Problem with LetsEncrypt


(Tranquil Support) #1

Hey all, so I am getting the following error when trying to set up a letsencrypt certificate.

There was an error updating the certificate: Error ‘Requested host does not resolve to ‘xxx.xxx.xxx.242’ (Resolved to ‘xxx.xxx.xxx.243’ instead)’ when requesting

I am using a PFSense firewall with 1:1 NAT configured on xxx.xxx.xxx.243 which points to the local IP of the FreePBX.
The xxx.xxx.xxx.242 address is the public IP of the PFSense box.

I have confirmed by checking the states and logs in PFSense that PFSense is correctly performing 1:1 NAT on all outbound traffic; however, this error still persists. I can reach the PBX from its FQDN, and if I perform the letsencrypt manually from the command line it works; however, I have been doing this for months now as a workaround and keep meaning to raise this issue here.


(Tranquil Support) #2

If I obtain my public IP from the command line using dig (I am unable to post the command used as I am a new user; however, once this restriction is released I can do so),

xxx.xxx.xxx.243 is correctly returned,

however

curl ifconfig.me (which I understand is what FreePBX uses to obtain the box's IP) returns

xxx.xxx.xxx.242

I am completely at a loss to understand how it is returning this address. In the firewall states, the only thing I can find that looks dubious is as follows.

:46924 -> 127.0.0.1:3128 (216.239.34.21:80) FIN_WAIT_2:FIN_WAIT_2 7 / 6 447 B / 728 B

NB: 216.239.34.21 is the public IP of ifconfig.me

Anyone got any clues???


#3

Despite the 1 to 1 nat (double check that config), pfsense is sending outbound requests from the .242 address. That part is a pfsense issue.

But… the failure of LetsEncrypt with such a config is the FreePBX nanny getting in the way. FreePBX makes some just plain dumb network assumptions. It’s a known issue reported at https://issues.freepbx.org/browse/FREEPBX-21681.

I might post a PR if @kgupta1 or someone at Sangoma can indicate which proposed approach to take. I would just remove the lechecker.php process completely if given a choice.


(Tranquil Support) #4

Ah, I’ve solved my own problem so thought I would post here in case anyone else is experiencing the same problem.

In our case it was our Squid Proxy server, which was capturing everything destined to port 80 and representing itself as the public IP of the PFSense. As soon as I whitelisted the IP of the PBX to pass through the proxy server, it immediately started to work again.

I can see a lot of people in bigger networks getting caught out by this, hopefully my experience will be of some assistance to someone else.
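The two checks this thread boils down to, written up as an added example that is not code from the thread or from FreePBX: a parser that scans pfSense state-table lines (in the shape quoted in post #2) for connections silently redirected to a loopback proxy port such as 3128, and a small decision function that turns the three observations (what DNS says the FQDN resolves to, what an IP-echo service sees over port 80, and what it sees over port 443) into the likely cause. The assumption that HTTPS egress bypasses a port-80 transparent proxy, the 203.0.113.x/192.0.2.x addresses and the extra sample lines are all constructed for illustration.

```python
import re
import ipaddress

# Constructed sample of state-table lines; the first is the line quoted in the thread,
# the others are made-up (documentation-range addresses) for contrast.
SAMPLE_STATES = """
:46924 -> 127.0.0.1:3128 (216.239.34.21:80) FIN_WAIT_2:FIN_WAIT_2 7 / 6 447 B / 728 B
192.0.2.10:51002 -> 216.239.34.21:443 ESTABLISHED:ESTABLISHED 12 / 11 2 KiB / 5 KiB
192.0.2.10:5060 -> 198.51.100.7:5060 MULTIPLE:MULTIPLE 3 / 3 1 KiB / 1 KiB
"""

# "<src> -> <dst>:<port> (<original dst>:<port>)" -- the bracketed part is the
# pre-NAT destination, which is what exposes an rdr/proxy intercept.
STATE_RE = re.compile(
    r"(?P<src>\S+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?:\s*\((?P<orig>[\d.]+):(?P<oport>\d+)\))?"
)


def find_intercepted(states, proxy_ports=(3128, 8080)):
    """Return [(original destination, original port)] for every state whose
    destination was rewritten to a loopback address on a known proxy port."""
    hits = []
    for line in states.strip().splitlines():
        m = STATE_RE.search(line)
        if not m or not m.group("orig"):
            continue  # no rewrite recorded for this state
        dst = ipaddress.ip_address(m.group("dst"))
        if dst.is_loopback and int(m.group("dport")) in proxy_ports:
            hits.append((m.group("orig"), int(m.group("oport"))))
    return hits


def diagnose(dns_ip, seen_http, seen_https):
    """Classify a 'Requested host does not resolve to X' mismatch.

    dns_ip     - what the PBX FQDN resolves to (dig)
    seen_http  - egress IP reported by an echo service over port 80 (curl ifconfig.me)
    seen_https - the same over port 443 (assumption: a port-80 intercept leaves it alone)
    """
    if dns_ip == seen_http:
        return "ok"
    if seen_http != seen_https and dns_ip == seen_https:
        return "transparent proxy on port 80: exempt the PBX from interception"
    return "NAT egress mismatch: check the 1:1 NAT / outbound rule for the PBX"
```

Feeding the real state table (for example the output of `pfctl -ss` reshaped to the quoted form) into `find_intercepted` shows whether port-80 traffic from the PBX is being handed to a local proxy before it ever leaves the firewall.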