New install, LetsEncrypt setup issue

(This is a separate install from the one I posted about a couple of hours ago; that one is still dead with a kernel panic at install.)

Installed from SNG7-FPBX-64bit-2002-2.iso

The LetsEncrypt cert request gets to the “verification pending” step, sleeps 1s and repeats that until it times out.

“There was an error updating the certificate: Verification timed out”

The file is in the acme-challenge dir and I can browse to it.

I have allowed the four specified FQDNs through the firewall on port 80 to FreePBX (port address translation). I’ve also briefly tried allowing all external IPs through on 80, same result.

Certificate Manager is 15.0.21
FreePBX 15.0.16.44

At the firewall I do see inbound attempts on port 80 during this process. Some are allowed and some are blocked. It seems like maybe the FQDN list is incomplete. But again, allowing all did not resolve the problem.

Aha.

After an fwconsole chown and allowing all inbound on port 80 we got a cert.

This seems to indicate a perms issue with the default install and missing hosts in the required list:

mirror1.freepbx.org
mirror2.freepbx.org
outbound1.letsencrypt.org
outbound2.letsencrypt.org

Notably:

To use Let’s Encrypt, you need to allow outbound port 443 traffic from the machines running your ACME client. We don’t publish the IP ranges for our ACME service, and they will change without notice.

We don’t block anything outbound. It’s inbound connections on port 80 that I’m seeing blocked, even with the four FQDNs allowed.

Note:

“. . . We don’t publish the IP ranges for our ACME service, and they will change without notice.”

If you have one of the 100 or so DNS services, then

will save all sorts of frustration, and you won’t need any firewall thingies, as you can use DNS verification instead of HTTP, so no access to your web server is necessary.

I am endeavoring to be compliant to avoid non-compliance being blamed for issues.

With respect, that is incorrect. LetsEncrypt does NOT require that; in fact, as I posted, they actually dis-require it and require instead that you will arbitrarily accept their ‘challenge’ from any “unpublished” IP.

So the FreePBX code is in fact non-compliant :wink: .

All the ACME clients I have looked at have ‘hooks’ whereby you can disable the firewall as necessary for updates to be enabled. Using your DNS service instead is patently safer.


I could tell you how criticizing FreePBX code has gone for me in the past. I’ll sum up with “poorly”.

I don’t doubt the accuracy of your assertion one bit. And I have been castigated for simply installing WebMin in the past, so tweaking the system is something I am very reticent to do.

Is turning off your firewall manually every couple of months if necessary something you are reticent to do?

I’m not saying that the challenges WON’T come from what Sangoma has decreed; I AM saying that LetsEncrypt wholeheartedly disagrees :wink:

Confirmed, the note is stale. The challenge can come from anywhere.
https://issues.freepbx.org/browse/FREEPBX-17842

Thank you, Lorne. I see that this was opened about 18 months ago. What is the recommended procedure now to obtain and renew Let’s Encrypt certs?

Port 80 open to world, ideally dedicated to LE renewal.

Yikes.

If this is a problem for you, you have (non free) options for TLS certs.


The renewal process runs in crontab.

An iptables insert before the task and a delete afterward would open the port only for the amount of time needed to do the renewal.

Alternatively configure Apache only to serve the acme stuff on port 80 and nothing else (what Lorne suggested).

Don’t be afraid to get your hands dirty.

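The “iptables insert before the task and a delete afterward” idea from the post above, worked through as an added example (this is not FreePBX code and not from the thread). It assumes the renewal command is `fwconsole certificate --updateall` and that the firewall is plain iptables with its deny rules in the INPUT chain; both are assumptions here and are overridable through the environment.

```shell
#!/bin/sh
# Added example, not FreePBX code: wrap the Let's Encrypt renewal so that
# TCP/80 is open only while the renewal runs.
# Assumptions (not from the thread): the renewal command is
# `fwconsole certificate --updateall` and the firewall is plain iptables with
# the deny rules in the INPUT chain. Both can be overridden via the environment.
#
# Install: copy to /usr/local/sbin/le-renew.sh, make it executable and replace
# the direct renewal entry in root's crontab with e.g.
#   17 3 * * 1 /usr/local/sbin/le-renew.sh --run

IPTABLES="${IPTABLES:-iptables}"
RENEW_CMD="${RENEW_CMD:-fwconsole certificate --updateall}"
RULE_SPEC="-p tcp --dport 80 -j ACCEPT"

open_port80() {
    # Insert at position 1 so it wins over any later DROP/REJECT rule.
    $IPTABLES -I INPUT 1 $RULE_SPEC
}

close_port80() {
    # -D matches by rule spec, so this removes exactly the rule inserted above.
    $IPTABLES -D INPUT $RULE_SPEC
}

# Run "$@" with the port open; close it afterwards even if the command fails
# or the job is interrupted, and propagate the command's exit status.
renew_with_window() {
    open_port80 || return 1
    trap 'close_port80; exit 130' INT TERM
    "$@"
    status=$?
    trap - INT TERM
    close_port80
    return $status
}

if [ "${1-}" = "--run" ]; then
    # Word splitting of RENEW_CMD into command and arguments is intentional.
    renew_with_window $RENEW_CMD
fi
```

After the first scheduled run, confirm the window really closed with `iptables -S INPUT | grep 'dport 80'`; an empty result is what you want. A SIGKILL (or a power loss) mid-renewal bypasses the trap, so that check is worth keeping in your monitoring rather than running once.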

If you use one of these 100 ‘name services’

then you won’t ever need to change iptables if you care to “get your hands slightly grimy” with

(they are not the same link)


Does dedicating port 80 to LetsEncrypt and setting Internet access enabled in the firewall not suffice?

Well, on the surface, that would sound fine, BUT the very nature of the LetsEncrypt HTTP-01 “challenge” type is that it needs to write to your server. Now, true, the write will be only to _acme_challenge*, so it is up to you to only accept challenges ‘when expected’ for such writes from anyone; similarly, you would need to restrict that ‘write’ by content.

So approving anyone carte-blanche write access to your server and blindly thinking ‘that’s ok, we will consider trying to limit it by name, content or source’ (call that a firewall) has shown in the past to be ‘not a good idea’.

Of the current ‘challenges’ accepted, apart from that one, TLS-ALPN-01 is not mature enough, but DNS-01 is, and it is easily automated; it doesn’t touch your system in any way and is likely already approved and provided for by your “name service”.

(Never think anyone here is cleverer than the often state funded ‘knuckle-draggers’ we are up against. :wink: )
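To make the HTTP-01 versus DNS-01 contrast in the post above concrete, here is an added example (not from the thread and not from any ACME client) of what each challenge type actually publishes, following RFC 8555 section 8. The token and the account-key thumbprint are inputs your ACME client already has; the values used below are constructed placeholders, and the function names are this example’s own.

```shell
#!/bin/sh
# Added example, not from the thread or from any ACME client: what HTTP-01 and
# DNS-01 publish for the same challenge (RFC 8555 section 8).
# $1 = challenge token from the CA, $2 = base64url JWK thumbprint of the ACME
# account key. Both come from your ACME client; values in the test below are
# constructed, not real.

# HTTP-01: the key authorization is served verbatim at
# http://<host>/.well-known/acme-challenge/<token>, which is why port 80 must
# be reachable from the CA's unpublished validation addresses.
http01_body() {
    printf '%s.%s' "$1" "$2"
}

# base64url without padding (RFC 4648 section 5), as ACME requires.
b64url() {
    base64 | tr -d '\n=' | tr '+/' '-_'
}

# DNS-01: only the SHA-256 digest of the key authorization is published, as a
# TXT record at _acme-challenge.<domain>. Nothing is written on the PBX and no
# inbound port is involved; the client needs only API access to the DNS zone.
dns01_txt() {
    http01_body "$1" "$2" | openssl dgst -sha256 -binary | b64url
}
```

The difference is the threat surface, not the proof: both values derive from the same token and account key, but DNS-01 moves the publication point from your web server to the zone you already control through your DNS provider’s API.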
