Letsencrypt Creation Problem

I’m having trouble creating a new letsencrypt certificate. I actually had a certificate but deleted it when I was having the same trouble updating it.

This is a new install. I have the firewall set up. I have port 80 forwarded to my PBX machine in the router, and this has been working in the past so I don’t think this is the problem. It looks to me like I get the token. I see the following error message:

Getting list of URLs for API
Requesting new nonce for client communication
Account already registered. Continuing.
Sending registration to letsencrypt server
Sending signed request to https://acme-v02.api.letsencrypt.org/acme/new-acct
Account: https://acme-v02.api.letsencrypt.org/acme/acct/46671200
Starting certificate generation process for domains
Requesting challenge for freepbx.jfervin.dyndns.org
Sending signed request to https://acme-v02.api.letsencrypt.org/acme/new-order
Sending signed request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/8517817120
Got challenge token for freepbx.jfervin.dyndns.org
Token for freepbx.jfervin.dyndns.org saved at /var/www/html/.well-known/acme-challenge/-filename- and should be available at http://freepbx.jfervin.dyndns.org/.well-known/acme-challenge/-filename-

So it looks like I have the token in the acme-challenge subdirectory, but at the end, the Cert manager says:

There was an error updating the certificate: Please check http://freepbx.jfervin.dyndns.org/.well-known/acme-challenge/-filename- - token not available

But, like I said, there is a file with that name in the subdirectory. The subdirectory has 755 and the files have 644 bits set, so things should be able to read them.

Suggestions? I just installed this system 2 days ago.

FreePBX 15.0.16.78 (on dashboard)
Certman 15.0.34
Firewall 15.0.6.34
Current Asterisk Version: 16.13.0

So, it seems like the token is there in a subdirectory on the FreePBX system, and the certman doesn’t seem to be able to see or get it somehow. I think I have the firewall setup in the standard way, port 80, letsencrypt rule enabled in firewall advanced settings, http is set to a different port. But evidently, it’s not the firewall and it’s not the port since I have the file in the subdirectory. weird.

Log in to the console and stop the firewall

fwconsole firewall disable

Then try to get the cert. If it works, then you know there is a problem with the firewall.
If it still fails, then there is a problem someplace else.

Had no effect. I’m really not a guru with the certificate / certman system on FreePBX.

I’m not sure why there is a delay but sometimes I’ve had to wait a few minutes after disabling the firewall before I could generate a certificate. If you did it seconds after disabling the firewall maybe try it again.

I’ve not had that problem if I use the disable command. But the stop command seems to not always stay stopped.

A disable/stop should be almost immediate now.

There’s an every 15 minute cron job that will restart a stopped but not disabled firewall.

Does the host name “freepbx.jfervin.dyndns.org” resolve to the internal IP from inside the LAN? If not, does the router support loopback?

If no to either, try adding the fqdn to /etc/hosts as:

127.0.0.1 freepbx.jfervin.dyndns.org
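The replies above amount to a manual procedure: check that the FQDN resolves, work out whether the PBX can reach its own port 80 through that address (hairpin NAT or an /etc/hosts override), and confirm that the challenge URL actually serves the token file. The script below does those three checks in one pass from the PBX host, the same way the ACME server will fetch the token (plain HTTP, redirects followed). It is an added example written for this thread, not code from FreePBX or certman; the hostname, port, webroot and token name in the built-in demo are constructed for illustration, and the real check is run by passing the URL and token path from the certman log on the command line.

```python
"""Self-check for an ACME HTTP-01 challenge, run from the PBX host itself.

Added example for the thread above, not FreePBX/certman code. It resolves the
FQDN in the challenge URL, reports whether that address is local to this host
(otherwise hairpin NAT or an /etc/hosts entry is needed), then fetches the URL
and compares the body with the token file certman wrote.
"""
import os
import socket
import sys
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlparse

CHALLENGE_DIR = ".well-known/acme-challenge"


def resolve(host):
    """Return the IPv4 address the host resolves to, or None on DNS failure."""
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None


def address_is_local(ip):
    """True if `ip` is bound to an interface on this host (a UDP bind succeeds)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        try:
            s.bind((ip, 0))
            return True
        except OSError:
            return False


def fetch_challenge(url, timeout=10.0):
    """Fetch the challenge URL like the ACME server does. Returns (status, body, error)."""
    req = urllib.request.Request(url, headers={"User-Agent": "acme-selfcheck"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(), ""
    except urllib.error.HTTPError as e:          # server answered, but not 2xx
        return e.code, b"", str(e)
    except (urllib.error.URLError, OSError) as e:  # no route, refused, timeout
        return None, b"", str(e)


def check_challenge(url, token_path):
    """Run the three checks and return a dict: resolved_ip, local, status, ok, note."""
    host = urlparse(url).hostname or ""
    ip = resolve(host)
    result = {"host": host, "resolved_ip": ip, "local": None, "status": None, "ok": False, "note": ""}
    if ip is None:
        result["note"] = "FQDN does not resolve: DNS / dyndns problem"
        return result
    result["local"] = address_is_local(ip)
    notes = []
    if not result["local"]:
        notes.append("resolves to a non-local address; needs router hairpin NAT or an /etc/hosts override")
    status, body, err = fetch_challenge(url)
    result["status"] = status
    if status != 200:
        notes.append("fetch failed: %s" % (err or status))
        result["note"] = "; ".join(notes)
        return result
    with open(token_path, "rb") as f:
        expected = f.read().strip()
    if body.strip() != expected:
        notes.append("URL answers 200 but body differs from the token file: wrong vhost or port mapping")
        result["note"] = "; ".join(notes)
        return result
    result["ok"] = True
    result["note"] = "; ".join(notes + ["token reachable and matches the file"])
    return result


class _QuietHandler(SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo server silent
        pass


def run_local_demo():
    """Constructed demo: serve a fake token from a temp webroot on 127.0.0.1 and check it."""
    webroot = tempfile.mkdtemp(prefix="acme-selfcheck-")
    os.makedirs(os.path.join(webroot, CHALLENGE_DIR))
    token_name = "example-token"                          # constructed, not a real token
    token_path = os.path.join(webroot, CHALLENGE_DIR, token_name)
    with open(token_path, "w") as f:
        f.write("example-token.example-thumbprint\n")     # HTTP-01 body is token.thumbprint
    srv = ThreadingHTTPServer(("127.0.0.1", 0), partial(_QuietHandler, directory=webroot))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        base = "http://127.0.0.1:%d/%s/" % (srv.server_address[1], CHALLENGE_DIR)
        good = check_challenge(base + token_name, token_path)
        missing = check_challenge(base + "does-not-exist", token_path)
    finally:
        srv.shutdown()
        srv.server_close()
    return {"good": good, "missing": missing}


if __name__ == "__main__":
    # usage: python3 acme_selfcheck.py <challenge URL> <token file path>   (no args: loopback demo)
    if len(sys.argv) == 3:
        print(check_challenge(sys.argv[1], sys.argv[2]))
    else:
        for name, r in run_local_demo().items():
            print(name, r)
```

Run it on the PBX with the URL and the saved-token path from the certman log. If `local` is False and the fetch fails, the host cannot reach its own public address from inside the LAN, which is the case the /etc/hosts suggestion above addresses; if the fetch returns 200 but the body does not match, port 80 is reaching a different web server or vhost than the one certman writes into.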
