LetsEncrypt certificate token not available

I receive the following error when I attempt to generate a LetsEncrypt cert:
There was an error updating the certificate: Please check h://freepbx.race2escape.net/.well-known/acme-challenge/bPDCxIjHPhSw2laDk5flN36aTnKCTYh-X5ee52UhIPI - token not available

The error occurs regardless of firewall enabled or disabled.

Using curl on another system on a different external network successfully retrieves the URL when the firewall is disabled:
curl h://freepbx.race2escape.net/.well-known/acme-challenge/bPDCxIjHPhSw2laDk5flN36aTnKCTYh-X5ee52UhIPI

Are there any log files that I can check to determine what’s causing the failure of LE to verify the URL regardless of firewall setting?

Please check /var/log/asterisk/ucp_error. What about the hostname? LE is very troublesome.

UCP has nothing to do with this.

Just tested freepbx-14, I also get the same error (firewall disabled):
There was an error updating the certificate: Error 'Requested host 'www.hiastar.com' does not resolve to '222.244.64.147' (Found 118.178.122.195)' when requesting http://www.hiastar.com//.freepbx-known/b7679e6150271727461a514094e54680

I decided to utilize h://www.sslforfree.com which delegates to Let’s Encrypt for the cert creation. I then used the manual upload feature of FreePBX to upload the certificate. The odd thing is that Let’s Encrypt successfully reached my FreePBX server to validate the ownership, but the automated process built into FreePBX does not complete successfully regardless of firewall status. If I knew which logs to check I could provide additional info.

I also have this “token not available” error.
Checked httpd logs and only see a request from 199.102.239.170 which is freepbx.org IP and no requests from letsencrypt.

199.102.239.170 - - [07/May/2018:17:43:11 +0000] "GET /.freepbx-known/68138d20c33d23d102b89d0749eb4591 HTTP/1.1" 200 32 "-" "-"

Are there any logs or other ways to diagnose this error?

In Admin->System Admin->Hostname I put in the hostname that LetsEncrypt was trying to find and voila everything worked.

I had this issue. I could see the request for that URL coming through my pfSense firewall, but it wasn’t coming from a LetsEncrypt mirror.

I tried every iteration of firewall configuration in FreePBX, but that was the final piece needed to make it work.


Just wanted to thank you, this was my issue too! As soon as I put the Hostname in SysAdmin to be the same thing as the Hostname in LetsEncrypt creation, it all worked perfectly!

This should probably be in the cert manager wiki…

No because you don’t need to do this.

I’m not sure why setting the hostname worked then. I checked permissions, updated modules, messed with the router, did a pcap on port 80, everything seemed to check out. When I changed the hostname it worked first try, super easy, no issues, no other changes.

Perhaps it’s specific to certain environments.

Well, darn. That worked. Thanks.


Hot dang!! Well, what do you know, this worked for me as well. I have been mucking around for ages troubleshooting this, THANK YOU!!

My configuration is:

  • I have a hostname.domain.com that will resolve to the public IP of the company Firewall
  • the company firewall allows the various letsencrypt/freepbx hosts through via a port forward to the PBX (port 80)
  • the PBX firewall also allows the various letsencrypt/freepbx hosts through

I could bring up the generated token via http from several outside locations but it was still failing with the “token not available” error.

A quick change of the hostname from the default uc-XXXXXXXXX to my hostname.domain.com and voila, it worked first try. Now I am curious as to the actual mechanics of why this works. Interesting.


Thank you, Jacques Paquin. Your hostname solution fixed the certificate renewal problem for me too!


Many, many thanks Jacques Paquin! It really works!!!


Sweet baby Jesus in the manger jpaquin, that worked perfectly! We seem to have a similar setup with pfSense and nothing else I did worked!

Could one of you that found this facile submit a Feature Request to make sure the hostname in the LE cert is set to the same host as identified by @jpaquin or at least resolve this in software. I understand it’s an easy fix, but there should be a way to make this work automatically.

This is awesome! After 2 hours of troubleshooting.

Wow! Your solution fixed my problem!! Thank you!

For the record…

The “token not available” message occurs when the Lescript.php library does a self test and tries to download the token locally.

If curl http://your.letsencrypt.fqdn/robots.txt fails at the server console or in an ssh session, then LetsEncrypt will fail. This is almost always a result of internal DNS not properly resolving the FQDN and/or the router/firewall not supporting "NAT loopback."

It's not really necessary to change the hostname as long as the DNS issue is fixed. Add the FQDN to the internal DNS or the server's /etc/hosts file.

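As an added example (not from this thread, FreePBX or Lescript.php), the self test described in the last post done by hand from the PBX console: it writes a token into the webroot, fetches it back through the public FQDN from the server itself, and says which of the causes named above applies. The webroot path, the challenge directory and the verdict words are assumptions.

```shell
# Manual version of the Lescript.php self test: drop a token in the webroot,
# fetch it through the public FQDN from the PBX itself, and classify a failure.
# WEBROOT, the challenge directory and the verdict words are assumptions.
WEBROOT="${WEBROOT:-/var/www/html}"
CHALLENGE_DIR=".well-known/acme-challenge"

# First IPv4 address the FQDN resolves to on this box (internal DNS, /etc/hosts).
resolve_fqdn() {
    getent ahostsv4 "$1" 2>/dev/null | awk 'NR == 1 { print $1 }'
}

# Addresses bound to local interfaces, space separated.
local_addrs() {
    hostname -I 2>/dev/null || true
}

# Fetch a URL as the self test would; prints the body, nothing on failure.
fetch_url() {
    curl -fsS --max-time 10 "$1" 2>/dev/null || true
}

# Prints OK, NO_DNS, NAT_LOOPBACK or WEBSERVER; returns 0 only for OK.
diagnose() {
    fqdn="$1"; token="$2"
    resolved=$(resolve_fqdn "$fqdn")
    body=$(fetch_url "http://$fqdn/$CHALLENGE_DIR/$token")
    if [ "$body" = "$token" ]; then
        echo OK; return 0
    elif [ -z "$resolved" ]; then
        echo NO_DNS        # fix: add the FQDN to internal DNS or /etc/hosts
    elif echo " $(local_addrs) " | grep -qF " $resolved "; then
        echo WEBSERVER     # name points at this host: check httpd, webroot, local firewall
    else
        echo NAT_LOOPBACK  # resolves to the public IP, but the router does not hairpin it
    fi
    return 1
}

# Create the token, run the check, clean up. Usage: sh acme_selftest.sh pbx.example.com
main() {
    token="selftest-$(date +%s)"   # constructed token, not an ACME-issued one
    mkdir -p "$WEBROOT/$CHALLENGE_DIR"
    printf '%s' "$token" > "$WEBROOT/$CHALLENGE_DIR/$token"
    diagnose "$1" "$token"; rc=$?
    rm -f "$WEBROOT/$CHALLENGE_DIR/$token"
    return $rc
}
if [ -n "${1:-}" ]; then main "$1"; fi
```

A NO_DNS or NAT_LOOPBACK verdict matches the /etc/hosts fix above; WEBSERVER means the name already points at the PBX and the problem is local to httpd or its firewall.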