So, it seems the issue with generating new Let’s Encrypt certificates on a freshly installed FreePBX 16 is two-fold:
- “token is not available” - the built-in firewall, even if it has LE functions turned on - does not necessarily allow all required traffic to go in on port 80. Disabling firewall temporarily helped.
- “token did not match” - LetsEncrypt 'Token did not match' - #6 by thimo - it’s weird that on a freshly installed system this has to be changed manually if it influences one of the “almost” core functions (the Let’s Encrypt agent). I checked my old FreePBX 15 box and it seems I had to do that as well (even if I don’t remember it). It would be nice to have it done out-of-the-box.
Actually, I think the default https-redirect rules should be more like the ones below, as I have a bunch of other subdirs with helper forms, and listing them all in the configuration is troublesome:
[root@pbx ~]# cat /etc/httpd/conf.d/https-redirect.conf
<VirtualHost *:80>
RewriteEngine on
RewriteCond %{HTTPS} !=on [NC]
RewriteCond %{REQUEST_URI} !^/\.well-known
RewriteCond %{REQUEST_URI} !^/\.freepbx-known
RewriteRule ^/(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
# RewriteRule ^/(admin|ucp|fop2|call-form)/(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>
[root@pbx ~]#
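Added example, not from the original post: a pre-flight check that drops a dummy token under /.well-known/acme-challenge/ (the path the rules above exempt from the redirect) and fetches it over plain HTTP on port 80 without following redirects, so the two failure modes above (port 80 blocked by the firewall, challenge path redirected to HTTPS) show up before certbot is run. The host name and the document root /var/www/html are assumptions.

```python
"""Check that the HTTP-01 challenge path is served unchanged on port 80."""
import http.client
import os
import secrets

WEBROOT = "/var/www/html"  # assumed Apache document root on the PBX


def classify(status, location, body, token):
    """Map a raw port-80 response to one of the failure modes discussed above."""
    if status in (301, 302, 307, 308):
        if (location or "").lower().startswith("https://"):
            # The validator fetches the redirect target, so a stale HTTPS
            # vhost answering there produces "token did not match".
            return "redirected-to-https"
        return "redirected"
    if status != 200:
        return f"http-{status}"
    if body.strip() == token:
        return "ok"
    return "token-mismatch"  # something else answered on that path


def fetch_once(host, path, timeout=5):
    """One plain-HTTP GET that does not follow redirects."""
    try:
        conn = http.client.HTTPConnection(host, 80, timeout=timeout)
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location"), resp.read().decode("utf-8", "replace")
    except OSError:
        # Connection refused / timed out: the "token is not available" case
        # (port 80 not let through by the firewall).
        return None, None, ""


def check_challenge(host, webroot=WEBROOT):
    """Write a random token to the challenge directory, fetch it, clean up."""
    token = secrets.token_urlsafe(16)
    challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(challenge_dir, exist_ok=True)
    token_path = os.path.join(challenge_dir, token)
    with open(token_path, "w") as fh:
        fh.write(token)
    try:
        status, location, body = fetch_once(host, f"/.well-known/acme-challenge/{token}")
    finally:
        os.remove(token_path)
    if status is None:
        return "unreachable"
    return classify(status, location, body, token)


if __name__ == "__main__":
    print(check_challenge("pbx.example.com"))  # constructed host name
```

Run `check_challenge` on the PBX itself (it needs write access to the webroot); to exercise the firewall rather than loopback, call `fetch_once` with the public host name from a machine outside the network.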