Why can't get Let's Encrypt certificate generation to work?

digiteltlc · June 9, 2021, 3:07pm

I get this error while generating let’s encrypt certificate :

Self test error: Pest_Curl_Exec - Failed connect to myname.ddns.net:80; Connection refused
Does DNS for myname.ddns.net resolve correctly? Local DNS result: 127.0.0.1, External DNS result: 93.66.241.165
The FreePBX Firewall is not enabled.
The LetsEncrypt servers only send challenge queries to port 80. Certificate requests will fail if public access via port 80 is not available.
Processing: myname.ddns.net, Local IP: 127.0.0.1, Public IP: 93.68.245.166
Self test: trying http://myname.ddns.net/.freepbx-known/34dc7ea212e11e1206b68671d9c4c4f8
Self test error: Pest_Curl_Exec - Failed connect to myname.ddns.net:80; Connection refused

pbx port 80 is assigned to let’s encrypt service in sysadmin
public ip port 80 is natted to pbx ip port 80

trying http://lan_pbxaddress or
http://lan_pbxaddress/.freepbx-known/34dc7ea212e11e1206b68671d9c4c4f8
from pc inside LAN , I get a ERR_CONNECTION_REFUSED

Any idea ?

adell4444 · June 9, 2021, 3:19pm

Normally this is the firewall blocking your connection. If the firewall is turned off, perhaps check iptables to make sure nothing is in there.

jerrm · June 9, 2021, 4:06pm

“The FreePBX Firewall is not enabled.”

The firewall module is not enabled. Do you have port 80 access enabled in your ruleset?

digiteltlc · June 9, 2021, 4:23pm

Yes Freepbx firewall is disabled

iptables :

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

Normally I use port 80 for http GUI management
For let’s Encrypt purpose I set 8080 for GUI and 80 for Let’s Encrypt in system admin.
Doing so, the system refuses connections in port 80

sorvani · June 9, 2021, 4:26pm

If you are using a fully updated system, you do not need to do that.
Just keep your admin on port 80 and the LE process will deal with it.

Edit: Nevermind, you have the firewall disabled… so that means all the automatic stuff does not work right…

digiteltlc · June 9, 2021, 4:44pm

Right !
I have another Freepbx machine on the same LAN I hadn’t tried yet, with same settings (and right router port redirection) , LE certificate has been succesfully generated.

Wondering what is not working on the first machine…

jerrm · June 9, 2021, 6:43pm

Post output of:

stat /var/www/html/.freepbx-known/ /var/www/html/.well-known/
echo -e "this is only a test\n" >/var/www/html/.freepbx-known/test.txt
curl -v http://127.0.0.1/.freepbx-known/test.txt

digiteltlc · June 9, 2021, 6:57pm

stat /var/www/html/.freepbx-known/ /var/www/html/.well-known/ :

File: â€˜/var/www/html/.freepbx-known/â€™
Size: 6 Blocks: 0 IO Block: 4096 directory
Device: fd00h/64768d Inode: 336656 Links: 2
Access: (0775/drwxrwxr-x) Uid: ( 995/asterisk) Gid: ( 995/asterisk)
Access: 2021-06-09 16:58:30.417419704 +0200
Modify: 2021-06-09 17:01:59.429222325 +0200
Change: 2021-06-09 17:01:59.429222325 +0200
Birth: -
File: â€˜/var/www/html/.well-known/â€™
Size: 28 Blocks: 0 IO Block: 4096 directory
Device: fd00h/64768d Inode: 68494482 Links: 3
Access: (0775/drwxrwxr-x) Uid: ( 995/asterisk) Gid: ( 995/asterisk)
Access: 2021-06-09 16:58:30.417419704 +0200
Modify: 2021-05-25 11:49:34.454500783 +0200
Change: 2021-06-09 16:50:24.714496524 +0200
Birth: -

echo -e “this is only a test\n” >/var/www/html/.freepbx-known/test.txt
curl -v http://127.0.0.1/.freepbx-known/test.txt :

About to connect() to 127.0.0.1 port 80 (#0)

Trying 127.0.0.1…

Connected to 127.0.0.1 (127.0.0.1) port 80 (#0)

