There was an error updating certificate "pbx.xxxxxxxx.com": Error 'Requested 'http://pbx.xxxxxxxx.com//.freepbx-known/97f58b69eeefd91a14c9f05bd7a568c5' - couldn't connect to host' when requesting http://pbx.xxxxxxxx.com//.freepbx-known/97f58b69eeefd91a14c9f05bd7a568c5
I’ve searched but haven’t been able to find a solution. There is a short thread on Let’s Encrypt’s forum about this, but the admin just says they have a private thread discussing the topic. Has anyone else had this problem or come up with a solution?
Note that any port can be listening on port 80 - but there does need to be AT LEAST ONE. This has come up a couple of times, and I’ve just created https://issues.freepbx.org/browse/FREEPBX-16913 as an issue to track that. At the moment you have to pick SOMETHING to expose on port 80 (and most people use UCP), but I understand that you may not want to expose that to the public internet at all.
So that ticket is still in ‘feature request’, but we have our Bug Triage tomorrow, so it may get assigned straight away (no promises!). Feel free to vote on that issue if you think it would be useful for you.
Your existing setup will continue to work. There is now a new option in System Admin, Port Management that allows you to dedicate port 80 just for LE updates.
Just an FYI for anyone running into this issue. I had the same problem - Let’s Encrypt showed that all FQDNs were in the firewall properly, however I was still unable to update my certificate.
I fixed it by adding a custom service rule in the firewall to expose port 80 to the Internet zone. Once I updated the certificate, I then disabled that service. By disabling it, I will have to do this every few months in order to update, but I assume if you leave 80 open to the Internet zone, it would update automatically.
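The "couldn't connect to host" error in this thread is a TCP-level failure on port 80, not an HTTP error, and the probe below (an added example, not part of the thread or of FreePBX) tells the two apart. It can be run from a machine outside the firewall before a renewal, and again after the port 80 rule is disabled to confirm the port is closed. The function names and the token placeholder are assumptions; only the `/.freepbx-known/` path comes from the error message above.

```python
import http.client
import socket
import sys

def probe_challenge(host, token="TOKEN-PLACEHOLDER", port=80, timeout=5.0):
    """GET /.freepbx-known/<token> and classify the outcome as a short string."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/.freepbx-known/" + token)
        return "http-%d" % conn.getresponse().status
    except socket.gaierror:
        return "dns-failure"        # the name does not resolve from here
    except ConnectionRefusedError:
        return "connect-refused"    # nothing is listening on the port
    except (socket.timeout, TimeoutError):
        return "connect-timeout"    # typical of a firewall silently dropping packets
    except OSError:
        return "connect-error"      # reset, unreachable network, and similar
    except http.client.HTTPException:
        return "not-http"           # something answered, but not with HTTP
    finally:
        conn.close()

def port80_reachable(result):
    """True when a web server answered at all. A 404 for the placeholder token
    still proves the TCP path is open, which is what the error above is about."""
    return result.startswith("http-")

if __name__ == "__main__":
    # Usage: python probe.py pbx.example.com   (hostname is a placeholder)
    outcome = probe_challenge(sys.argv[1])
    state = "reachable" if port80_reachable(outcome) else "NOT reachable"
    print("%s: port 80 is %s" % (outcome, state))
```

A result of `connect-timeout` or `connect-refused` before renewal matches the failure reported at the top of the thread; the same result after renewal confirms the temporary rule is no longer exposing port 80.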