LetsEncrypt certificate token not available

I receive the following error when I attempt to generate a LetsEncrypt cert:
There was an error updating the certificate: Please check h://freepbx.race2escape.net/.well-known/acme-challenge/bPDCxIjHPhSw2laDk5flN36aTnKCTYh-X5ee52UhIPI - token not available

The error occurs regardless of firewall enabled or disabled.

Using curl on another system on a different external network successfully retrieves the URL when the firewall is disabled:
curl h://freepbx.race2escape.net/.well-known/acme-challenge/bPDCxIjHPhSw2laDk5flN36aTnKCTYh-X5ee52UhIPI

Are there any log files that I can check to determine what’s causing the failure of LE to verify the URL regardless of firewall setting?

please check the /var/log/asterisk/ucp_error, what about the hostname? LE is very troublesome.

Ucp has nothing to do with this

just test freepbx-14, I also generate same error(disable firewall):
There was an error updating the certificate: Error ‘Requested host ‘www.hiastar.com’ does not resolve to ‘’ (Found’ when requesting http://www.hiastar.com//.freepbx-known/b7679e6150271727461a514094e54680

I decided to utilize h://www.sslforfree.com which delegates to Let’s Encrypt for the cert creation. I then used the manual upload feature of FreePBX to upload the certificate. The odd thing is that Let’s Encrypt successfully reached my FreePBX server to validate the ownership, but the automated process built into FreePBX does not complete successfully regardless of firewall status. If I knew which logs to check I could provide additional info.

I also have this “token not available” error.
Checked httpd logs and only see a request from which is freepbx.org IP and no requests from letsencrypt. - - [07/May/2018:17:43:11 +0000] “GET /.freepbx-known/68138d20c33d23d102b89d0749eb4591 HTTP/1.1” 200 32 “-” “-”

Is there any logs or other way to diagnose this error?

In Admin->System Admin->Hostname I put in the hostname that LetsEncrypt was trying to find and voila everything worked.

I had this issue. I could see the request for that URL coming through my pfSense firewall, but it wasn’t coming from a LetsEncrypt mirror.

I tried every iteration of firewall configuration in FreePBX, but that was the final piece needed to make it work.


Just wanted to thank you, this was my issue too! As soon as I put the Hostname in SysAdmin to be the same thing as the Hostname in LetsEncrypt creation, it all worked perfectly!

This should probably be in the cert manager wiki…

No because you don’t need to do this.

I’m not sure why setting the hostname worked then. I checked permissions, updated modules, messed with the router, did a pcap on port 80, everything seemed to check out. When I changed the hostname it worked first try, super easy, no issues, no other changes.

Perhaps it’s specific to certain environments.

Well, darn. That worked. Thanks.

1 Like

Hot dang !! Well what do you know, this worked for me as well. I have been mucking around for ages troubleshooting this, THANK-YOU !!

My configuration is:

  • I have a hostname.domain.com that will resolve to the public IP of the company Firewall
  • the company firewall allows the various letsencrypt/freepbx hosts through via a port forward to the PBX (port 80)
  • the PBX firewall also allows the various letsencrypt/freepbx hosts through

I could bring up the generated token via http from several outside locations but it was still failing with the “token not available” error.

A quick change of the host name from the default uc-XXXXXXXXX to my hostname.domain.com
and voila. worked first try. now I am curious as to the actual mechanics of why this works. interesting

1 Like

Thank you, Jacques Paquin. Your host-name solution fixed the certificate renewal problem for me too!

1 Like

Many many thanks Jacques Paquin! It’s really works!!!

1 Like

Sweet baby jesus in the manger jpaquin, that worked perfectly! We seem to have a similar setup with pfsense and nothing else I did worked!

Could one of you that found this facile submit a Feature Request to make sure the hostname in the LE cert is set to the same host as identified by @jpaquin or at least resolve this in software. I understand it’s an easy fix, but there should be a way to make this work automatically.

This is awesome! after 2 hours troubleshooting.

Wow! your solution fix my problem!! Thank you!

For the record…

The “token not available” message occurs when the Lescript.php library does a self test and tries to download the token locally.

If curl http://your.letsencrypt.fqdn/robots.txt fails at the server console or an ssh session, then LetsEncrypt will fail. Almost always a result of internal dns not properly resolving the fqdn and/or the router/firewall not supporting “nat loopback.”

It’s not really necessary to change the hostname as long as the dns issue is fixed. Add the fqdn to the internal dns or the server’s /etc/hosts file.