Letsencrypt Creation Problem


#1

I’m having trouble creating a new letsencrypt certificate. I actually had a certificate but deleted it when I was having the same trouble updating it.

This is a new install. I have the firewall set up. I have port 80 forwarded to my PBX machine in the router, and this has been working in the past so I don’t think this is the problem. It looks to me like I get the token. I see the following error message:

Getting list of URLs for API
Requesting new nonce for client communication Account already registered.
Continuing.
Sending registration to letsencrypt server
Sending signed request to https://acme-v02.api.letsencrypt.org/acme/new-acct Account: https://acme-v02.api.letsencrypt.org/acme/acct/46671200
Starting certificate generation process for domains Requesting challenge for freepbx.jfervin.dyndns.org Sending signed request to https://acme-v02.api.letsencrypt.org/acme/new-order
Sending signed request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/8517817120
Got challenge token for freepbx.jfervin.dyndns.org Token for freepbx.jfervin.dyndns.org saved at /var/www/html/.well-known/acme-challenge/-filename- and should be available at http://freepbx.jfervin.dyndns.org/.well-known/acme-challenge/-filename-

So it looks like I have the token in the acme-challenge subdirectory, but at the end, the Cert manager says:

There was an error updating the certificate: Please check http://freepbx.jfervin.dyndns.org/.well-known/acme-challenge/-filename- - token not available

But, like I said, there is a file with that name in the subdirectory. The subdirectory has 755 and the files have 644 bits set, so things should be able to read them.

Suggestions? I just installed this system 2 days ago.

FreePBX 15.0.16.78 (on dashboard)
Certman 15.0.34
Firewall 15.0.6.34
Current Asterisk Version: 16.13.0


#2

So, it seems like the token is there in a subdirectory on the FreePBX system, and the certman doesn’t seem to be able to see or get it somehow. I think I have the firewall set up in the standard way: port 80, letsencrypt rule enabled in firewall advanced settings, http is set to a different port. But evidently, it’s not the firewall and it’s not the port since I have the file in the subdirectory. Weird.


(Jared Busch) #3

Log in to the console and stop the firewall

fwconsole firewall disable

Then try to get the cert. If it works, then you know there is a problem with the firewall.
If it still fails, then there is a problem someplace else.


#4

Had no effect. I’m really not a guru with the certificate / certman system on FreePBX.


(Bob Reiber) #5

I’m not sure why there is a delay but sometimes I’ve had to wait a few minutes after disabling the firewall before I could generate a certificate. If you did it seconds after disabling the firewall maybe try it again.


(Jared Busch) #6

I’ve not had that problem if I use the disable command. But the stop command seems to not always stay stopped.


#7

A disable/stop should be almost immediate now.


#8

There’s an every 15 minute cron job that will restart a stopped but not disabled firewall.


#9

Does the host name “freepbx.jfervin.dyndns.org” resolve to the internal IP from inside the LAN? If not, does the router support loopback?

If no to either, try adding the FQDN to /etc/hosts as:

127.0.0.1 freepbx.jfervin.dyndns.org
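A local walk through the three things this thread is checking (file and directory permissions under the webroot, how the name resolves from inside the LAN, and what the challenge URL actually serves), added here as example code rather than anything from the thread or from FreePBX's certman; the function names, the demo token, and the injectable resolver/fetch hooks are assumptions.

```python
import ipaddress
import os
import socket
import tempfile
import urllib.request

# Added diagnostic for this thread's symptom; function names and sample token are assumptions.
CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")

def token_file_readable(webroot, token):
    """Token must be o+r (644) and webroot, .well-known and acme-challenge o+x (755)."""
    path = os.path.join(webroot, CHALLENGE_DIR, token)
    if not os.path.isfile(path):
        return False, "missing: " + path
    if not os.stat(path).st_mode & 0o004:  # others lack read permission
        return False, "not world-readable: " + path
    for d in (webroot, os.path.join(webroot, ".well-known"), os.path.dirname(path)):
        if not os.stat(d).st_mode & 0o001:  # others cannot traverse this directory
            return False, "not world-traversable: " + d
    return True, path

def lan_view_is_private(domain, resolver=socket.gethostbyname):
    """False: the FQDN resolves to the WAN IP from here, so the NAT loopback question in #9 applies."""
    return ipaddress.ip_address(resolver(domain)).is_private

def http_get(url):  # real fetch; tests inject a fake one instead
    return urllib.request.urlopen(url, timeout=10).read().decode()

def token_served(domain, token, expected, fetch=http_get):
    """GET the challenge URL the way the CA does and compare the body with the file."""
    url = "http://%s/.well-known/acme-challenge/%s" % (domain, token)
    try:
        body = fetch(url)
    except Exception as exc:
        return False, "fetch failed (firewall, port forward or vhost?): %s" % exc
    if body.strip() != expected.strip():
        return False, "served content differs from the file (wrong document root?)"
    return True, url

def make_demo_webroot(token="demo-token", content="demo-token.keyauth"):
    """Constructed sample: temporary webroot holding one 755/644 token file."""
    webroot = tempfile.mkdtemp()
    cdir = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(cdir)
    for d in (webroot, os.path.dirname(cdir), cdir):
        os.chmod(d, 0o755)
    with open(os.path.join(cdir, token), "w") as fh:
        fh.write(content)
    os.chmod(os.path.join(cdir, token), 0o644)
    return webroot, token, content
```

Run `token_served` with the real `http_get` from a machine outside the LAN as well as from inside: a success outside and a failure inside points at the loopback question, while a failure in both points at the web server or firewall.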