Lets Encryt certificate generation error


I get this error generating Lets Encrypt certificate. FQDN is correctly configured, and port 80 is accesible from the Internet. I have no idea about this error:

What can I do?


I found the solution on this post (thanks to @Bradbpw):

Hostname must be same as FQDN.


I’m gonna guess that you have a website running on port 80 or that your firewall is actually blocking it.

This will be an ongoing problem I think

Should the FreePBX acme client be replaced by a more competent one that comfortably supports DNS-01 (likely rock solid on 99% of the deployments here) as well as the leaky HTTP-01 that actually allows any suspect intruder to write to your webserver (so don’t do that)

There Is no need for your server to directly participate in cert negotiation

This is a never ending disaster. So many LE issues over time with the solution they chose.

An issue I see here is that the Let’s Encrypt integration seems to be the promoted solution for FreePBX TLS certs.

Some folks, myself included, are happy to pay < $10/year for the Comodo/Sectigo certificates. The cost of “free” with LE is too high.

I would love to see Certificate Manager have some API hooks into e.g. Namecheap (https://www.namecheap.com/support/api/methods/). Buy and install a cert right from the FreePBX screen.


Try acme.sh, it has an API for namecheap and can issue, install and automatically renew either zerossl (where the Issuing Authority is http://zerossl.crt.sectigo.com/ZeroSSLRSADomainSecureSiteCA.crt) or letsencrypt (Issuing authority is http://r3.i.lencr.org/) certs for free.

issue certs (just once)

acme.sh --issue -d yourdomain.com --dns dns_namecheap

Install certs (just once)

acme.sh -i --cert-file /etc/asterisk/keys/yourdomain.com.crt --key-file /etc/asterisk/keys/yourdomain.com.key --fullchain-file /etc/asterisk/keys/yourdomain.com.pem --reloadcmd "fwconsole cert --updateall;fwconsole reload; systemctl reload apache2" -d yourdomain.com

now you can remove your old cron job.

(If you are using another name service then

now has 136 other choices)

1 Like

It shouldn’t be if they implemented something more robust. This is a problem of Sangoma’s making and something they are refusing to deal with for unknown reasons.

1 Like

@dicko understood and I do use acme.sh on other projects. It’s great. My point however was that it would be nice to see built-in integrations like LE for other cert providers so that everything can be done from the comfort of FreePBX.

It was good when it was released, but like other components, has gotten stale. Certman needs some love. Might have to come from community developers.

As would I, but it would appear that there is very little interest in doing anything but HTTP-01 for LetsEncrypt. So given that fact I offered a pragmatic fix for the interim.

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.