Let's Encrypt - There was an error updating certificate

I received this error on my PBX today.

There was an error updating certificate "pbx.xxxxxxxx.com": Error 'Requested 'http://pbx.xxxxxxxx.com//.freepbx-known/97f58b69eeefd91a14c9f05bd7a568c5' - couldn't connect to host' when requesting http://pbx.xxxxxxxx.com//.freepbx-known/97f58b69eeefd91a14c9f05bd7a568c5

I’ve searched but haven’t been able to find a solution. There is a short thread on Let’s Encrypt’s forum about this, but the admin just says they have a private thread discussing the topic. Has anyone else had this problem or come up with a solution?

What FPBX system version are you running?

FreePBX 14.0.1.36

You need to let mirror1.freepbx.org connect to your server. Your firewall is blocking it.

I have mirror1.freepbx.com set as “Local” in my firewall settings.

What port is your web interface running on?

Http: port 921
Https: port 443

That’s your problem. LE will only try you on port 80. It won’t use custom ports for renewals.
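The point made in the reply above (the validator only ever tries port 80, and it has to reach the PBX's /.freepbx-known/<token> path) can be checked before a renewal is due rather than after it fails. What follows is an added example written for this thread, not code from the original posts or from FreePBX: a small stand-in for the PBX's HTTP listener and a checker that fetches the challenge URL the way the validator would, reporting which of the failure modes discussed here applies. It assumes the challenge body is the token itself (an assumption; FreePBX may serve something else), and it binds an ephemeral port so it runs offline. Against a real PBX the URL would have to be on port 80, and the probe would have to come from outside the LAN, since the firewall otherwise never sees the validator as Internet-zone traffic.

```python
import http.server
import socket
import threading
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Path prefix taken from the error message quoted in the thread.
CHALLENGE_PREFIX = "/.freepbx-known/"


class ChallengeHandler(http.server.BaseHTTPRequestHandler):
    """Answers GET /.freepbx-known/<token> with that token's body.

    Stands in for the PBX's web server in this demo; anything else gets a 404.
    """

    tokens = {}  # token -> body, filled in by serve_tokens()

    def do_GET(self):
        # The error in the thread shows a doubled slash ("//.freepbx-known/");
        # collapse leading slashes so that form is answered as well.
        path = "/" + self.path.lstrip("/")
        body = None
        if path.startswith(CHALLENGE_PREFIX):
            body = self.tokens.get(path[len(CHALLENGE_PREFIX):])
        if body is None:
            self.send_response(404)
            self.end_headers()
            return
        data = body.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo quiet
        pass


def serve_tokens(tokens, host="127.0.0.1", port=0):
    """Start a background listener serving the given {token: body} map.

    port=0 picks a free port so the demo runs offline. A real PBX must listen
    on 80, because that is the only port the validator tries.
    """
    ChallengeHandler.tokens = dict(tokens)
    server = http.server.HTTPServer((host, port), ChallengeHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def check_challenge(url, expected, allowed_port=80, timeout=5):
    """Fetch the challenge URL as the validator would; return (ok, reason).

    Failure modes match the thread: HTTPS or a custom port in the URL,
    nothing reachable on the port, path not served, wrong content.
    """
    parts = urlsplit(url)
    if parts.scheme != "http":
        return False, "validation is plain HTTP; %s is not tried" % parts.scheme
    port = parts.port or 80
    if port != allowed_port:
        return False, "validator only connects to port %d, URL names port %d" % (allowed_port, port)
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode(errors="replace")
    except urllib.error.HTTPError as exc:        # HTTPError before its parent URLError
        return False, "host answered HTTP %d (path not served)" % exc.code
    except (urllib.error.URLError, OSError) as exc:
        return False, "couldn't connect to host: %s" % exc
    if body.strip() != expected:
        return False, "path served but content does not match the token"
    return True, "ok"


def free_port():
    """Return a port nothing is listening on, for the negative case."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    token = "97f58b69eeefd91a14c9f05bd7a568c5"  # token from the thread's error message
    srv = serve_tokens({token: token})
    port = srv.server_address[1]
    url = "http://127.0.0.1:%d//.freepbx-known/%s" % (port, token)
    print(check_challenge(url, token, allowed_port=port))  # reachable, content matches
    print(check_challenge(url, token))                     # same URL, but not on port 80
    dead = free_port()
    print(check_challenge("http://127.0.0.1:%d/.freepbx-known/%s" % (dead, token), token, allowed_port=dead))
```

The second call reproduces the situation in this thread: the path is served correctly, but because the web interface sits on port 921 the validator, which only dials 80, never gets there. The third call is what "couldn't connect to host" looks like when nothing answers at all, which is the firewall case raised later in the thread.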

Thanks, Tony. I’ll change that and see if it resolves it.

Note that any port can be listening on port 80 - but there does need to be AT LEAST ONE. This has come up a couple of times, and I’ve just created https://issues.freepbx.org/browse/FREEPBX-16913 as an issue to track that. At the moment you have to pick SOMETHING to expose on port 80 (and most people use UCP), but I understand that you may not want to expose that to the public internet at all.

So that ticket is still in ‘feature request’, but we have our Bug Triage tomorrow, so it may get assigned straight away (no promises!). Feel free to vote on that issue if you think it would be useful for you.

Thanks, Rob. That would be handy. I don’t love the idea of having my PBX exposed on port 80. I’ve voted it up and am watching for a solution.

Well you will only expose it to the local traffic in the firewall settings.

Rob, I see this was closed under status “fixed”

Are there any changes to how to set this up now?

Thanks

Your existing setup will continue to work. There is now a new option in System Admin, Port Management that allows you to dedicate port 80 just for LE updates.

Thank you!

Is there a free solution to change the LetsEncrypt port?

It only works on port 80. Sorry.

Also please don’t hijack threads.

Just an FYI for anyone running into this issue. I had the same problem - Let’s Encrypt showed that all FQDNs were in the firewall properly, however I was still unable to update my certificate.

I fixed it by adding a custom service rule in the firewall to expose port 80 to the Internet zone. Once I updated the certificate, I then disabled that service. By disabling it, I will have to do this every few months in order to update, but I assume if you leave 80 open to the Internet zone, it would update automatically.

See below the reason why it was blocked.

Appreciate your videos, Chris!
