Lets Encryt certificate generation error

fetoa · October 19, 2021, 6:09pm

Hi,

I get this error generating Lets Encrypt certificate. FQDN is correctly configured, and port 80 is accesible from the Internet. I have no idea about this error:

What can I do?

Regards

fetoa · October 19, 2021, 6:23pm

I found the solution on this post (thanks to @Bradbpw):

Hostname must be same as FQDN.

Regards

cynjut · October 20, 2021, 1:12am

I’m gonna guess that you have a website running on port 80 or that your firewall is actually blocking it.

dicko · October 20, 2021, 2:34am

This will be an ongoing problem I think

Should the FreePBX acme client be replaced by a more competent one that comfortably supports DNS-01 (likely rock solid on 99% of the deployments here) as well as the leaky HTTP-01 that actually allows any suspect intruder to write to your webserver (so don’t do that)

There Is no need for your server to directly participate in cert negotiation

sorvani · October 20, 2021, 2:38pm

This is a never ending disaster. So many LE issues over time with the solution they chose.

billsimon · October 20, 2021, 3:34pm

An issue I see here is that the Let’s Encrypt integration seems to be the promoted solution for FreePBX TLS certs.

Some folks, myself included, are happy to pay < $10/year for the Comodo/Sectigo certificates. The cost of “free” with LE is too high.

I would love to see Certificate Manager have some API hooks into e.g. Namecheap (https://www.namecheap.com/support/api/methods/). Buy and install a cert right from the FreePBX screen.

dicko · October 20, 2021, 5:21pm

Try acme.sh, it has an API for namecheap and can issue, install and automatically renew either zerossl (where the Issuing Authority is http://zerossl.crt.sectigo.com/ZeroSSLRSADomainSecureSiteCA.crt) or letsencrypt (Issuing authority is http://r3.i.lencr.org/) certs for free.

github.com

acmesh-official/acme.sh/blob/master/dnsapi/dns_namecheap.sh

#!/usr/bin/env sh

# Namecheap API
# https://www.namecheap.com/support/api/intro.aspx
#
# Requires Namecheap API key set in
#NAMECHEAP_API_KEY,
#NAMECHEAP_USERNAME,
#NAMECHEAP_SOURCEIP
# Due to Namecheap's API limitation all the records of your domain will be read and re applied, make sure to have a backup of your records you could apply if any issue would arise.

########  Public functions #####################

NAMECHEAP_API="https://api.namecheap.com/xml.response"

#Usage: dns_namecheap_add   _acme-challenge.www.domain.com   "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
dns_namecheap_add() {
  fulldomain=$1
  txtvalue=$2

This file has been truncated. show original

issue certs (just once)

acme.sh --issue -d yourdomain.com --dns dns_namecheap

Install certs (just once)

acme.sh -i --cert-file /etc/asterisk/keys/yourdomain.com.crt --key-file /etc/asterisk/keys/yourdomain.com.key --fullchain-file /etc/asterisk/keys/yourdomain.com.pem --reloadcmd "fwconsole cert --updateall;fwconsole reload; systemctl reload apache2" -d yourdomain.com

now you can remove your old cron job.

(If you are using another name service then

now has 136 other choices)

sorvani · October 20, 2021, 7:02pm

It shouldn’t be if they implemented something more robust. This is a problem of Sangoma’s making and something they are refusing to deal with for unknown reasons.

billsimon · October 20, 2021, 7:15pm

@dicko understood and I do use acme.sh on other projects. It’s great. My point however was that it would be nice to see built-in integrations like LE for other cert providers so that everything can be done from the comfort of FreePBX.

billsimon · October 20, 2021, 7:17pm

It was good when it was released, but like other components, has gotten stale. Certman needs some love. Might have to come from community developers.

dicko · October 20, 2021, 7:35pm

As would I, but it would appear that there is very little interest in doing anything but HTTP-01 for LetsEncrypt. So given that fact I offered a pragmatic fix for the interim.

system · November 20, 2021, 8:56pm

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.