So, I am locked out of the admin web page despite restarting the device three times. The firewall is disabled yet I still cannot access it. Before this happened, I imported my SSL certificate and key, then saved. Then, I tried installing the certificate…it would not and suggested I import it, which I did, all was well…got the R3. However, I still got "unsecured" in the browser; so I changed the web admin port from 8080 to 2443. Now when I try to go to the page I get: Forbidden
You don’t have permission to access /.noindex.html on this server.
I can ssh in as root…that's about it. What could I do there?
I haven’t tried as I didn’t need to…I thought it was three times in 5 minutes…I wish one could make a backup from the GUI by just plugging in a USB drive…I am spoilt by Mac's awesome GUI, going on 35 yrs now.
Had you tried it (you did need to), you would likely not have had to rebuild everything. If you think FreePBX will ever work in MacOS or Windoze, no matter how ‘awesome’ you feel them to be, you will likely be sadly disappointed. But luckily for you, DNS records and IP filtering work much the same in all three.
Linux tools that will help you
whois
netstat
dig
From these you will see that your subdomain is not attached to your domain, but to an AWS instance, so nollisoftvoipserver needs to resolve to that AWS instance, and that instance would need unimpeded port 80 access for HTTP-01.
As previously suggested, DNS-01 does not have that limitation and you can then move on with your proxying.
By the way, I see Misk.com is your name service, but why have you not set up your DNS records properly there yet?
Not on the rebuilt however, on the troublemaker, yes several times…I think it had something to do with apache…
nollivoipserver is not resolvable on the web, only locally via SSL/TLS…I purposely wanted it that way and went through a great deal of learning curve to get the Let’s Encrypt certificate. Misk doesn’t support DNS NSUPDATE (RFC 2136), so I switched name server to Cloudflare so I could get the Let’s Encrypt certificate.
As I said, you need to fix that at your nameservice, right now it is Misk.com’s ‘placeholder’. You will need to add an A record (perhaps a CNAME) before you can go further.
DNS records take some time to propagate so substitute 8.8.8.8 and 4.2.2.1 for 1.1.1.1 to use other ‘well known’ resolvers. When they all agree with your AWS address then the acme protocol by any client should work as well as the client is capable of and Amazon’s acceptance of such use.
When you get all that working, acme.sh has a Cloudflare DNS plugin to make seamless ZeroSSL certs, always updated without any sweat and no need for Amazon compliance or firewall rules.
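The resolver check described above, as an added example that is not from the thread or any poster: it queries each of the three ‘well known’ resolvers for the host's A record and reports whether they all agree on the expected (AWS) address. It assumes `dig` (bind-utils / dnsutils) is installed; the hostname and address in the usage line are placeholders.

```bash
#!/usr/bin/env bash
# Added example: check that public resolvers agree on a host's A record
# before attempting an ACME HTTP-01 challenge. Assumes `dig` is installed.

RESOLVERS="1.1.1.1 8.8.8.8 4.2.2.1"

# Print the A records one resolver returns for a name, one per line, sorted.
# CNAME targets that `dig +short` prints are filtered out so only IPs remain.
query_a() {
  # $1 = resolver IP, $2 = hostname
  dig +short +time=3 +tries=1 @"$1" A "$2" 2>/dev/null | grep -E '^[0-9.]+$' | sort
}

# Return 0 when every resolver returns exactly the expected address, 1 otherwise.
# Each resolver's answer is printed so a lagging or stale resolver is obvious.
check_propagation() {
  # $1 = hostname, $2 = expected address (the AWS instance's public IP)
  name="$1"; expected="$2"; status=0
  for r in $RESOLVERS; do
    answer="$(query_a "$r" "$name")"
    if [ "$answer" = "$expected" ]; then
      echo "$r: $name -> $answer (ok)"
    else
      echo "$r: $name -> ${answer:-<no answer>} (expected $expected)"
      status=1
    fi
  done
  return $status
}

# Usage: ./check_dns.sh pbx.example.com 203.0.113.10   (placeholder values)
if [ $# -eq 2 ]; then
  check_propagation "$1" "$2"
fi
```

A non-zero exit means at least one resolver still returns the old placeholder record (or nothing), so wait and re-run before pointing an ACME client at the host.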
But, I don’t want it to resolve…it's not intended to be a destination from the world…it's only for local use so I could get the certificate for HAProxy as well as FreePBX. The destination is only the phone number.
That’s what I use on pfSense to get the certificate…then import into FreePBX.
Then it has, by definition, an associated domain, and that domain is what the certificate ‘guarantees’, and that is where TLS clients using that certificate will be sent to get such validated service. How do you square that with your requirement that it should not be resolvable?
I did and am awaiting a response…meanwhile I share here in case it’s an Apache or nginx problem…I know it’s been used by Apache but recall from the thread where you gave instructions to the person who did not want to leave port 80 open that nginx was mentioned.