FreePBX | Register | Issues | Wiki | Portal | Support

Let's Encrypt Questions


Hello everyone!

I am having an issue trying to get a cert via Let’s Encrypt.

If I set port 80 for admin or UCP I can get to the interfaces from outside my network. This tells me that my port forwarding and external DNS is working just fine. Also, it prompted me to add the incoming sites to the firewall (the 2 for LE and the 2 for which I did do.

So I went into Port Management and changed the admin port to 8080, and set the Let’s Encrypt port to 80, but when I try to get a LE cert it times out and tells me it can’t get the token. I also cannot manually browse to the URL it is trying to get to from outside the network either (it does work internally).

So I am at a loss as to what the issue is. I have ruled out my port forwarding, and obviously the FreePBX firewall allows for port 80 to work from internally and externally. So what’s left to check?

FreePBX with all updates installed.


If you care to be unconventional (but successful) , you can make sure that nothing is running on port 80 and call from bash,

certbot --standalone certonly

you get to be self sufficient and a little interactive, but you need to move/copy/link the generated certs to the proper place


So I turned off the firewall and it worked just fine, now I have the cert. Then I turned the firewall back on. So here’s my question, what is the FW blocking? As I said, I did add the 4 sites the UI told me to.

Is there a CLI command that can allow me to see, in real-time, what the firewall is blocking?


iptables -L
I would assume that when you change the admin port to 8080, FreePBX Firewall unblocks 8080 and blocks 80. If you have something else running on 80 you would need to unblock it separately.