FreePBX Let's Encrypt Invalid Error


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: srs.leonescomp.com

I ran this command: Generate Lets Encrypt Certificate

It produced this output:

There was an error updating the certificate: Verification ended with error: {"identifier":{"type":"dns","value":"srs.leonescomp.com"},"status":"invalid","expires":"2018-09-05T17:45:57Z","challenges":[{"type":"dns-01","status":"invalid","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/ocRfBteL4qS5Rh0NvJV-Hz1z-4HNhyeyhSa1bC8GzwE/6881269121","token":"mzDixkNA6P7St-Zd0nvLx4jcEJRyi0Rqt2PQ7oW8R_A"},{"type":"tls-alpn-01","status":"invalid","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/ocRfBteL4qS5Rh0NvJV-Hz1z-4HNhyeyhSa1bC8GzwE/6881269123","token":"k7b1l1KMnB3Zn3v_Nl7-goSk9lIvt7QHWDQFowVqTeE"},{"type":"http-01","status":"invalid","error":{"type":"urn:acme:error:unauthorized","detail":"Invalid response from http://srs.leonescomp.com/.well-known/acme-challenge/P-wGHD93HtSb70QsSNIGRyQf4UCgUVTAwpre60oFg6E: "\n\n

My web server is (include version): Apache/2.4.6 (Sangoma) OpenSSL/1.0.2k-fips PHP/5.6.36

The operating system my web server runs on is (include version): FreePBX 14.0.3.13 (CentOS 7.5-1804)

My hosting provider, if applicable, is: Vultr

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no, FreePBX 14.0.3.13


#2

Hi @leonescomp

I have a timeout. Is there a firewall? Or does your provider block port 80?


#3

There is the standard FreePBX responsive firewall, no firewall at the VPS level with the exception of:

What Ports Are Blocked?

Published on: Mon, Sep 22, 2014 at 11:25 am EST

FAQ

We block several ports that are commonly abused for DDOS attacks:

  • TCP & UDP port 17
  • TCP & UDP port 19
  • TCP & UDP port 1900
  • UDP port 53413
  • UDP port 11211

These blocks are permanent, and cannot be removed.

The following ports may be blocked, depending on your account:

  • TCP port 25 (SMTP)
  • TCP & UDP port 137
  • TCP & UDP port 138
  • TCP & UDP port 139
  • TCP & UDP port 445

You may request these blocks be removed by opening a support ticket.

However, even turning off the FreePBX firewall completely returns the same error. I can turn it off if you would like to try again.


#4

Do you have a normal website?

http://srs.leonescomp.com/ doesn’t work. Should it work?

Which command did you use? Certbot? Or is this Generate Lets Encrypt Certificate a solution from your hoster?


#5

I’ve disabled the firewall temporarily, you should be able to see the GUI now.

The Generate Lets Encrypt Certificate is part of FreePBX itself; it basically automates the generation of the cert after adding a few details such as: Host Name, Owner's Email, Country, and State.

After adding the details and clicking generate it throws that error in my original post.

I have run this command with no issues via another provider, freepbxhosting.com (Cyberlynk).

I have already opened a support ticket with Vultr about this, without a resolution thus far.

I have also "cast many nets" by opening a ticket with them and posting on here and within the FreePBX forums to see where I can get the answer fastest.

I appreciate your help.


#6

Yes, I see it. But this

is the main problem. You should use such an integrated solution; this is always better than installing other tools. But then the help in this forum is limited. If your tool has a bug, it must be fixed.

Is it possible to check if there are files under /.well-known/acme-challenge/?

The error message ends with "\n\n". Is that a copy & paste problem?

You have root access. Is there a letsencrypt.log?

/var/log/letsencrypt/letsencrypt.log


#7

Is it possible to check if there are files under /.well-known/acme-challenge/?
I've looked through multiple directories and cannot find this.

The error message ends with "\n\n". Is that a copy & paste problem?
No, that is actually in the error, which is weird to say the least.

You have root access. Is there a letsencrypt.log?
/var/log/letsencrypt/letsencrypt.log
I don't see anything here using nano; it's completely blank, which in my experience usually means it doesn't even exist.

I am going to see if it is the hosting provider's issue with their supplied ISO. I am going to image one with a fresh copy of the official distro of FreePBX and see what happens.

I just used certbot on an instance of the Ubiquiti UniFi controller and it worked flawlessly.


#8

Issue resolved: IPv6 issue with domain hosting. Thanks for your help, I realized this after running certbot manually and seeing "multiple choices" in the error readout.


#9

By the way, nano should be able to distinguish between an empty file and a nonexistent file by displaying either [ Read 0 lines ] or [ New File ] as the status at the bottom of the screen. (You could also try cat or less, which should clearly distinguish between empty and nonexistent files.)

I’m glad you solved the problem!
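The two things this thread needed before the fix was found are worth scripting: telling a missing log or challenge file apart from an empty one (the nano point above, and the /.well-known/acme-challenge/ question in #6), and fetching the challenge URL over every address the hostname publishes, since the CA validates over whichever A or AAAA record it picks and a broken IPv6 path fails the whole authorization (the cause found in #8). The following is an added example, not code from FreePBX, certman or Lescript.php; the host name, the 192.0.2.x / 2001:db8:: addresses and the 300 "Multiple Choices" reply are constructed stand-ins so the probe can run offline, and `expected` must be the key authorization string (token.thumbprint) that your ACME client placed in the file.

```python
"""Preflight for a Let's Encrypt http-01 challenge (added example, not FreePBX code)."""
import http.client
import os
import socket
import tempfile
from typing import Callable, Dict, List, Tuple

CHALLENGE_PATH = "/.well-known/acme-challenge/"


def file_state(path: str) -> str:
    """Return 'missing', 'empty' or 'non-empty'; nano shows the first two the same."""
    if not os.path.exists(path):
        return "missing"
    return "empty" if os.path.getsize(path) == 0 else "non-empty"


def sample_file_states() -> Dict[str, str]:
    """Constructed demonstration of the three states in a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        empty = os.path.join(tmp, "letsencrypt.log")
        open(empty, "w").close()                      # exists, zero bytes
        filled = os.path.join(tmp, "token")
        with open(filled, "w") as fh:
            fh.write("token.thumbprint\n")            # what a challenge file holds
        return {
            "log": file_state(empty),
            "token": file_state(filled),
            "absent": file_state(os.path.join(tmp, "no-such-file")),
        }


def resolve_all(host: str) -> List[Tuple[int, str]]:
    """Every A and AAAA answer for the host, as (address family, address)."""
    seen: List[Tuple[int, str]] = []
    for family, _, _, _, sockaddr in socket.getaddrinfo(host, 80, type=socket.SOCK_STREAM):
        entry = (family, sockaddr[0])
        if entry not in seen:
            seen.append(entry)
    return seen


def fetch_challenge(host: str, address: str, token: str,
                    timeout: float = 10.0) -> Tuple[int, str]:
    """GET the challenge URL by connecting to one specific address with the Host
    header set, which is what a validator that chose that record does."""
    conn = http.client.HTTPConnection(address, 80, timeout=timeout)
    try:
        conn.request("GET", CHALLENGE_PATH + token, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.read().decode("utf-8", "replace")
    finally:
        conn.close()


Resolver = Callable[[str], List[Tuple[int, str]]]
Fetcher = Callable[[str, str, str], Tuple[int, str]]


def probe(host: str, token: str, expected: str,
          resolver: Resolver = resolve_all,
          fetcher: Fetcher = fetch_challenge) -> Dict[str, str]:
    """Try the challenge over every published address; one bad address is
    enough for the CA to mark the authorization invalid."""
    report: Dict[str, str] = {}
    for family, address in resolver(host):
        label = ("AAAA " if family == socket.AF_INET6 else "A ") + address
        try:
            status, body = fetcher(host, address, token)
        except OSError as exc:
            report[label] = f"unreachable: {exc}"
            continue
        if status == 200 and body.strip() == expected:
            report[label] = "ok"
        else:
            report[label] = f"bad response: HTTP {status} {body.strip()[:40]!r}"
    return report


def all_ok(report: Dict[str, str]) -> bool:
    return bool(report) and all(v == "ok" for v in report.values())


# Constructed stand-ins so the check runs offline: documentation addresses, and an
# IPv6 path that answers 300 "Multiple Choices" like the certbot readout in post #8.
def fake_resolver(host: str) -> List[Tuple[int, str]]:
    return [(socket.AF_INET, "192.0.2.10"), (socket.AF_INET6, "2001:db8::10")]


def fake_fetcher(host: str, address: str, token: str) -> Tuple[int, str]:
    if address == "192.0.2.10":
        return 200, "tok.thumb\n"
    return 300, "<html>Multiple Choices</html>"


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 4:   # real run: preflight.py HOST TOKEN EXPECTED_CONTENT
        result = probe(sys.argv[1], sys.argv[2], sys.argv[3])
    else:                    # offline demonstration with the constructed stand-ins
        result = probe("srs.example.invalid", "tok", "tok.thumb",
                       resolver=fake_resolver, fetcher=fake_fetcher)
    for label, outcome in result.items():
        print(f"{label}: {outcome}")
    print("files:", sample_file_states())
```

Run it with a real host, token and expected content after the client has written the challenge file but before submitting the challenge; if any line is not "ok", that is the record the CA can land on, and removing or fixing the AAAA record (as in #8) is the cure rather than reopening the firewall.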


#10

I’m trying to deal with this myself, and come up with a way to make it do DNS validation. Did the FreePBX folks really write their own tool for this, rather than use one of the (many, and very good) existing clients? Ugh. That’s going to make it pretty much impossible for me to get a cert–as they recommend, my installation is behind a separate firewall, as there’s no reason it needs to be directly accessible to the Internet at all (and their recommendation of “open your firewall to outbound[1|2].letsencrypt.org” isn’t even remotely a good practice).


#11

Some digging around https://github.com/FreePBX/certman answers this–no, they didn’t write their own ACME client; they used Lescript.php. Unfortunately, Lescript.php appears to be abandonware (no commits since last November), and is pretty limited in features. Specifically for me, it doesn’t do DNS validation at all; it also doesn’t support ACME v2. I wonder how hard it would be to drop in a different PHP ACME client. Edit: LEClient might be a candidate…


#12

By the way, nano should be able to distinguish between an empty file and a nonexistent file by displaying either [ Read 0 lines ] or [ New File ] as the status at the bottom of the screen. (You could also try cat or less , which should clearly distinguish between empty and nonexistent files.)

I did not know that this was even possible; I'm not terribly great with Linux, I know enough to get by with whatever I may be doing at the moment, but that's it. Thanks for this, I'm always willing to learn something new.

I’m glad you solved the problem!

You and me both :smiley:


#13

I’m trying to deal with this myself, and come up with a way to make it do DNS validation. Did the FreePBX folks really write their own tool for this, rather than use one of the (many, and very good) existing clients? Ugh. That’s going to make it pretty much impossible for me to get a cert–as they recommend, my installation is behind a separate firewall, as there’s no reason it needs to be directly accessible to the Internet at all (and their recommendation of “open your firewall to outbound[1|2].letsencrypt.org” isn’t even remotely a good practice).

All 6 or so instances of FreePBX I am currently running are hosting VPS servers, therefore I use the built-in responsive firewall. Yes, SIP is naturally going to get attacked, however I have noticed that the built-in firewall/fail2ban do a pretty great job, and as most of my customers are not interested in paying monthly for a static IP, the responsive firewall does a nice job blocking bad IPs as they hit the system.

What I would LOVE to see is a plugin that auto-adds all blacklisted IPs from one of the well-known sites that compile a list of known bad networks; then you would not have to wait for the IP to hit your system as it would already be in iptables, but to manually configure iptables would not be fun.

Some digging around https://github.com/FreePBX/certman answers this–no, they didn’t write their own ACME client; they used Lescript.php. Unfortunately, Lescript.php appears to be abandonware (no commits since last November), and is pretty limited in features. Specifically for me, it doesn’t do DNS validation at all; it also doesn’t support ACME v2. I wonder how hard it would be to drop in a different PHP ACME client. Edit: LEClient might be a candidate…

I would like to see this possibly come up in one of the future versions of FreePBX; it sure would be much easier.

