Let's Encrypt - There was an error updating certificate

I received this error on my PBX today.

There was an error updating certificate "pbx.xxxxxxxx.com": Error 'Requested 'http://pbx.xxxxxxxx.com//.freepbx-known/97f58b69eeefd91a14c9f05bd7a568c5' - couldn't connect to host' when requesting http://pbx.xxxxxxxx.com//.freepbx-known/97f58b69eeefd91a14c9f05bd7a568c5

I’ve searched but haven’t been able to find a solution. There is a short thread on Let’s Encrypt’s forum about this, but the admin just says they have a private thread discussing the topic. Has anyone else had this problem or come up with a solution?

What FPBX system version are you running?


You need to let mirror1.freepbx.org connect to your server. Your firewall is blocking it.

I have mirror1.freepbx.com set as “Local” in my firewall settings.

What port is your web interface running on

Http: port 921
Https: port 443

That’s your problem. LE will only try you on port 80. It won’t use custom ports for renewals.

Thanks, Tony. I’ll change that and see if it resolves it.

Note that any port can be listening on port 80 - but there does need to be AT LEAST ONE. This has come up a couple of times, and I’ve just created https://issues.freepbx.org/browse/FREEPBX-16913 as an issue to track that. At the moment you have to pick SOMETHING to expose on port 80 (and most people use UCP), but I understand that you may not want to expose that to the public internet at all.

So that ticket is still in ‘feature request’, but we have our Bug Triage tomorrow, so it may get assigned straight away (no promises!). Feel free to vote on that issue if you think it would be useful for you.


Thanks, Rob. That would be handy. I don’t love the idea of having my PBX exposed on port 80. I’ve voted it up and am watching for a solution.

Well you will only expose it to the local traffic in the firewall settings.

Rob, I see this was closed under status “fixed”

Is there any changes how to set this up now?


Your existing setup will continue to work. There is now a new option in System Admin, Port Management that allows you to dedicate port 80 just for LE updates.


Thank you!

1 Like

(post withdrawn by author, will be automatically deleted in 24 hours unless flagged)

There’s a free solution to change LetsEncrypt port?

It only works on port 80. Sorry.

Also please don’t hijack threads.

1 Like

Just an FYI for anyone running into this issue. I had the same problem - Let’s Encrypt showed that all FQDN’s were in the firewall properly, however I was still unable to update my certificate.

I fixed it by adding a custom service rule in the firewall to expose port 80 to the Internet zone. Once I updated the certificate, I then disabled that service. By disabling it, I will have to do this every few months in order to update, but I assume if you leave 80 open to the Internet zone, it would update automatically.

See below the reason why it was blocked.

Appreciate ya video’s, Chris!