), first certificate had names “xyz.example.com””,“status”:403},“uri”:“https://acme-v01.api.letsencrypt.org/acme/challenge/4IJ8JFvDRX1v8j5QheBIseKgWAUwF0zZ9fNkK9lHShM/575533763",“token”:“MTE7m5Xv-wwl0VnfAyhZrIK-e-tl3uxxC9axLl9d8R0”,“keyAuthorization”:“MTE7m5Xv-wwl0VnfAyhZrIK-e-tl3uxxC9axLl9d8R0.n7UiKu0CH7eAyYcXJnW1PrWi5IRHogWFm_-oAzdVK_k”,“validationRecord”:[{“hostname”:“xyz.example.com”,“port”:“443”,“addressesResolved”:[“x.x.x.x”],“addressUsed”:“x.x.x.x”}]},{“type”:“dns-01”,“status”:“pending”,“uri”:“https://acme-v01.api.letsencrypt.org/acme/challenge/4IJ8JFvDRX1v8j5QheBIseKgWAUwF0zZ9fNkK9lHShM/575533764”,“token”:“n19HXjg0gHlttupxeGLIWKvgJ_dukmUVgS-rpdFK460”}],"combinations”:[[1],[2],[0]]}

I then tried creating a new CSR and then doing the Let’s Encrypt process again (not sure if it knows to generate its own new CSR or not) but got the same error. Everything seems right in my configuration so I’m at a loss. Port 443 is open to incoming connections both on FreePBX and my router’s firewall.

The Let’s Encrypt process does not use the CSR you generated. It generates it’s own

Does this have a valid certificate? You will need a valid certificate on 443 to get issued a Let’s Encrypt Certificate. It’ll generally fail on certificate errors.

I do have a valid certificate from StarCOM that I’ve had for a while. Did Mozilla revoke the trust for StartCOM in their Let’s Encrypt software like their did their web browser?

It wouldn’t have anything to do with Mozilla. It’s either a 403 (forbidden) or an invalid certificate. You’ve scrubbed the URLs so I can’t tell you for sure.

The URLs and IPs all point to my PBX. My PBX has a public IP with routing only. The firewall isn’t doing any NAT on it.

Ahhh. Actually I see. Unfortunately HTTPS mode for Let’s Encrypt will NOT work in FreePBX. Sorry about that. You will need to use HTTP to get the certificate.

Ticket here: http://issues.freepbx.org/browse/FREEPBX-14082

Lol. Getting an SSL certificate in the clear. Slight oversight eh?

Thanks for you help,


It’s the only way to do it for the forseeable future

I understand. I just think it’s ironic.

I appreciate your time resolving the issue.