I receive the following error when I attempt to generate a LetsEncrypt cert:
There was an error updating the certificate: Please check http://freepbx.race2escape.net/.well-known/acme-challenge/bPDCxIjHPhSw2laDk5flN36aTnKCTYh-X5ee52UhIPI - token not available
The error occurs regardless of firewall enabled or disabled.
Using curl on another system on a different external network successfully retrieves the URL when the firewall is disabled:
curl http://freepbx.race2escape.net/.well-known/acme-challenge/bPDCxIjHPhSw2laDk5flN36aTnKCTYh-X5ee52UhIPI
Are there any log files that I can check to determine what’s causing the failure of LE to verify the URL regardless of firewall setting?
I decided to utilize www.sslforfree.com, which delegates to Let’s Encrypt for the cert creation. I then used the manual upload feature of FreePBX to upload the certificate. The odd thing is that Let’s Encrypt successfully reached my FreePBX server to validate the ownership, but the automated process built into FreePBX does not complete successfully regardless of firewall status. If I knew which logs to check I could provide additional info.
I also have this “token not available” error.
Checked httpd logs and only see a request from 199.102.239.170, which is the freepbx.org IP, and no requests from Let’s Encrypt.
Just wanted to thank you, this was my issue too! As soon as I put the Hostname in SysAdmin to be the same thing as the Hostname in LetsEncrypt creation, it all worked perfectly!
I’m not sure why setting the hostname worked then. I checked permissions, updated modules, messed with the router, did a pcap on port 80, everything seemed to check out. When I changed the hostname it worked first try, super easy, no issues, no other changes.
Hot dang!! Well, what do you know, this worked for me as well. I have been mucking around for ages troubleshooting this. THANK YOU!!
My configuration is:
I have a hostname.domain.com that resolves to the public IP of the company firewall.
The company firewall allows the various letsencrypt/freepbx hosts through via a port forward to the PBX (port 80).
The PBX firewall also allows the various letsencrypt/freepbx hosts through.
I could bring up the generated token via http from several outside locations but it was still failing with the “token not available” error.
A quick change of the host name from the default uc-XXXXXXXXX to my hostname.domain.com, and voila, it worked first try. Now I am curious as to the actual mechanics of why this works. Interesting.
Could one of you who found this easy submit a Feature Request to make sure the hostname in the LE cert is set to the same host as identified by @jpaquin, or at least resolve this in software? I understand it’s an easy fix, but there should be a way to make this work automatically.
The “token not available” message occurs when the Lescript.php library does a self test and tries to download the token locally.
If curl http://your.letsencrypt.fqdn/robots.txt fails at the server console or in an ssh session, then LetsEncrypt will fail. This is almost always a result of internal DNS not properly resolving the FQDN and/or the router/firewall not supporting “NAT loopback.”
It’s not really necessary to change the hostname as long as the dns issue is fixed. Add the fqdn to the internal dns or the server’s /etc/hosts file.
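The self-test described in the post above can be reproduced by hand so that each failure mode (name does not resolve locally, name resolves but the PBX cannot reach itself, a different web server answers) is reported separately. The script below is an added example written for this page; it is not FreePBX code and not the Lescript.php self-test itself. It assumes the FreePBX document root is /var/www/html (override with WEBROOT), that the script can write into the acme-challenge directory, and that port 80 on the FQDN should land on this PBX.

```shell
#!/bin/sh
# Reproduce, from the PBX itself, the local token fetch that the FreePBX
# Let's Encrypt flow performs before asking the CA to validate.
# Usage: sh le-selftest.sh pbx.example.com
# Assumptions (not from the thread): WEBROOT is the PBX document root and
# this host is writable there; curl and getent are installed.
set -u

WEBROOT="${WEBROOT:-/var/www/html}"        # assumed FreePBX document root
CHALLENGE_DIR=".well-known/acme-challenge"

# Resolve a name the way local programs do (/etc/hosts first, then DNS).
# Prints the first address, or nothing if the name does not resolve.
resolve_fqdn() {
    getent hosts "$1" 2>/dev/null | awk 'NR==1 {print $1}'
}

# The /etc/hosts line that pins the FQDN to an address (the fix from the thread).
hosts_line() {
    printf '%s\t%s' "$2" "$1"
}

# Classify one fetch: $1 = curl exit status, $2 = token written, $3 = body received.
classify() {
    if [ "$1" -ne 0 ]; then
        echo "unreachable"     # no path from the PBX back to itself: NAT loopback / firewall
    elif [ "$2" = "$3" ]; then
        echo "ok"              # exactly what Lescript.php needs to see
    else
        echo "wrong-content"   # some web server answered, but not this PBX's webroot
    fi
}

self_test() {
    fqdn="$1"
    addr="$(resolve_fqdn "$fqdn")"
    if [ -z "$addr" ]; then
        echo "FAIL: $fqdn does not resolve on this host; add it to internal DNS or /etc/hosts, e.g.:"
        echo "  $(hosts_line "$fqdn" "<PBX LAN address>")"
        return 1
    fi
    echo "$fqdn resolves to $addr"

    # Publish a throwaway token, fetch it through the public name, then clean up.
    token="selftest-$$-$(date +%s)"
    mkdir -p "$WEBROOT/$CHALLENGE_DIR"
    printf '%s' "$token" > "$WEBROOT/$CHALLENGE_DIR/$token"
    body="$(curl -sS --max-time 10 "http://$fqdn/$CHALLENGE_DIR/$token")"
    rc=$?
    rm -f "$WEBROOT/$CHALLENGE_DIR/$token"

    result="$(classify "$rc" "$token" "$body")"
    case "$result" in
        ok)            echo "OK: token served back correctly; LE self-test should pass" ;;
        unreachable)   echo "FAIL: cannot fetch http://$fqdn/... from this host (NAT loopback or firewall)" ;;
        wrong-content) echo "FAIL: a web server answered but returned different content (wrong host or vhost)" ;;
    esac
    [ "$result" = "ok" ]
}

# Only run the network test when an FQDN is given on the command line.
if [ $# -ge 1 ]; then
    self_test "$1"
fi
```

Run it on the PBX console, not from an outside host: the whole point of the thread is that the token was fetchable from outside while the PBX could not fetch it from itself. If the first step fails, the hosts_line output is the entry to add; if the fetch is classified unreachable, the outside-in port forward is fine and it is the inside-out (hairpin) path that is missing.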