(this is a separate install from the one I posted about a couple hours ago, that one is still dead with a kernel panic at install)
Installed from SNG7-FPBX-64bit-2002-2.iso
LetsEncrypt cert request gets to the “verification pending” step, sleeps 1s and repeats that until it times out.
“There was an error updating the certificate: Verification timed out”
The file is in the acme-challenge dir and I can browse to it.
Have allowed the four FQDNs specified through the firewall on port 80 to FreePBX (port address translation). I’ve also briefly tried allowing all external IPs through on 80, same result.
Certificate Manager is 15.0.21
FreePBX 15.0.16.44
At the firewall I do see inbound attempts on port 80 during this process. Some are allowed and some are blocked. It seems like maybe the FQDN list is incomplete. But again, allowing all did not resolve the problem.
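A pre-flight check for the HTTP-01 path walked through in the post above (challenge file present, browsable, port 80 open), added here as an example; it is not FreePBX or Certificate Manager code. It plants a throwaway token under the webroot, checks that the file and every directory up to the webroot are readable and traversable by a user other than the owner (the class of ownership problem an `fwconsole chown` fixes; treating the web server as “other” is a simplification and an assumption of this example), then fetches the token over plain HTTP and compares the body, which is what the validator does. `demo()` serves a temporary webroot from a local Python HTTP server so the whole thing runs offline; the paths and hostname in the usage note are hypothetical.

```python
"""Pre-flight check for an ACME HTTP-01 challenge file (added example, not FreePBX code)."""
import functools
import os
import secrets
import shutil
import stat
import tempfile
import threading
import urllib.error
import urllib.request
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

URL_PATH = ".well-known/acme-challenge"   # path the ACME validator requests (RFC 8555 8.3)


def plant_token(webroot: str, token: str, key_authz: str) -> str:
    """Write <webroot>/.well-known/acme-challenge/<token> containing the key authorization."""
    directory = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(key_authz)
    return path


def permission_problems(webroot: str, path: str) -> list:
    """Findings if a process that is neither owner nor group member could not read the file.

    Assumption/simplification: the web server is treated as 'other'. On a real box,
    check against the user Apache/nginx actually runs as.
    """
    problems = []
    if not os.stat(path).st_mode & stat.S_IROTH:
        problems.append(f"{path} is not world-readable")
    top = os.path.abspath(webroot)
    current = os.path.dirname(path)
    while True:  # every directory from the file up to the webroot must be traversable
        if not os.stat(current).st_mode & stat.S_IXOTH:
            problems.append(f"directory {current} is not traversable by others")
        parent = os.path.dirname(current)
        if os.path.abspath(current) == top or parent == current:
            break
        current = parent
    return problems


def fetch_challenge(base_url: str, token: str, timeout: float = 5.0):
    """Fetch the token the way the validator does: plain HTTP, redirects followed."""
    url = f"{base_url.rstrip('/')}/{URL_PATH}/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("ascii", "replace").strip()
    except urllib.error.HTTPError as err:
        return err.code, ""
    except (urllib.error.URLError, OSError) as err:
        return None, str(err)


def check_http01(webroot: str, base_url: str, thumbprint: str = "EXAMPLE_THUMBPRINT") -> list:
    """Plant a random token, then report everything that would make HTTP-01 fail."""
    token = secrets.token_urlsafe(32)            # base64url, shaped like a real ACME token
    key_authz = f"{token}.{thumbprint}"          # RFC 8555 key authorization: token.thumbprint
    path = plant_token(webroot, token, key_authz)
    try:
        findings = permission_problems(webroot, path)
        status, body = fetch_challenge(base_url, token)
        if status != 200:
            findings.append(f"GET {URL_PATH}/{token} returned {status}: {body}")
        elif body != key_authz:
            findings.append("200 OK but wrong body (redirect to a login page or index?)")
    finally:
        os.remove(path)
    return findings


def demo() -> dict:
    """Serve a temporary webroot locally and run the check with good and bad permissions."""
    old_umask = os.umask(0o022)                  # so new files are 644 and dirs 755
    webroot = tempfile.mkdtemp()
    os.chmod(webroot, 0o755)                     # mkdtemp creates 700 by design
    handler = functools.partial(SimpleHTTPRequestHandler, directory=webroot)
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base_url = f"http://127.0.0.1:{server.server_address[1]}"
    try:
        good = check_http01(webroot, base_url)
        # Reproduce the ownership/mode failure: a parent directory the web server cannot enter.
        os.chmod(os.path.join(webroot, ".well-known"), 0o700)
        bad = check_http01(webroot, base_url)
    finally:
        server.shutdown()
        server.server_close()
        os.umask(old_umask)
        shutil.rmtree(webroot, ignore_errors=True)
    return {"good": good, "bad": bad}


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, findings or "OK")
```

Against a real system you would run something like `check_http01("/var/www/html", "http://pbx.example.com")` (hypothetical webroot and name) from a host outside your network: a fetch from the LAN says nothing about the firewall, and because Let’s Encrypt validates from addresses it does not publish, allowlisting source IPs is not a workable substitute for opening port 80 for the duration of the request.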
Aha.
After an fwconsole chown and allowing all inbound on port 80 we got a cert.
Seems to indicate a perms issue with the default install and missing hosts in required list:
To use Let’s Encrypt, you need to allow outbound port 443 traffic from the machines running your ACME client. We don’t publish the IP ranges for our ACME service, and they will change without notice.
If you have one of the 100 or so DNS services then
will save all sorts of frustration, and you won’t need any firewall thingies, as you can use DNS verification instead of HTTP, so no access to your webserver is necessary.
With respect, that is incorrect. LetsEncrypt does NOT require that; in fact, as I posted, they actually dis-require it and require instead that you will arbitrarily accept their ‘challenge’ from any “unpublished” IP.
So the FreePBX code is in fact non-compliant.
All the acme clients I have looked at have ‘hooks’ whereby you can disable the firewall as necessary for updates to be enabled. Using your DNS service instead is patently safer
I could tell you how criticizing FreePBX code has gone for me in the past. I’ll sum up with “poorly”.
I don’t doubt the accuracy of your assertion one bit. And I have been castigated for simply installing WebMin in the past, so tweaking the system is something I am very reticent to do.
Well, on the surface, that would sound fine, BUT the very nature of the LetsEncrypt HTTP-01 “Challenge” type is that it needs to write to your server. Now, true, the write will be only to _acme_challenge*, so it is up to you to only accept challenges ‘when expected’ for such writes from anyone; similarly, you would need to restrict that ‘write’ by content.
So approving anyone carte-blanche write access to your server and blindly thinking ‘that’s ok, we will consider trying to limit it by name, content or source’ (call that a firewall) has been shown in the past to be ‘not a good idea’.
Of the current ‘challenges’ accepted apart from that one, TLS-ALPN-01 is not mature enough, but DNS-01 is, and it is easily automated; it doesn’t touch your system in any way and is likely already approved and provided for by your “name-service”.
(Never think anyone here is cleverer than the often state funded ‘knuckle-draggers’ we are up against. )
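To make the HTTP-01 versus DNS-01 difference discussed above concrete, here is what each challenge type asks the client to publish, computed from one ACME account key as RFC 8555 specifies (key authorization = token “.” JWK thumbprint; thumbprint per RFC 7638). This is an added example, not FreePBX or Let’s Encrypt code, and the RSA modulus, token and domain are constructed sample values, not a real key or account. HTTP-01 puts the key authorization in a file your web server has to serve on port 80 to whoever asks; DNS-01 publishes only a SHA-256 digest of it in a TXT record at _acme-challenge.<name>, so the validator never contacts the host at all.

```python
"""HTTP-01 vs DNS-01 challenge responses from one account key (added example, not project code)."""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """base64url without '=' padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required public members only, keys sorted, no whitespace.

    Optional members such as 'kid' or 'alg' are deliberately excluded from the hash.
    """
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = required[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 8.1: the challenge token bound to the account key by its thumbprint."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_response(domain: str, token: str, jwk: dict) -> tuple:
    """(URL the validator fetches over plain HTTP, exact body it must receive)."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    return url, key_authorization(token, jwk)


def dns01_response(domain: str, token: str, jwk: dict) -> tuple:
    """(TXT record name, TXT value): base64url(SHA-256(key authorization)), RFC 8555 8.4."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return f"_acme-challenge.{domain}", b64url(digest)


# Constructed sample inputs: a fake 512-bit modulus (not a usable key) and a token-shaped string.
SAMPLE_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": b64url(bytes(range(1, 65))),
    "kid": "constructed-sample-account",   # ignored by the thumbprint, as the RFC requires
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
SAMPLE_DOMAIN = "pbx.example.com"


def demo() -> dict:
    """Both challenge responses for the sample key, side by side."""
    url, body = http01_response(SAMPLE_DOMAIN, SAMPLE_TOKEN, SAMPLE_JWK)
    name, txt = dns01_response(SAMPLE_DOMAIN, SAMPLE_TOKEN, SAMPLE_JWK)
    return {
        "http-01": {"serve_at": url, "body": body},
        "dns-01": {"txt_name": name, "txt_value": txt},
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Note that the TXT value is a digest, so it reveals nothing useful to anyone who reads the zone, and the record can be removed as soon as the order is valid; the HTTP-01 file, by contrast, has to be reachable by the validator’s unpublished addresses for the whole validation window.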