Let's Encrypt

configuration

(Jason) #1

Hey all,

FreePBX 14.0.13.12
Current Asterisk Version: 13.27.1

Trying to generate a Let's Encrypt certificate on this deployment. Using the standard built-in firewall.

Port scan sees ports 22, 53, 82, 83, 84, 111 and 443, but not 80. I know I need 80 open for the certificate to validate.

Have enabled/disabled port 80 for LE several times.

There is no other firewall. All access is strictly IP-based authentication.

Have allowed all of the LE mirrors through the firewall:

Still seeing:

There was an error updating the certificate: Error 'Requested 'http://15859820.deployments.pbxact.com//.freepbx-known/32d69c542f198e3cd5be398a91a31a7e' - Failed connect to 15859820.deployments.pbxact.com:80; Connection timed out' when requesting http://15859820.deployments.pbxact.com//.freepbx-known/32d69c542f198e3cd5be398a91a31a7e

Sometimes:

There was an error updating the certificate: HTTP Challenge for 15859820.deployments.pbxact.com is not available. Whole response: {"type":"urn:acme:error:unauthorized","detail":"No registration exists matching provided key","status":403}


(Jason) #2


(Itzik) #3

You need to have port 80 open publicly during the process.

You can also move the GUI to a different port and have LE only on port 80.


(Jason) #4

Hello and thank you.

I do have port 80 open. I have port scanned the IP and port 80 doesn't show up. I am only using the built-in Fail2Ban/Firewall in FreePBX. And, my IP is trusted through the firewall.

After making sure that port 80 is set in Port Management, I go back to certificate management.

Firewall is validated for all LetsEncrypt DDNS.


But when I try to generate it:


(Jason) #5

Also, at the bottom of my schmoozecom.conf

Listen 80
<VirtualHost *:80>
    # Serve only the two challenge directories used for certificate validation
    Alias /.well-known /var/www/html/.well-known
    Alias /.freepbx-known /var/www/html/.freepbx-known
    RewriteEngine on
    # Pass challenge files through as plain text; refuse every other request
    RewriteRule ^/.(well-known|freepbx-known)/ - [H=text/plain,L]
    RewriteRule (^.|/.) - [F]
    DocumentRoot /invalid/folder/name
</VirtualHost>

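A pre-flight check for the validation path the vhost above serves, added here as an example (not FreePBX or certman code): it drops a random token under the webroot and fetches it back over plain HTTP on port 80 the way the validator would, then names the outcome so a firewall timeout, a refused connect, a 403 from the rewrite rules and a wrong file can be told apart. WEBROOT is an assumption, and fake_fetch is a constructed stand-in for offline use.

```python
import os
import secrets
import socket
import urllib.error
import urllib.request

WEBROOT = "/var/www/html"  # assumed; matches the Alias lines in the vhost above

def write_token(webroot, subdir):
    """Drop a random token file under webroot/subdir (e.g. '.freepbx-known')."""
    token = secrets.token_hex(16)
    path = os.path.join(webroot, subdir, token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(token)
    return token, path

def http_get(url, timeout=10.0):
    """Plain HTTP GET; returns (status, body) or raises urllib.error.URLError."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.status, resp.read().decode("utf-8", "replace")

def classify(host, subdir, token, fetch=http_get):
    """Fetch http://host/subdir/token as the validator would and name the outcome."""
    url = "http://%s/%s/%s" % (host, subdir, token)
    try:
        status, body = fetch(url)
    except urllib.error.HTTPError as exc:  # e.g. 403 from the [F] RewriteRule
        return "http %d" % exc.code
    except urllib.error.URLError as exc:   # connect-level failure
        if isinstance(exc.reason, (socket.timeout, TimeoutError)):
            return "timeout"               # a firewall silently dropping :80
        if isinstance(exc.reason, ConnectionRefusedError):
            return "refused"               # port reachable, nothing listening
        return "error %s" % exc.reason
    if status != 200:
        return "http %d" % status
    return "ok" if body.strip() == token else "mismatch"

def fake_fetch(outcome):
    """Constructed offline stand-in for http_get, used to exercise classify()."""
    def _fetch(url, timeout=10.0):
        errs = {"timeout": socket.timeout("timed out"),
                "refused": ConnectionRefusedError(111, "refused")}
        if outcome in errs:
            raise urllib.error.URLError(errs[outcome])
        if isinstance(outcome, int):
            raise urllib.error.HTTPError(url, outcome, "error", {}, None)
        return 200, outcome
    return _fetch
```

Run write_token(WEBROOT, ".freepbx-known") on the PBX, then classify(host, ".freepbx-known", token) from a machine outside the network; "timeout" matches the "Connection timed out" error in the first post, while "http 403" points at the rewrite rules rather than the firewall.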

(Jason) #6

So, I tried to install the default certificate through sysadmin https setup and it completely locked me out of the system in Chrome, stating that:

I can still access it with Mozilla, but it still won’t let me generate a LetsEncrypt certificate. I get the same error as above.

I will try to uninstall the default certificate to see if that fixes the Chrome issue…


(Jason) #7

Yeah… unable to uninstall the https certificate. Only option is to delete it in certificate management.


(Itzik) #8

Can you try setting everything (all ports) back as it was originally, and try again?


(Jason) #9

Technically, no.

I have the default self signed certificate installed in an attempt to enable https functionality.

So, the original port configuration didn’t include the https options that I have now.

In https setup, there is no option to uninstall a certificate.


(Jason) #10

So, found a thread that was helpful…

It suggests that upgrading certman to 14.0.5 fixes the problem. Well, I upgraded from 14.0.4.

Now when I try to generate an LE cert, I get this:
There was an error updating the certificate: 15859820.deployments.pbxact.com already exists!


(system) closed #11

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.