So I entered our state, changed the challenge over to HTTPS and clicked update. After a long pause I got an error,
“There was an error updating the certificate: couldn’t connect to host”
Also my firewall log was showing several failures to port 80 (even though I had selected https for the challenge over).
For the heck of it I permitted http to pass through the firewall to the freepbx server.
Set the state back to Texas, changed the challenge over to HTTPS and hit update, this time after no delay I got the error
“There was an error updating the certificate: 403 Forbidden Forbidden You don’t have permission to access /.freepbx-known/0b1eb3b5932bdb5d197915b5eb15703e on this server. Apache/2.2.15 (CentOS) Server at voice.agrilife-dallas.center Port 80”
I repeated, entered the state, selected HTTP and then hit update but got the same error,
“There was an error updating the certificate: 403 Forbidden Forbidden You don’t have permission to access /.freepbx-known/865826b4bcfdef5888745fcecca7aa92 on this server. Apache/2.2.15 (CentOS) Server at voice.agrilife-dallas.center Port 80”
No failures/blocks are being noted on the hardware firewall.
LetsEncrypt requires that port 80 and 443 be the ADMIN interface. There’s no way around that, sorry.
If you want to keep using LetsEncrypt, you’ll need to set 80 and 443 to be the admin port while you’re asking them for a certificate. You can put it back to UCP when you’re finished.
I don’t mean to dig up old posts, but I am having this exact problem myself! I found another post somewhere that suggested to update to the edge module for cert manager, but currently there is no edge module available - I am running the latest version.
On my PBX, I am running all default ports and have a self signed cert installed for now. On my firewall I have allowed access from the sources required for Lets Encrypt etc.
I have found the problem, but it is something that is out of my control as it’s an auto-generated file that is causing the problems.
I ended up having to modify /etc/httpd/conf.d/schmoozecom.conf and comment out the following line:
RewriteRule (^\.|/\.) - [F]
This was preventing Apache from serving hidden folders. And for the LetsEncrypt service to generate its certs, FreePBX generates two hidden folders to serve files from during the generation/update process:
.freepbx-known .well-known
Maybe these folders should be added to the exceptions list in this folder?
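An added example, not part of the original posts and not FreePBX's own code: it models the quoted rule against request paths to show why the challenge URL gets a 403, and how two exceptions would let the challenge folders through while other dotfiles stay blocked, which commenting out the whole rule does not. The exception patterns, the sample paths and the function names are assumptions; what the fixed Sysadmin release actually generates is not shown in this thread.

```python
import re

# The rule quoted in the post: any path segment beginning with "." is
# answered with [F] (403 Forbidden).
DOTFILE_RULE = re.compile(r"(^\.|/\.)")

# Hypothetical exceptions (an assumption, not the generated config).
# In Apache they would be conditions placed directly above the rule:
#   RewriteCond %{REQUEST_URI} !^/\.well-known/
#   RewriteCond %{REQUEST_URI} !^/\.freepbx-known/
#   RewriteRule (^\.|/\.) - [F]
EXCEPTIONS = (
    re.compile(r"^/\.well-known/"),
    re.compile(r"^/\.freepbx-known/"),
)

# Constructed sample paths; the first token is the one from the error above.
SAMPLE_PATHS = [
    "/.freepbx-known/0b1eb3b5932bdb5d197915b5eb15703e",
    "/.well-known/acme-challenge/example-token",
    "/.git/config",
    "/admin/.htaccess",
    "/.well-known-old/file",
    "/admin/config.php",
]


def forbidden(path, exceptions=()):
    """True if the rule would return 403 for this URL path."""
    if any(rx.search(path) for rx in exceptions):
        return False  # a negated RewriteCond failed, so the rule is skipped
    return DOTFILE_RULE.search(path) is not None


def compare(paths):
    """Map each path to (403 with original rule, 403 with exceptions)."""
    return {p: (forbidden(p), forbidden(p, EXCEPTIONS)) for p in paths}


if __name__ == "__main__":
    for path, (before, after) in compare(SAMPLE_PATHS).items():
        print(f"{path:55} original={'403' if before else 'ok':4}"
              f" with exceptions={'403' if after else 'ok'}")
```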
Try Sysadmin 13.0.71.2, which is currently in ‘Edge’ mode - you can download it manually by switching your machine to edge, or just run ‘fwconsole --edge ma upgrade sysadmin’, which will get the new Sysadmin package.
Then all you need to do is go into Port management and click ‘Save’, which will generate a fixed httpd.conf!
Sorry about that. We have a QA team, but occasionally there are things we just don’t think about asking them to test. That was one of them. (But it’s on their list now! 8)
No problem. I won’t have to switch back to the “normal” track from the Edge track, right? That command just got the edge release for that one module, correct?
Hello Everyone, I’d just like to add that this problem is still happening on version FreePBX 14.0.13.4. I was able to get it resolved by going to the following directory and creating /var/www/html/.well-known and /var/www/html/.freepbx-known and applying the right write permissions to the folder. I hope that helps.