Error When Generating Let's Encrypt Cert with FreePBX

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: pbx.midwestlivestock.com

I ran this command: Generate Let's Encrypt Certificate from FreePBX console

It produced this output: Processing: pbx.midwestlivestock.com, Local IP: x.x.x.x, Public IP: x.x.x.x
Self test: trying http://pbx.midwestlivestock.com/.freepbx-known/65f8afe23256b4ef6822efa7fcb91170
Self test: received 65f8afe23256b4ef6822efa7fcb91170

lechecker: Pest_Json_Decode - Decoding error: Syntax error

My web server is (include version): FreePBX 17

The operating system my web server runs on is (include version): Debian ?

My hosting provider, if applicable, is: Self-hosted

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): FreePBX 17

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

While the only thing about that error message is that lechecker.php tried to decode something that isn't JSON, I can say that the domain is not exposed to the internet, which is required for LE validation to succeed.

3 Likes

I have it sitting between the ISP's router and both firewalls. I turn it off at night because it's completely wide open to the internet. It's back up now.

Your domain is not responding to HTTP requests on port 80

It is responding to HTTPS requests on port 443. That connection uses a self-signed cert from Unifi. Is that expected?

echo|openssl s_client -connect pbx.midwestlivestock.com:443

Certificate chain
 0 s:CN = unifi.local
   i:CN = unifi.local
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Dec 23 05:58:22 2024 GMT; NotAfter: Mar 28 05:58:22 2027 GMT

Can you explain what that self-test is checking? Because if you are using an HTTP Challenge the incoming URL to you from the Let's Encrypt server looks like:

http://pbx.midwestlivestock.com/.well-known/acme-challenge/(token)
1 Like
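
An added example, not part of any post in this thread: a small Python parser for the `Certificate chain` summary that `openssl s_client` prints, flagging a leaf certificate that is self-signed or names a different host, which suggests another device is answering on port 443. The function names `parse_chain` and `leaf_findings` are hypothetical, and the sample input is the chain quoted in the post above.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the chain summary quoted in the post above.
SAMPLE = """Certificate chain
 0 s:CN = unifi.local
   i:CN = unifi.local
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Dec 23 05:58:22 2024 GMT; NotAfter: Mar 28 05:58:22 2027 GMT
"""
DATE_FMT = "%b %d %H:%M:%S %Y GMT"  # date layout used on the v: line

def parse_chain(text):
    """Return one dict per certificate listed in the chain summary."""
    certs = []
    for line in text.splitlines():
        if m := re.match(r"\s*(\d+) s:(.*)", line):
            certs.append({"depth": int(m.group(1)), "subject": m.group(2).strip()})
        elif certs and (m := re.match(r"\s+i:(.*)", line)):
            certs[-1]["issuer"] = m.group(1).strip()
        elif certs and (m := re.match(r"\s+v:NotBefore: (.*?); NotAfter: (.*)", line)):
            certs[-1]["not_before"], certs[-1]["not_after"] = (
                datetime.strptime(v.strip(), DATE_FMT).replace(tzinfo=timezone.utc)
                for v in m.groups())
    return certs

def leaf_findings(certs, hostname, now=None):
    """Flag why the leaf cert is probably not the one expected for hostname."""
    if not certs:
        return ["no-certificate"]
    leaf, out = certs[0], []
    now = now or datetime.now(timezone.utc)
    # Subject equal to issuer is a heuristic for self-signed (strictly: self-issued).
    if leaf["subject"] == leaf.get("issuer"):
        out.append("self-signed")
    # The summary shows no SANs, so comparing the CN is only a hint.
    cn = re.search(r"CN\s*=\s*([^,/]+)", leaf["subject"])
    if not cn or cn.group(1).strip().lower() != hostname.lower():
        out.append("name-mismatch")
    if "not_after" in leaf and not leaf["not_before"] <= now <= leaf["not_after"]:
        out.append("outside-validity")
    return out

if __name__ == "__main__":
    print(leaf_findings(parse_chain(SAMPLE), "pbx.midwestlivestock.com"))
```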

No, it is not expected that pbx.midwestlivestock.com would be responding on port 443.
The Self test is what I see when I attempt to generate a Let's Encrypt Cert.:

And this is the response:
"Processing: pbx.midwestlivestock.com, Local IP: 127.0.0.1, Public IP: x.x.x.x
Self test: trying http://pbx.midwestlivestock.com/.freepbx-known/0aea881bb5d26b7b6f5799364631b858
Self test: received 0aea881bb5d26b7b6f5799364631b858
lechecker: Pest_Json_Decode - Decoding error: Syntax error"

How do I go about addressing those two issues?

I'd first resolve what that Unifi device is doing. If you don't have one then check that your public IP in the DNS is correct. Then make sure that Unifi passes requests from port 80 to your FreePBX system.

It is possible that Unifi is the firewall system built in to FreePBX - I don't know for sure.

Your issues are really how to use FreePBX and not directly related to a Let's Encrypt problem. You are probably better off asking about these problems at their support forum. Or, find a good guide using google (maybe this one? https://www.youtube.com/watch?v=7PGKxSnvZrQ)

1 Like

Not unless FreePBX has seen drastic changes in the last couple of years--though I hope it has, because its built-in LE cert function was very badly broken back then.

2 Likes

Thanks. Was that YT link I showed a fair explanation? You have more experience about FreePBX than I do.

1 Like

It was a fair explanation. But I'm still in the same boat. Port 80 is forwarded to the FreePBX system.

How is that Unifi system involved?

1 Like

The unifi system is the firewall.

Okay. The only problem I see is something wrong in FreePBX console.

The error message complains about something it created for its own purposes.

You should ask on their forum how to debug / fix this. Make sure you tell them about Unifi.

That does not appear to be the case--or at least, the FreePBX system isn't responding.

3 Likes