LetsEncrypt Generation Failure


(Nico) #1

Hello,
I have a problem and I am at the end of my knowledge. I have already read all the threads about it but cannot find a solution.
I currently have a Let's Encrypt certificate which will expire soon. But I cannot update it because I always get the error.

Self test error: Pest_Curl_Exec - Connection timed out after 5000 milliseconds
Does DNS for sub.domain.de resolve correctly? Local DNS result: xxx.xxx.205.109, External DNS result: xxx.xxx.205.109
Processing:sub.domain.de, Local IP: xxx.xxx.205.109, Public IP: xxx.xxx.205.109
Self test: trying http://sub.domain.de/.freepbx-known/ebd7d59be15252d963ef8ffc30bb770e
Self test error: Pest_Curl_Exec - Connection timed out after 5000 milliseconds

In pfSense I have already tested everything: I can access the Admin Portal, UCP etc. via the new subdomain, and the address is also resolved correctly, because I have entered an A record at the DNS provider. I have disabled the firewall, disabled the responsive firewall, and I also tried to update the certmanager via edge, but it is up to date (15.0.43). The port for Let's Encrypt is also enabled, and in the firewall the responsive Let's Encrypt rules are enabled as well. Nothing works, so now I need your help.

PBX Version: 15.0.17.43
PBX Distro: 12.7.8-2107-3.sng7
Asterisk Version: 16.9.0

so long


(Franck Danard) #2

Hi

Your system must be accessible from the WAN, and you must redefine your ports for HTTP and set port 80 for LE (Sysadmin, port management). Configure your FreePBX firewall to enable LE in Advanced settings under the Firewall menu.


#3

“pfSense Configuration Recipes — Accessing Port Forwards from Local Networks | pfSense Documentation” https://docs.netgate.com/pfsense/en/latest/recipes/port-forwards-from-local-networks.html


(Nico) #4

Hi,

Thanks for the answer, but where do I have to rebuild the ports? Here are my settings,

My machine is accessible from outside. I can reach every port: 8080, 81, 84 etc. The DDNS is showing me the right external IP. :thinking:

greetings


(Franck Danard) #5

I think your system must allow access on port 80 as well.


(Nico) #6

Port 80 is open and forwarded to the machine.


(Franck Danard) #7

And what about :


(Nico) #8

It's enabled; I cannot do more?!


(Lorne Gaetz) #9

You will get verbose output from the command line if you do:

fwconsole cert --updateall

#10

That doesn’t make it accessible from the machine itself. See my previous post. If you believe that this isn’t your issue, confirm or refute it by testing with curl or wget.


#11

Post results of:

echo -e "\n\nthis is a test...\nthis is only a test.\n\n" > /var/www/html/.freepbx-known/test
curl http://sub.domain.de/.freepbx-known/test

The current LE library does a self-test. It’s a third party library the FreePBX devs are not likely to be modifying.

The machine must be accessible from itself by its own DNS name.

This is almost always an internal vs external DNS issue and/or a NAT loopback (reflection in pfsense jargon) issue.

The easiest fixes are enabling loopback at the router, or adding the DNS name to the machine's hosts file pointing it to the local IP or localhost. I think either is hack-ish, but they get the job done.


(Nico) #12

Hi,

Thanks for your tips I have now figured out what the problem was.

  1. In pfSense I switched to Pure NAT, so the test folders were accessible from outside.
    But a certificate was still not created; the same error message came up again and again. You already said that it is an internal DNS problem on the machine.
  2. I changed the hostname to the certificate hostname, and voila, on the first go I got the new certificate.

I don’t know if this is intentional, but for me it doesn’t make sense to run a server that is only available internally and has a different domain structure, but I have to use a hostname for the external domain. With Synology this works without any problems.

But well, I have solved the problem and will hopefully have no more problems soon. Thanks for all the help.

Greetings


#13

You don’t have to. There are at least four simple fixes:

  1. Your method (the most restrictive) - hostname and cert name match
  2. Add the cert name to the PBX’s hosts file, pointing to the local IP or localhost. This is probably the best option when DNS or Firewall config are problematic or not under the PBX admin’s control.
  3. Properly configured internal DNS
  4. Enable NAT Loopback at the router
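The self-test from post #11 and the four fixes from post #13, combined into one shell script that reproduces the check the LE library performs and maps the curl result onto the likely cause. This is an added example, not code from the thread or from FreePBX; it assumes the challenge directory is /var/www/html/.freepbx-known as shown above, and the `classify_result`, `advice` and `run_selftest` function names are my own.

```shell
#!/bin/sh
# Reproduce the FreePBX Let's Encrypt self-test by hand: drop a token file into the
# challenge directory, then fetch it via the PBX's own DNS name with a 5 s timeout,
# exactly as the library does. Assumed challenge directory (from the thread):
DOCROOT="${DOCROOT:-/var/www/html/.freepbx-known}"
TOKEN="selftest-$$"   # constructed token name, unique per run

# Map curl's exit status and the HTTP code onto a diagnosis.
classify_result() {
  curl_rc="$1"; http_code="$2"
  case "$curl_rc" in
    0)  case "$http_code" in
          200) echo "ok" ;;
          404) echo "wrong-docroot" ;;   # a web server answered, but not this challenge dir
          *)   echo "http-$http_code" ;;
        esac ;;
    6)  echo "dns" ;;          # curl: could not resolve host
    7)  echo "refused" ;;      # nothing listening on :80 at the resolved address
    28) echo "timeout" ;;      # the thread's symptom: packets leave, nothing comes back
    *)  echo "curl-$curl_rc" ;;
  esac
}

# Advice per diagnosis, following the fixes listed in posts #11 and #13.
advice() {
  case "$1" in
    ok)            echo "Self-test path reachable from the PBX; LE renewal should pass." ;;
    dns)           echo "Name does not resolve on the PBX: fix internal DNS or add a hosts entry." ;;
    timeout)       echo "Resolves but hangs: enable NAT reflection on the router, or point the name at the local IP in /etc/hosts." ;;
    refused)       echo "Port 80 not answering: check Sysadmin port management and the firewall LE rule." ;;
    wrong-docroot) echo "Reached a web server, but not the PBX challenge directory: check the forward target." ;;
    *)             echo "Unexpected result ($1); run 'fwconsole cert --updateall' for verbose output." ;;
  esac
}

# Full check against a hostname: local resolution, token fetch, diagnosis.
run_selftest() {
  host="$1"
  resolved="$(getent hosts "$host" | awk '{print $1; exit}')"
  echo "Local DNS result for $host: ${resolved:-<none>}"
  mkdir -p "$DOCROOT" && echo "self-test $TOKEN" > "$DOCROOT/$TOKEN"
  http_code="$(curl -s -o /dev/null --max-time 5 -w '%{http_code}' "http://$host/.freepbx-known/$TOKEN")"
  rc=$?
  rm -f "$DOCROOT/$TOKEN"
  diag="$(classify_result "$rc" "$http_code")"
  echo "Diagnosis: $diag"
  advice "$diag"
}

if [ -n "$1" ]; then run_selftest "$1"; fi
```

Run it on the PBX as `sh selftest.sh sub.domain.de`; a `timeout` diagnosis is the NAT loopback case from this thread, a `dns` diagnosis is the hosts-file or internal DNS case.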