GET /.freepbx-known/test.txt HTTP/1.1
User-Agent: curl/7.29.0
Host: 127.0.0.1
Accept: /

< HTTP/1.1 200 OK
< Date: Wed, 09 Jun 2021 18:58:43 GMT
< Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.6.40
< Last-Modified: Wed, 09 Jun 2021 18:55:41 GMT
< ETag: “15-5c459d23dae42”
< Accept-Ranges: bytes
< Content-Length: 21
< Content-Type: text/plain; charset=UTF-8
<
this is only a test

Connection #0 to host 127.0.0.1 left intact

jerrm · June 9, 2021, 7:10pm

I’m stumped. On vacation this week. May PM next week if there is still an issue.

Folders look like they have proper permissions, but try an fwconsole chown.

digiteltlc · June 9, 2021, 7:20pm

Well… no words…
Back on first machine, try to generate LE certificate and… boom, certificate succesfully generated
I don’t really know what happened on previous attempts failing with refuse in port 80
Probably something messed up in sysadmin port changes…

mgrue · June 9, 2021, 7:50pm

Same here! Certificate generation failed with the same error on a brand new installation (it was pretty much the first thing I tried after the installation).
Now a few days later it just worked

digiteltlc · June 9, 2021, 7:50pm

Question :
the certificate your trying to issue is related to your pbx hostname , i.e. mypbx.mydomain.com
that has to be a FQDN resolvable by internet DNS
What if I can’t handle my domain, i.e. like noip etc. with no wildcard allowed (subdomains) on free ddns service ?
I have understood there is no more way to fool up LAN browsers with your own self-signed certificate.
Is there any workaround ?

digiteltlc · June 9, 2021, 7:51pm

Nice !

david55 · June 9, 2021, 8:10pm

I haven’t had cause to do it recently, but I can think of no sensible reason why a browser, on a mainstream OS, wouldn’t accept a user provided root CA certificate (which by definition is self signed), which was then used to sign the individual device certificates.

I’d expect large, security conscious organisations to actually disable most of the standard root and intermediate ones, and in particular Lets Encrypt and CACert, on the basis that they didn’t adequately authenticate clients, and might be controlled by a hostile country, but then add a corporate root certificate.

jerrm · June 9, 2021, 8:37pm

Nothing prevents issuing a LetsEncrypt cert for a dynamic DNS address as long as there is something to serve the http challenge token at the ddns endpoint.

It’s even possible to use dns-01 auth with some ddns providers, with no http server requirement at all.

dicko · June 9, 2021, 8:52pm

Perhaps one could better say that although the acme protocol can do all that, the acme client in FreePBX as yet ‘can’t’.

FWIW, Namecheap has a DDNS handler and is compliant mostly with acme.sh. ( < $10 per annum with some TLD’s)

(Don’t use wild card certs if you want SIP over TLS to work.)

I suggest you just wait for @jerrm to complete his work and have it accepted by Sangoma.

jerrm · June 10, 2021, 1:08am

It’s mostly done, but without getting into the drama, I’m suddenly faced with selling two homes and buying another in this crazy market. Any free time I had to polish things up is gone for the short term.

Should get back to it in a couple of weeks after moving and getting the old house listed.

Maybe by the next lounge.

dicko · June 10, 2021, 1:32am

Godspeed !!

digiteltlc · June 10, 2021, 8:23am

So, that’s what I done (without experience) :

From freepbx cli I’ve generated my own certificate :

openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes
-keyout mypbx.key -out mypbx.crt -extensions san -config
<(echo “[req]”;
echo distinguished_name=req;
echo “[san]”;
echo subjectAltName=DNS:mypbx.local,IP:10.0.0.2
)
-subj “/CN=mypbx.local”

Then I’ve imported .crt and .key in certificate manager and set to default
I used it for https in sysadmin

The same .crt was imported as CA into Chrome browser.

mypbx.local resolves into local pbx ip address by DNS server static entry

Now I can access https://mypbx.local and https://mypbx.local/ucp in secure mode without warnings (with WebRTC phone, I’m doing all this for, working ok)

Is this a reliable workaround ?

system · June 17, 2021, 8:23am

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.