LetsEncrypt debug needed

I have a double NAT setup. ports are forwarded correctly. Canyouseeme.com shows port 80 open when I try to do lets encrypt.
I have a FQDN which is a subdomain that correctly points to the FreePBX system UC40.
I was able to get this working ONCE in April 2020, and never again. All the same hardware and ISP.
I was not able to renew. I can never generate a certificate with this freepbx gui. I watched videos from crosstalk solutions, read all the info I could get my hands on, but I cannot find out why it times out.
now, when I try to generate a certificate and the system takes about 5 minutes before it times out.
How can I view the reasons for the time out? any debug?

I generated a REAL SSL certificate with a private key.
I copy and paste to the import certificate in FreePBX but I dont know how to generate the rest of the information for keys and so I go back to letsencrypt

My DNS A RECORD points to my PBX system, but browsers usually flag it as not secure and wont let me open, with chrome, i can bypass that message.
subdomain.domain.com my subdomain is my internal IP address, my domain is set to my ISP external IP address . I dont think i would have my subdomain set as my first NAT ip address that is forwarding all info to the second pfsense system.

https://dnschecker.org/ for the subdomain shows the internal network address for the UC40
the domain shows the external ISP internet ip address. is this the way?

LetsEncrypt Generation Failure

JWS has an invalid anti-replay nonce: "0101t38DHq6w4JpDUgXXXXXXXXXXXXXXXXXXXXXXXX"

  • Requested host ‘subdomainXX.DomainXX.com’ does not resolve to ‘ISP IP ADDRESS’ (Resolved to ‘192.168.1.XXX’ instead)

Processing: subdomainXX.DomainXX.com, Local IP:, Public IP: 192.168.1.XXX Self test: trying http://subdomainXX.DomainXX.com/.freepbx-known/72de79daXXXXXXXXXXXXXX Self test: received 72de79daXXXXXXXXXXXXXX Requested host ‘subdomainXX.DomainXX.com’ does not resolve to 'ISP IPADDRESS ’ (Resolved to ‘192.168.1.XXX’ instead) Getting list of URLs for API Requesting new nonce for client communication Account already registered. Continuing. Sending registration to letsencrypt server Sending signed request to https://acme-v02.api.letsencrypt.org/acme/new-acct

Is there anyone that knows how to troubleshoot letsencrypt with Freepbx? I am able to get it to work with pfsense, qnap devices, and other devices. It worked before they changed the letsencrypt default ip addresses

I’ve watched all the videos, read all the guides. I cannot figure this out. I even paid crosstalk solutions to help me a year ago, but the person was not able to figure out why it would not register, hours of troubleshooting with them. Is there someone out there smart enough to figure out this issue?

any thoughts?

Just to be sure:

Your have domain.xyz which is pointing to your Public IP-Address?

And subdomain.domain.xyz which is pointing to your local PBX IP?

If yes there are 2 Options:

  1. Point your subdomain.domain.xyz to your public IP as well and use local DNS rewrites
  2. Use the DNS-Challenge and create a wildcard certificate (idk if FreePBX supports it

Thank you for this reminder! :slight_smile:

“Apache” + “Ubuntu 20” for me. Did you try?

x x x x
I also looked at these pages:
With Apache: How To Secure Apache with Let's Encrypt on Ubuntu 20.04 | DigitalOcean

With Nginx: How To Secure Nginx with Let's Encrypt on Ubuntu 20.04 | DigitalOcean

x x x x x x
Where to add server name.

[email protected]:/etc/apache2/sites-available$ cat pangolin.“something”.com.conf

Hello world! :slight_smile:
I’ve read your post again and I installed the certificate successfully yesterday only with some minor hazzle…! It was fairly straingt forward with little interaction, for a change!

I never came to your issues… My set uo is Ubuntu 20.04 + Apache. You don’t write about your set up.

I’ve documented my work, my set-up. Try the link to Certbot.

So my subdomain now has two a records that points to the isp ip address and the pbx ip address and the domain a record points to the isp ip address. this still made the install hang. for pfsense I did an nmap for my pbx ip address, and the ports are open. I log into my device using the subdomain instead of the ip address, and also set my host name to the same name. it just hangs. so i dont see any other way than to have my subdomain point to my pbx and my domain point to my isp since I cannot access the gui with my subdomain if I dont point it correctly.

