LetsEncrypt: "There was an error updating the certificate: Verification timed out"

Can’t renew LetsEncrypt cert.

outbound1.letsencrypt.org, outbound2.letsencrypt.org, mirror1.freepbx.org, mirror2.freepbx.org are excluded in the Firewall. (Sorry for dumb formatting, new users can’t put links in posts.)

Ran a packet capture whilst requesting the cert. It gets all the way to the acme challenge from remote servers. My server sends back a 200 OK.

Then I see a BUNCH of SYNs from the same servers that my server never responds to. The remote servers keep retransmitting the SYNs, but after a while, seeing that I’m not responding, they give up.

I’m very confused. Sadly I don’t know where I can even look at logs to see what’s happening.

There are other threads here. The LE validation can come from anywhere now, the only reliable way is to dedicate port 80 to LE renewal, and open it to the world.

Ok so if I change my Admin port to, let’s say, 8080 (in the port management menu in the System Admin module), it would be “safe” to open port 80 in the firewall since my web interface is no longer on port 80?

I will not say if it’s safe or not. I will say that’s what I do on my own system and I sleep fine at night. With port 80 dedicated to LE, the only thing accessible to the ’net is the LE verification string, and only if you know the filename. It does advertise the existence of a service on 80 which could theoretically be leveraged for a DoS.

2 Likes

Ok I understand.
Here’s what I just did (it seems to work):
In System Admin, Port Management
Assigned port 8080 to Admin and port 80 to Let’s Encrypt
In the Firewall, Services, assigned Let’s Encrypt to the Internet Zone.
I was then able to generate the LE certificate.
I will monitor all my other systems to check if they have issues with the renewal of certificates. If they do have issues, I will apply the same changes.

1 Like

Are you switching the ports back after successfully generating the certificate or leaving it as is?

@sangoma, every other acme client has a “renew hook” which is commonly used to open up a pinhole on your firewall for a minute or so every two months if you are limited to HTTP-01 challenges. Why should the FreePBX one not add that post-haste?

2 Likes
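
The two posts above describe the same trade-off from both sides: HTTP-01 validation can arrive from any Let’s Encrypt address, so port 80 has to be reachable from the whole Internet, but it only has to be reachable for the minute the challenge runs. The script below is an added example written for this thread, not FreePBX, Sangoma or certbot code. It implements the “pinhole” idea as a pre/post hook on a plain iptables host whose INPUT chain normally drops port 80; the install path, the `letsencrypt-pinhole` comment tag and the `DRY_RUN`/`LE_PORT` variables are assumptions of this example. On a FreePBX box the Firewall module owns the iptables rules, so the same open/close pair would have to be applied through that module rather than with raw iptables.

```shell
#!/bin/sh
# le-pinhole.sh: open TCP/80 only while the ACME HTTP-01 challenge runs,
# then close it again. Added example for this thread, not FreePBX or
# certbot code. Assumes a plain iptables host whose INPUT chain normally
# drops port 80 (on FreePBX the Firewall module manages iptables instead).
# Usage: le-pinhole.sh open|close   (DRY_RUN=1 prints the command only)

LE_PORT="${LE_PORT:-80}"          # port the ACME client listens on (assumed default 80)
DRY_RUN="${DRY_RUN:-0}"           # 1 = print the rule instead of applying it
RULE_TAG="letsencrypt-pinhole"    # comment tag so the exact rule can be found and removed

# pinhole_rule ACTION -> prints the iptables command for ACTION (open|close).
# -I inserts the ACCEPT at the top of INPUT so it takes precedence over the
# default drop; -D deletes that exact rule again once renewal is done.
pinhole_rule() {
  case "$1" in
    open)  op="-I" ;;
    close) op="-D" ;;
    *)     return 1 ;;
  esac
  printf 'iptables %s INPUT -p tcp --dport %s -m comment --comment %s -j ACCEPT\n' \
    "$op" "$LE_PORT" "$RULE_TAG"
}

# run_pinhole ACTION -> executes (or, under DRY_RUN=1, prints) the command.
# Returns 2 on a bad action so a typo in the hook never leaves port 80 open.
run_pinhole() {
  cmd=$(pinhole_rule "$1") || { echo "usage: $0 open|close" >&2; return 2; }
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$cmd"
  else
    $cmd
  fi
}

# Only act when invoked with an argument, so the file can also be sourced.
if [ $# -gt 0 ]; then
  run_pinhole "$1"
fi
```

With certbot, whose `--pre-hook` and `--post-hook` options run before and after each actual renewal attempt, the pinhole is wired in as `certbot renew --pre-hook "/usr/local/sbin/le-pinhole.sh open" --post-hook "/usr/local/sbin/le-pinhole.sh close"` (the path is an assumption). Because the post-hook deletes by the exact rule text, the close step is idempotent-safe to re-run, and `iptables -S INPUT | grep letsencrypt-pinhole` is a quick check that nothing was left open after a failed run.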

Another take for the rightfully wary: you all have a DNS name you are paying for, right?

How much? For around $10/yr, Cloudflare, NameCheap and a couple of others will service you nicely, with the added benefit of using DNS-01 challenges for your LetsEncrypt certs, which require no access to your server, ever! Just backend privileged access to your name servers’ API tokens.

In his words, it takes 3 minutes to learn. Certs are issued quietly in the background and with a little extra ‘one time effort’ you can “install/deploy” against Apache2 (Debian), HTTPD (CentOS), Asterisk (all of us), FreePBX’s “fwconsole certificates” and anything else you need TLS for.

3 Likes
