Locked Out of Admin Web Page

So, I am locked out of the admin web page despite restarting the device three times. The firewall is disabled yet I still cannot access it. Before this happened, I imported my SSL certificate and key, then saved. Then, I tried installing the certificate…it would not and suggested I import it, which I did, all was well…got the R3. However, I still got unsecured in the browser; so I changed the web admin port from 8080 to 2443. Now when I try to go to the page I get: Forbidden

You don’t have permission to access /.noindex.html on this server.

I can ssh in as root…that’s about it. What could I do there?

It was better and faster to just reinstall the whole thing…configure later. The firewall should have an anti-lockout…really finicky!

It does, it is called ‘safe mode’

Firewall - PBX GUI - Documentation.

Safe mode was enabled if that’s the anti-lock out…didn’t work for unknown reason(s).

Did you reboot twice within 5 minutes on the system you apparently destroyed?

Now you have rebuilt everything, does it now work after rebooting twice in the stated time frame?

I haven’t tried as I didn’t need to…I thought it was three times in 5 minutes…I wish one could make a backup from the GUI by just plugging in a USB drive…I am spoilt by Mac’s awesome GUI going on 35 yrs now.

Had you tried it, (you did need to :slight_smile: ) you would likely not have had to rebuild everything. If you think FreePBX will ever work in MacOS or Windoze no matter how ‘awesome’ you feel them to be you will likely be sadly disappointed. But luckily for you, DNS records and IP filtering work much the same in all three.

Linux tools that will help you

whois
netstat
dig

From these you will see that your subdomain is not attached to your domain, but to an AWS instance, so the nollisoftvoipserver needs to resolve to that AWS instance and that instance would need unimpeded port 80 access for HTTP-01.
As previously suggested, DNS-01 does not have that limitation and you can then move on with your proxying.

By the way, I see Misk.com is your name service but why have you not set up your dns records properly there yet?

Not on the rebuilt one; however, on the troublemaker, yes, several times…I think it had something to do with apache…
nollivoipserver is not resolvable on the web, only locally via SSL/TLS…I purposely wanted it that way and went through a great deal of a learning curve to get the Let’s Encrypt certificate. Misk doesn’t support DNS-NSupdate RFC2136 so I switched name server to Cloudflare so I could get the Let’s Encrypt certificate.

As I said, you need to fix that at your nameservice, right now it is Misk.com’s ‘placeholder’. You will need to add an A record (perhaps a CNAME) before you can go further.

Did that at Cloudflare since they imported the file.

Apparently not working though.

So what file did cloudflare import?

I got the certificate so it must have updated the record at Cloudflare…I guess.

Not enough, you need DNS resolution also; use dig to do that and dig it using the cloudflare name server 1.1.1.1

dig A @1.1.1.1 nollivoipserver.nollisoft.com

(or whatever)

DNS records take some time to propagate so substitute 8.8.8.8 and 4.2.2.1 for 1.1.1.1 to use other ‘well known’ resolvers. When they all agree with your AWS address then the acme protocol by any client should work as well as the client is capable of and Amazon’s acceptance of such use.

When you get all that working, acme.sh has a cloudflare dns plugin to make seamless zerossl certs always updated without any sweat and no need for Amazon compliance or firewall rules
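The propagation check described above (dig the A record at several well-known resolvers and only proceed with the ACME client once they all agree), written out as a small POSIX shell script. This is an added example and not something posted in the thread; the hostname and resolver list are placeholders taken from the discussion, and the script assumes `dig` is installed.

```shell
#!/bin/sh
# Added example: check that several public resolvers return the same A record for a
# name before attempting an HTTP-01 ACME challenge. Not from the original thread.
# The hostname below is a placeholder copied from the discussion; replace as needed.
NAME_PLACEHOLDER="nollivoipserver.nollisoft.com"
RESOLVERS="1.1.1.1 8.8.8.8 4.2.2.1"

# normalize_answers: read raw `dig +short` output on stdin, keep only IPv4 answers
# (dig +short may also print a CNAME target), sort them, and print one space-separated line.
normalize_answers() {
  grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' | sort | tr '\n' ' '
}

# query_a <resolver> <name>: ask one resolver for the A record and normalize the answer.
query_a() {
  dig +short A "@$1" "$2" 2>/dev/null | normalize_answers
}

# all_agree <answer>...: succeed (exit 0) only when every answer is non-empty and identical.
# An empty answer means that resolver has not seen the record yet, i.e. not propagated.
all_agree() {
  first=""
  for a in "$@"; do
    [ -z "$a" ] && return 1
    if [ -z "$first" ]; then
      first="$a"
    elif [ "$a" != "$first" ]; then
      return 1
    fi
  done
  [ -n "$first" ]
}

# check_propagation <name>: query every resolver, print what each returned, and report
# whether they agree. Exit status 0 means "safe to run the ACME client now".
check_propagation() {
  name="$1"
  answers=""
  for r in $RESOLVERS; do
    ans="$(query_a "$r" "$name")"
    printf '%-10s -> %s\n' "$r" "${ans:-<no answer>}"
    answers="$answers\"$ans\" "
  done
  if eval "all_agree $answers"; then
    echo "All resolvers agree; HTTP-01 should reach the right host."
    return 0
  fi
  echo "Resolvers disagree or some have no record yet; wait and re-check."
  return 1
}

# Only perform live lookups when a hostname is passed on the command line,
# so the functions above can be sourced and tested offline.
if [ $# -gt 0 ]; then
  check_propagation "${1:-$NAME_PLACEHOLDER}"
fi
```

Run it as `sh check_dns.sh nollivoipserver.nollisoft.com` (placeholder name). The IPv4 filter in `normalize_answers` matters because `dig +short` prints the CNAME chain before the final address, which would otherwise make two resolvers that return the same address look different.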

But, I don’t want it to resolve…it’s not intended to be a destination from the world…it’s only for local use so I could get the certificate for HAproxy as well as FreePBX. The destination is only the phone number.

That’s what I use on pfSense to get the certificate…then import into FreePBX.

Then I can’t help you further, acceptable certs are public knowledge and of course the domain must be resolvable to provide service (duh!!).

Finding a client that will accept a self signed certificate in 2022 will be hard

HAProxy should be able to consume self signed certs, but that completely defeats its intention.

So good luck in your progression, you probably need a completely new compass though.

It’s not self-signed…it’s a genuine Let’s Encrypt certificate using Acme on pfSense.

Then it has by definition an associated domain, and that domain is what the certificate ‘guarantees’ and that is where TLS clients using that certificate will be sent to get such validated service; how do you square that with your requirement that it should not be resolvable?

Yes, it’s associated with nollicomm.net, a non-hosted registered domain, and will be validated by pfSense local DNS service…pfSense® software Configuration Recipes — Configuring DNS over TLS | pfSense Documentation look at the bottom of the page, although I am having problems getting it to work…see here: SSL/TLS For Local Domain Not Resolving

You should probably take this to the pfsense fora as it is probably at best an ‘edge case’ here.

I did and am awaiting a response…meanwhile I share here in case it’s an apache or nginx problem…I know it’s been used by apache but recall from the thread where you gave instructions to the person who did not want to leave port 80 open and nginx was mentioned.