LetsEncrypt certificate token not available


(R2E) #1

I receive the following error when I attempt to generate a LetsEncrypt cert:
There was an error updating the certificate: Please check h://freepbx.race2escape.net/.well-known/acme-challenge/bPDCxIjHPhSw2laDk5flN36aTnKCTYh-X5ee52UhIPI - token not available

The error occurs regardless of firewall enabled or disabled.

Using curl on another system on a different external network successfully retrieves the URL when the firewall is disabled:
curl h://freepbx.race2escape.net/.well-known/acme-challenge/bPDCxIjHPhSw2laDk5flN36aTnKCTYh-X5ee52UhIPI

Are there any log files that I can check to determine what’s causing the failure of LE to verify the URL regardless of firewall setting?


(James Zhu) #2

Please check /var/log/asterisk/ucp_error. What about the hostname? LE is very troublesome.


(Andrew Nagy) #3

Ucp has nothing to do with this


(James Zhu) #4

Just tested freepbx-14, I also get the same error (firewall disabled):
There was an error updating the certificate: Error 'Requested host 'www.hiastar.com' does not resolve to '222.244.64.147' (Found 118.178.122.195)' when requesting http://www.hiastar.com//.freepbx-known/b7679e6150271727461a514094e54680


(R2E) #5

I decided to utilize h://www.sslforfree.com which delegates to Let’s Encrypt for the cert creation. I then used the manual upload feature of FreePBX to upload the certificate. The odd thing is that Let’s Encrypt successfully reached my FreePBX server to validate the ownership, but the automated process built into FreePBX does not complete successfully regardless of firewall status. If I knew which logs to check I could provide additional info.


(ahtoh) #6

I also have this “token not available” error.
Checked httpd logs and only see a request from 199.102.239.170 which is freepbx.org IP and no requests from letsencrypt.

199.102.239.170 - - [07/May/2018:17:43:11 +0000] "GET /.freepbx-known/68138d20c33d23d102b89d0749eb4591 HTTP/1.1" 200 32 "-" "-"

Are there any logs or another way to diagnose this error?
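The httpd access log is the most useful evidence in this thread: the post above shows a request for /.freepbx-known/<token> arriving from a freepbx.org address, while the ACME challenge path never shows up at all. The script below is an added example for this thread, not FreePBX code. It parses Apache common/combined-format access-log lines, keeps only requests for the two validation paths that appear in this thread (/.freepbx-known/ and /.well-known/acme-challenge/), reports which source IPs requested them and with what status, and includes a hostname-to-IP check modelled on the "does not resolve to" error quoted earlier. The first sample log line is the one quoted above; the other two, the 203.0.113.x/198.51.100.x addresses and the user-agent strings are constructed. The assumption that the /.freepbx-known/ fetch is FreePBX's own pre-check, done before Let's Encrypt is contacted, is taken from the posts in this thread, not from FreePBX documentation.

```python
"""Diagnose Let's Encrypt / FreePBX validation traffic from an Apache access log.

Added example for this thread (not FreePBX's code). Sample log lines below are
constructed, except the first, which is the line quoted in the thread.
"""
import re
import socket
from collections import defaultdict

# Apache common/combined log format; only the leading fields are needed here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Path prefixes seen in this thread: the FreePBX pre-check and the real ACME challenge.
FREEPBX_PRECHECK = "/.freepbx-known/"
ACME_CHALLENGE = "/.well-known/acme-challenge/"
VALIDATION_PATHS = (FREEPBX_PRECHECK, ACME_CHALLENGE)

# Constructed sample data (line 1 copied from the thread; 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges, the user-agents are made up).
SAMPLE_LOG = """\
199.102.239.170 - - [07/May/2018:17:43:11 +0000] "GET /.freepbx-known/68138d20c33d23d102b89d0749eb4591 HTTP/1.1" 200 32 "-" "-"
203.0.113.10 - - [07/May/2018:17:43:15 +0000] "GET /.well-known/acme-challenge/bPDCxIjHPhSw2laDk5flN36aTnKCTYh-X5ee52UhIPI HTTP/1.1" 404 210 "-" "constructed-acme-validator/1.0"
198.51.100.7 - - [07/May/2018:17:43:20 +0000] "GET /admin/config.php HTTP/1.1" 302 0 "-" "curl/7.58.0"
"""


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def validation_requests(log_text):
    """Return only the requests that hit a validation path, in log order."""
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"].startswith(VALIDATION_PATHS):
            out.append(rec)
    return out


def summarize(records):
    """Group validation requests by source IP: ip -> [(path, status), ...]."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append((r["path"], r["status"]))
    return dict(by_ip)


def diagnose(log_text):
    """Turn the log into a short list of findings a troubleshooter can act on."""
    recs = validation_requests(log_text)
    findings = []
    if not recs:
        # Nothing reached httpd at all: DNS, port-80 forwarding or a firewall is in the way.
        findings.append("no validation requests reached httpd: check DNS, port-80 forwarding and firewall")
        return findings
    for r in recs:
        if r["status"] != 200:
            # The validator got through but the token file was not served.
            findings.append(f"{r['ip']} got HTTP {r['status']} for {r['path']}: token file missing or blocked")
    if not any(r["path"].startswith(ACME_CHALLENGE) for r in recs):
        # Matches the symptom in the thread: only the pre-check from freepbx.org arrives.
        findings.append("only the FreePBX pre-check hit the server; no ACME challenge request seen")
    return findings


def check_resolution(hostname, expected_ip, resolve=socket.gethostbyname):
    """Reproduce the 'does not resolve to' check quoted in the thread.

    `resolve` is injectable so the check can run without DNS (e.g. in a test);
    by default it does a real lookup.  Returns None when the hostname resolves
    to the expected public IP, otherwise a message in the same shape as FreePBX's.
    """
    found = resolve(hostname)
    if found == expected_ip:
        return None
    return f"Requested host '{hostname}' does not resolve to '{expected_ip}' (Found {found})"


if __name__ == "__main__":
    for ip, hits in summarize(validation_requests(SAMPLE_LOG)).items():
        print(ip, hits)
    for finding in diagnose(SAMPLE_LOG):
        print("finding:", finding)
```

To run it against a real server, feed the contents of the httpd access log to `diagnose()` and pass the PBX's public IP (the one the port forward lands on) to `check_resolution()`; an empty result from `validation_requests()` together with a mismatch from `check_resolution()` points at DNS or hostname configuration rather than the firewall, which is consistent with the hostname fix reported later in this thread.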


(Jacques Paquin) #7

In Admin->System Admin->Hostname I put in the hostname that LetsEncrypt was trying to find and voila everything worked.

I had this issue. I could see the request for that URL coming through my pfSense firewall, but it wasn’t coming from a LetsEncrypt mirror.

I tried every iteration of firewall configuration in FreePBX, but that was the final piece needed to make it work.


(Pavle Milanovic) #8

Just wanted to thank you, this was my issue too! As soon as I put the Hostname in SysAdmin to be the same thing as the Hostname in LetsEncrypt creation, it all worked perfectly!


(Michael Cramer) #9

This should probably be in the cert manager wiki…


(Andrew Nagy) #10

No because you don’t need to do this.


(Michael Cramer) #11

I’m not sure why setting the hostname worked then. I checked permissions, updated modules, messed with the router, did a pcap on port 80, everything seemed to check out. When I changed the hostname it worked first try, super easy, no issues, no other changes.

Perhaps it’s specific to certain environments.


#12

Well, darn. That worked. Thanks.


(MarkC) #13

Hot dang!! Well, what do you know, this worked for me as well. I have been mucking around for ages troubleshooting this. THANK-YOU!!

My configuration is:

  • I have a hostname.domain.com that will resolve to the public IP of the company Firewall
  • the company firewall allows the various letsencrypt/freepbx hosts through via a port forward to the PBX (port 80)
  • the PBX firewall also allows the various letsencrypt/freepbx hosts through

I could bring up the generated token via http from several outside locations but it was still failing with the “token not available” error.

A quick change of the host name from the default uc-XXXXXXXXX to my hostname.domain.com and voila, worked first try. Now I am curious as to the actual mechanics of why this works. Interesting.


#14

Thank you, Jacques Paquin. Your host-name solution fixed the certificate renewal problem for me too!


(Maxyca) #15

Many, many thanks Jacques Paquin! It really works!!!


(Corebiztech) #16

Sweet baby jesus in the manger jpaquin, that worked perfectly! We seem to have a similar setup with pfSense and nothing else I did worked!


(Dave Burgess) #17

Could one of you that found this facile submit a Feature Request to make sure the hostname in the LE cert is set to the same host as identified by @jpaquin or at least resolve this in software. I understand it’s an easy fix, but there should be a way to make this work automatically.