I have some old keys in ls -lash /etc/asterisk/keys/

from the first time i had a LE cert in April 2020
I have a self signed cert i did with following

And I have tried to create LE certificates with Certbot but i need to import them and i dont have a passphrase. i followed these instructions FOOD FOR THOUGHT - Enable HTTPS with Let's Encrypt | Page 2 | The VoIP-info Forum
but perhaps I need to delete the old certificates that dont show in the GUI as they may be interfering with LE generation with GUI.
what commands to use to remove keys one by one?
I can first remove my self signed key via gui since UCP or ZULU wont work anyway with that. the rest of the keys are only seen via ls -lash /etc/asterisk/keys/ , but how to delete them?

ls -lash /etc/asterisk/keys/
4.0K drwxrwxr-x. 5 asterisk asterisk 4.0K Dec 19 21:21 .
12K drwxrwxr-x. 5 asterisk asterisk 8.0K Dec 16 20:54 …
0 drwxr-xr-x 2 asterisk asterisk 43 Apr 11 2020 _account
4.0K -rw------- 1 asterisk asterisk 1.7K May 29 2020 api_oauth.key
4.0K -rw------- 1 asterisk asterisk 451 May 29 2020 api_oauth_public.key
4.0K -rw-rw-r-- 1 asterisk asterisk 1.7K Apr 7 2020 Glendale.key
0 drwxrwxr-x. 2 asterisk asterisk 71 Dec 16 17:36 integration
4.0K -rw-rw-r-- 1 asterisk asterisk 1.7K Nov 2 2020 mecert.key
4.0K -rw-rw-r–. 1 asterisk asterisk 1.0K Dec 16 17:36 .rnd
4.0K -rw-rw-r-- 1 asterisk asterisk 1.7K Nov 2 2020 securesipcert.key
0 drwxrwxr-x 2 asterisk asterisk 113 Apr 12 2020 subdomain.domain.com
4.0K -rw------- 1 asterisk asterisk 3.4K Dec 19 21:21 SSLCert-ca-bundle.crt
4.0K -rw------- 1 asterisk asterisk 1.8K Dec 19 21:21 SSLCert.crt
8.0K -rw------- 1 asterisk asterisk 5.2K Dec 19 21:21 SSLCert-fullchain.crt
4.0K -rw------- 1 asterisk asterisk 1.7K Dec 19 21:21 SSLCert.key
8.0K -rw------- 1 asterisk asterisk 6.8K Dec 19 21:21 SSLCert.pem

How do I delete keys, what command should I use. I would just delete the keys that don’t show up in the GUI. I think this is preventing a new LE to register

deletion of old keys needed. what should I do?

fwconsole certificates --updateall


fwconsole certificates --list


fwconsole certificates --delete=n

then, if needed

fwconsole certificates --default=n

there were keys in this folder that did not show up in the GUI
ls -lash /etc/asterisk/keys/

so then i ran the command rm /etc/asterisk/keys/filenameofoldKEY.key
to delete old files from 2020 that worked back then, but somehow at the 2 month point, the LE cert would not renew. So I figured that was causing it to not work.
on a new install what files and directories should show up in the asterisk/keys directory?
The only Error I am getting is that its not resolving to my ISP IP address and instead resolving to my local pbx address.
JWS has an invalid anti-replay nonce: "0002q6xqUJF9GMnpyFpHwlvHSDm4X_kTCiFLNf2z6A9a2ls"

  • Requested host ‘subdomain.domain.com’ does not resolve to ‘ISPAddress’ (Resolved to ‘192.168.1.X’ instead)

i am searching the internet trying to find a solution. SOLVED - Let's Encrypt Issue | The VoIP-info Forum

is there a guide on using certbot to create acme certificate with freepbx? step by step without missing steps?

I watched this video. I created the .pem files
I copied the .pem files to my asterisk/keys/ folder
How do I get freepbx to import thse pem files to create a certificate.
Also for some reason when i copied the .pem files, they are now red.
ls -l shows this
cert.pem → …/…/archive/subdomain.domain.com/cert1.pem
but its in red. if its archived, then why not a .tar file?

try using the format of whatever.name.com.key and whatever.name.come.cert ( not *.pem)

certbot creates *.pem files how can i use those with freepbx. I can run certbot with no issues, just like the above video. its the integrated LE GUI module that seems to not work for my UC40 box.

Rename them, cp them to /etc/astersk/keys and import them as above.

Best all done in the certbot deploy-hook script.

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.