Scion
(Jason)
December 5, 2019, 10:25pm
1
Hey all,
FreePBX 14.0.13.12
Current Asterisk Version: 13.27.1
Trying to generate a Let's Encrypt certificate on this deployment. Using the standard built-in firewall.
Port scan sees port 22,53,82,83,84,111,443 but not 80. I know I need 80 open for the certificate to validate.
Have enabled/disabled port 80 for LE several times.
There is no other firewall. All is strictly based on IP authentication.
Have allowed all of the LE mirrors through the firewall:
Still seeing:
There was an error updating the certificate: Error ‘Requested ‘http://15859820.deployments.pbxact.com//.freepbx-known/32d69c542f198e3cd5be398a91a31a7e ’ - Failed connect to 15859820.deployments.pbxact.com:80 ; Connection timed out’ when requesting http://15859820.deployments.pbxact.com//.freepbx-known/32d69c542f198e3cd5be398a91a31a7e
Sometimes:
There was an error updating the certificate: HTTP Challenge for 15859820.deployments.pbxact.com is not available. Whole response: {“type”:“urn:acme:error:unauthorized”,“detail”:“No registration exists matching provided key”,“status”:403}
PitzKey
(Itzik)
December 10, 2019, 9:06am
3
You need to have port 80 open publicly during the process.
You can also move the GUI to a different port and have LE only on port 80.
Scion
(Jason)
December 10, 2019, 4:16pm
4
Hello and thank you.
I do have port 80 open. I have port scanned the IP and port 80 doesn’t show up. I am only using the built in Fail2Ban/Firewall in FreePBX. And, my IP is trusted through the firewall.
After making sure that port 80 is set in Port Management, I go back to certificate management.
Firewall is validated for all LetsEncrypt DDNS.
But when I try to generate it:
Scion
(Jason)
December 10, 2019, 4:21pm
5
Also, at the bottom of my schmoozecom.conf
Listen 80
<VirtualHost *:80>
Alias /.well-known /var/www/html/.well-known
Alias /.freepbx-known /var/www/html/.freepbx-known
RewriteEngine on
RewriteRule ^/.(well-known|freepbx-known)/ - [H=text/plain,L]
RewriteRule (^.|/.) - [F]
DocumentRoot /invalid/folder/name
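Added example, not part of the original posts or FreePBX's own code: a Python check that separates the "Connection timed out" result reported above (no answer on port 80) from a refused connection (nothing bound to the port despite `Listen 80`) and from an HTTP-level rejection of the challenge path. The function names and the token path are assumptions made for illustration.

```python
import http.client
import socket
import sys

def probe_tcp(host, port, timeout=3.0):
    """Classify one TCP connect attempt to host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"          # handshake completed: something is listening
    except ConnectionRefusedError:
        return "refused"           # RST came back: host reachable, no listener
    except (socket.timeout, TimeoutError):
        return "filtered"          # no answer at all: packets dropped on the way
    except OSError:
        return "unreachable"       # DNS failure, no route, and similar

def challenge_status(host, port, path, timeout=3.0):
    """Return the HTTP status for path, or None if no HTTP response arrived."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        return conn.getresponse().status
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()

def diagnose(host, port, path, timeout=3.0):
    """Turn the two probes into one line that says where to look next."""
    state = probe_tcp(host, port, timeout)
    if state == "filtered":
        return "filtered: no reply on the port; check firewall rules and upstream filtering"
    if state == "refused":
        return "refused: host answers but nothing listens; check the Listen directive and httpd"
    if state == "unreachable":
        return "unreachable: name did not resolve or there is no route to the host"
    status = challenge_status(host, port, path, timeout)
    if status == 200:
        return "ok: challenge path is served"
    if status is None:
        return "open-no-http: port accepts connections but did not speak HTTP"
    return f"http-{status}: port is open but the challenge path was rejected"

if __name__ == "__main__":
    # Assumption: the token name is constructed; place a test file there first.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(diagnose(target, 80, "/.freepbx-known/constructed-token"))
```

Run it from a machine outside the PBX's trusted networks, since the validation request arrives from the public internet and a trusted source address can see a port that the public cannot.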
Scion
(Jason)
December 10, 2019, 4:51pm
6
So, I tried to install the default certificate through sysadmin HTTPS setup and it completely locked me out of the system in Chrome, stating that:
I can still access it with Mozilla, but it still won’t let me generate a LetsEncrypt certificate. I get the same error as above.
I will try to uninstall the default certificate to see if that fixes the Chrome issue…
Scion
(Jason)
December 10, 2019, 4:56pm
7
Yeah… unable to uninstall the https certificate. Only option is to delete it in certificate management.
PitzKey
(Itzik)
December 11, 2019, 12:01am
8
Can you try setting everything (all ports) back as it was originally, and try again?
Scion
(Jason)
December 11, 2019, 11:11pm
9
Technically, no.
I have the default self signed certificate installed in an attempt to enable https functionality.
So, the original port configuration didn’t include the https options that I have now.
In https setup, there is no option to uninstall a certificate.
Scion
(Jason)
December 11, 2019, 11:54pm
10
So, found a thread that was helpful…
I’ve upgraded the certificate manager module to edge and it works,
my problem was I assumed that 14.0.4 was already newer than 13.0.36.11
that was in the different article, thank you very much
It suggests that upgrading certman to 14.0.5 fixes the problem. Well I upgraded from 14.0.4.
Now when I try to generate an LE cert, I get this:
There was an error updating the certificate: 15859820.deployments.pbxact.com already exists!