Major FreePBX installation issues on Debian 12

When I run:

fwconsole certificates --generate --hostname=pbx.pupcostudios.com [email protected] --type=le --country-code=us --state=Ohio

I receive this in return:

Processing: pbx.pupcostudios.com, Local IP: 127.0.0.1, Public IP: 162.155.181.156
Self test: trying http://pbx.pupcostudios.com/.freepbx-known/696ccc90933f0fdf0610e12ce17bfae1
Self test: received 696ccc90933f0fdf0610e12ce17bfae1
lechecker: Pest_Json_Decode - Decoding error: Syntax error

   ** lechecker: Pest_Json_Decode - Decoding error: Syntax error

LetsEncrypt Update Failure:
Unable to update challenge :: authorization must be pending

I can run this:

echo -e "\n\nthis is a test...\nthis is only a test.\n\n" > /var/www/html/.freepbx-known/test
curl http://pbx.pupcostudios.com/.freepbx-known/test


this is a test...
this is only a test.

I tried updating certman and received this:

certman is the same as the online version, unable to upgrade

I am totally out of ideas. It’s something with FreePBX17 and not my setup. Searching all day gave me no solutions to the above error with Pest_Json_Decode.

The GUI should not be on port 80, that’s needed for Let’s Encrypt and set by you within Admin > System Admin > Port Management. Change the GUI port to 8080 and ensure port 80 is enabled for LE. Update your hostname to the same as your FQDN and follow the steps in 20tele’s YouTube video exactly. Stick to the GUI for this. Most people here have done this certificate creation and updates dozens, hundreds, even thousands of times; it’s highly unlikely to be a FreePBX issue.

Thanks, but all of that has been done. FQDN, User Interface on Port 8080, Let’s Encrypt on 80. Have been trying through the GUI all day. I followed the video exactly - stopped it step by step, and then proceeded. It’s not my configuration. I started trying things through the CLI as a last attempt. You see above I can curl through port 80 that is open for Let’s Encrypt, right?

At this point I would almost say reinstall, but I can’t even do that because Sangoma gave me no extra activations when they granted this one. I have a snapshot BEFORE I activated it, but that will do no good either.

This process should take 3 minutes. I also see that there are now two non-working PJSIP channels and an IP open that I never opened, which is an additional problem. Script kiddies? I don’t know how they got registered. They’re not in use but shouldn’t be there.

It does usually take 3 minutes. Hopefully someone else can add something to this. There’s a login page on port 80 as far as I can tell, or at least a reachable directory that I won’t post here. You don’t have a straightforward / standard setup that makes it easy to troubleshoot through a handful of forum posts. If you are reinstalling to the same machine, you shouldn’t need to unlock the deployment ID. Sorry, I can’t be of more help and good luck with it. K

EDIT: Deployment ID and licensing are primarily tied to hardware identifiers like the MAC address, and not the IP address.

I get a 403 forbidden error at port 80. No idea what you could access…

What do you mean by this? My IP never changed before, but I did initially deactivate it then this install I hadn’t deactivated the last one and it required reactivation. I thought maybe MAC address would need to be the same too?

What is the result of this when you run it from the system console?

curl -s https://acme-v02.api.letsencrypt.org/directory | jq .

Okay, @kierknoby you tipped me off when you said you found my restreamer server from the external address. So now I have given FreePBX a new external IP, but the only problem is that now the machine won’t change what it thinks the external IP is / (used to be) and therefore fails due to the conflict. I went to Asterisk SIP settings and changed it there, but no help.
This has all been a pfSense goof up…
@BlazeStudios

root@pbx:~# curl -s https://acme-v02.api.letsencrypt.org/directory | jq
-bash: jq: command not found

Weird, it’s installed on my system. You can do it without the jq . just try curl -s https://acme-v02.api.letsencrypt.org/directory

root@pbx:~# curl -s https://acme-v02.api.letsencrypt.org/directory
{
  "49SCOYt6tJw": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "profiles": {
      "classic": "https://letsencrypt.org/docs/profiles#classic",
      "shortlived": "https://letsencrypt.org/docs/profiles#shortlived (not yet generally available)",
      "tlsserver": "https://letsencrypt.org/docs/profiles#tlsserver"
    },
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.5-February-24-2025.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "renewalInfo": "https://acme-v02.api.letsencrypt.org/acme/renewal-info",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
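
The directory fetch requested above shows whether this host gets well-formed JSON back from Let's Encrypt. As an added example (not part of the thread and not FreePBX or certman code), the Python script below does that check without `jq`. The function name and sample bodies are constructed for illustration, and the idea that a non-JSON reply is behind the `Pest_Json_Decode` error is an assumption.

```python
import json

# Endpoints an ACME v2 client needs from the directory object (RFC 8555, section 7.1.1).
# Unknown keys, such as the random entry Let's Encrypt adds, are ignored.
REQUIRED = ("newNonce", "newAccount", "newOrder")

def check_acme_directory(body, expected_host="acme-v02.api.letsencrypt.org"):
    """Classify a body fetched from the ACME directory URL. Returns (ok, reason)."""
    text = body.strip()
    if not text:
        return False, "empty body (request blocked or connection reset?)"
    if text.startswith("<"):
        return False, "HTML/XML instead of JSON (proxy, portal or wrong server answered)"
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return False, f"JSON syntax error at char {exc.pos}: {exc.msg}"
    if not isinstance(doc, dict):
        return False, "JSON is not an object"
    for key in REQUIRED:
        url = doc.get(key)
        if not isinstance(url, str):
            return False, f"missing endpoint: {key}"
        # An endpoint on another host means something rewrote the response.
        if not url.startswith(f"https://{expected_host}/"):
            return False, f"{key} points off-host: {url}"
    return True, "directory looks valid"

# Constructed sample inputs (not captured from the poster's system).
GOOD = """{
  "49SCOYt6tJw": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order"
}"""
TRUNCATED = GOOD[:-2]  # body cut off before the closing brace
HTML = "<html><body>403 Forbidden</body></html>"

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1 and sys.argv[1] == "-":
        # Real use: pipe the curl output in and pass "-" as the argument.
        samples = {"stdin": sys.stdin.read()}
    else:
        samples = {"good": GOOD, "truncated": TRUNCATED, "html": HTML}
    for name, body in samples.items():
        print(name, check_acme_directory(body))
```

Saved under any file name, it takes the curl output on stdin when called with `-` as its only argument, and it runs the constructed samples when called with no arguments.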

I truly think changing FreePBX’s external port is going to resolve this.

Then again, I don’t think my configuration is going to work. Despite it working for years before. I’ll look into a bigger IP block so there is not so much NAT and proxying going on and it can have its very own IP. Will report back as soon as possible. Thanks.

Edited. Deployment ID and licensing are primarily tied to hardware identifiers like the MAC address, and not the IP address.

Sorry, I don’t want to cause any confusion here. I didn’t see the information above and just wanted to ask you:
Have you enabled your LE SSL certificate under Admin → System Admin → Port Management → HTTPS Address?

Thank you

Shahin

So the PBX is being NATed during all this?

Yes, it was and has been since the initial release of FreePBX17. Worked fine all this time until VoIPo went under and I tried to reconfigure things to work with VoIP.ms. I noticed there were a bunch of connections, dead mind you, from outside the network and decided the best approach was to reinstall. Now nothing wants to traverse my external IP. I had no idea that Let’s Encrypt was talking to a Restreamer server and not FreePBX; hence the okay reports from Let’s Debug.

I did A LOT of testing before setting this up to make sure FreePBX was available properly on the Internet and was finally satisfied everything was done properly. But… Something is majorly wrong, I can’t use that external IP for anything now and FreePBX is all that resides on it, so I am baffled by that.

You need to be more specific with a statement like this. What do you mean you can’t use the external IP for anything? Is it a static IP?