Let's Encrypt generation problem

Hello everyone, who can help me?
I have a problem generating an SSL certificate.

Error shows that you have DNS set incorrectly.

It won’t work if DNS points to an internal IP address.

I use a virtual machine on VMware and I pointed the domain to the static address of the FreePBX server. Can you help me, please?

As I told you.

$ dig +short pbx1.newtechsn.com. a
192.168.1.24

It will not work with the DNS pointing to a private IP address.
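The check made with `dig` above can be automated. The following is an added example, not part of the thread and not FreePBX code: it parses `dig +short` output and reports whether each returned address is one that Let's Encrypt's validation servers, which connect from the public internet, could reach. The function names `classify` and `check_dig_output` are hypothetical, and requiring every returned address to be public is a conservative assumption.

```python
import ipaddress

# RFC 6598 shared address space (carrier-grade NAT); not routable from the internet.
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def classify(addr):
    """Return 'public', or the reason the address is unreachable from the internet."""
    ip = ipaddress.ip_address(addr)  # raises ValueError for non-addresses
    if ip.is_global:
        return "public"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.version == 4 and ip in CGNAT:
        return "carrier-grade NAT"
    if ip.is_private:
        return "private"
    return "reserved"


def check_dig_output(text):
    """Parse `dig +short` output; return (ok, [(address, classification), ...])."""
    results = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # blank line or dig comment
        try:
            results.append((line, classify(line)))
        except ValueError:
            continue  # CNAME target or other non-address line
    # HTTP validation needs at least one address, and none that is unroutable.
    ok = bool(results) and all(kind == "public" for _, kind in results)
    return ok, results


if __name__ == "__main__":
    sample = "192.168.1.24\n"  # the answer shown in the thread
    ok, results = check_dig_output(sample)
    for addr, kind in results:
        print(f"{addr}: {kind}")
    print("HTTP validation can reach this host" if ok
          else "HTTP validation cannot reach this host")
```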

What solution do you propose?

Point the DNS to a public address that is routed to the server used for validation.

Ok thank you I will try it again

There are more competent solutions for no-cost SSL certification that don’t need FreePBX nor their ancient and broken ACME client to be involved, no firewall nor httpd rules either,
In my case

it just works and I have previously posted the FreePBX recipe :wink:

When I point to the public address it takes me to the administration inside of my internet router

Thank you

However you get your certification, you will need to use the FreePBX fwconsole ‘certificates’ interface to remove old shit, import your working ones and then set that as the default. After that, disable/delete the whole FreePBX certification module; that will successfully set your /etc/asterisk/keys and /etc/asterisk/keys/integrations, having previously set acme.sh to post-install the key and cert to /etc/asterisk/keys

There are over 100 supported name servers that can use the DNS protocol over HTTP; you probably use one of them already.

Ok thank you I will try it

Seems like you need to read up on NAT and port forwarding. You’ll need to port forward appropriate ports for your environment from your router/firewall to allow traffic to hit your phone system. This includes Let’s Encrypt validation requests and inbound calls from your SIP trunk provider (if you are using a SIP trunk provider upstream).

Not if you use the DNS protocol; I suggest you try it. (Or carry on beating a dying horse :wink: )

The native Certificate module doesn’t support DNS verification, and from the broader context of questions being asked here by the OP, it seems like deploying custom certificate management facilities would be outside the skill set of the OP.

Maybe I am making a bunch of unwarranted assumptions here but I thought figuring out NAT and port forwarding might be an easier topic to handle as they will have to figure that part out if they plan on being able to answer incoming calls on this phone system anyway.

Exactly, the native ACME client is not very competent even at successfully applying a valid SSL certificate using the HTTP protocol, so is also currently outside the skill set of FreePBX itself :wink:

I’m confident that this OP will be able to fix it and be very happy with using the DNS protocol, @dobrosavljevic maybe you should try it yourself :wink: