LE WebServer ssl fail

yaboc

Member
Nov 23, 2017
Hi,

I have 2 fspbx servers (1.9.0) in HA, previously behind a Pangolin reverse proxy, but to implement the new SSL for Freeswitch I decided to move both servers on their own IP to make things easier. Both servers have 80 and 443 open.

I'm able to access the pbx1/2.domain.com fspbx web GUI on port 80.

I'm trying to run the webserver SSL script but getting an error message where it can't find the challenge file/token on the server (getting 404 when I access the URL).

There's no token in /var/www/fspbx/public/.well-known/acme-challenge

When I create a test.txt file in /var/www/fspbx/public/.well-known/acme-challenge
and try to access it with http://pbx1.domain.com/.well-known/acme-challenge/test.txt I'm getting 404 file not found.


I checked the dehydrated config:

Code:
cat /etc/dehydrated/config
BASEDIR=/etc/dehydrated
WELLKNOWN=/var/www/fspbx/public/.well-known/acme-challenge

Code:
@pbx1:/var/www/fspbx# sudo php artisan app:install-lets-encrypt-certificate

 Enter the domain for SSL (e.g., us.domain.com):
 > pbx1.domain.com

Installing Dehydrated...

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

Configuring Dehydrated...
Registering account and generating SSL certificate...
ERROR: Challenge is invalid! (returned: invalid) (result: ["type"]      "http-01"
["url"] "https://acme-v02.api.letsencrypt.org/acme/chall/3480332836/72956/MLs"
["status"]      "invalid"
["validated"]   "2026-06-28T05:50:21Z"
["error","type"]        "urn:ietf:params:acme:error:unauthorized"
["error","detail"]      "xx.xx.xx.xx: Invalid response from http://pbx1.domain.com/.well-known/acme-challenge/lEfFvviXOMiBvXdmvxF6fvfjpP-kSWDGNbvjDo: 404"
["error","status"]      403
["error"]       {"type":"urn:ietf:params:acme:error:unauthorized","detail":"xx.xx.xx.xx: Invalid response from http://pbx1.domain.com/.well-known/acme-challenge/lEfFvviXOMiBvXdmvxF6fvfjpP-kSWDGNbvjDo: 404","status":403}
["token"]       "lEfFvviXOMiBvXdmvxF6fvfjpP-kSWDGNbvjDo"
["validationRecord",0,"url"]    "http://pbx1.domain.com/.well-known/acme-challenge/lEfFvviXOMiBvXdmvxF6fvfjpP-kSWDGNbvjDo"
["validationRecord",0,"hostname"]       "pbx1.domain.com"
["validationRecord",0,"port"]   "80"
["validationRecord",0,"addressesResolved",0]    "xx.xx.xx.xx"
["validationRecord",0,"addressesResolved"]      ["xx.xx.xx.xx"]
["validationRecord",0,"addressUsed"]    "xx.xx.xx.xx"
["validationRecord",0]  {"url":"http://pbx1.domain.com/.well-known/acme-challenge/lEfFvviXOMiBvXdmvxF6fvfjpP-kSWDGNbvjDo","hostname":"pbx1.domain.com","port":"80","addressesResolved":["xx.xx.xx.xx"],"addressUsed":"xx.xx.xx.xx"}
["validationRecord"]    [{"url":"http://pbx1.domain.com/.well-known/acme-challenge/lEfFvviXOMiBvXdmvxF6fvfjpP-kSWDGNbvjDo","hostname":"pbx1.domain.com","port":"80","addressesResolved":["xx.xx.xx.xx"],"addressUsed":"xx.xx.xx.xx"}])
Error: Certificate generation failed!

Also, can I use *.domain.com for the LE SSL script if I have 2 servers pbx1/2.domain.com but accessed with pbx.domain.com, once I get the LE script to work? Is there a way to use DNS challenge using the fspbx sudo php artisan app:install-lets-encrypt-certificate script?

Thanks in advance!
 
The new Freeswitch TLS script took over this one and broke it. I just pushed a fix for it and tested it on one of my servers. Download updates and retry.

This script doesn't support a wildcard certificate. If you need a wildcard cert, your DNS service must support an API. You will need to ask an AI to write a script for you or search this forum for suggestions. Wildcard certificate validation is not as simple as a single domain.
 
@pbxgeek

So I pulled and upgraded to the latest 1.9.3,
but I'm still getting an error and the ACME challenge token is not found on the server.

Code:
Command failed: dehydrated -c. ERROR: Challenge is invalid! (returned: invalid) (result: ["type"]     "http-01"
["url"] "https://acme-v02.api.letsencrypt.org/acme/chall/3486/7296/Gnjw"
["status"]      "invalid"
["validated"]   "2026-06-28T16:36:39Z"
["error","type"]        "urn:ietf:params:acme:error:connection"
["error","detail"]      "During secondary validation: xx.xx.xx.xx: Fetching http://pbx1.domain.com/.well-known/acme-challenge/puQF2-Cz7NbCKlCb2otOEHZb9eTY7wvhUCnpIKvimxY: Timeout during connect (likely firewall problem)"
["error","status"]      400
["error"]       {"type":"urn:ietf:params:acme:error:connection","detail":"During secondary validation: xx.xx.xx.xx: Fetching http://pbx1.domain.com/.well-known/acme-challenge/puQF2-Cz7NbCKlCb2otOEHZb9eTY7wvhUCnpIKvimxY: Timeout during connect (likely firewall problem)","status":400}
["token"]       "puQF2-Cz7NbCKlCb2otOEHZb9eTY7Y"
["validationRecord",0,"url"]    "http://pbx1.domain.com/.well-known/acme-challenge/puQF2-Cz7NbCKlCb2otOEHZb9eTY7Y"
["validationRecord",0,"hostname"]       "pbx1.domain.com"
["validationRecord",0,"port"]   "80"
["validationRecord",0,"addressesResolved",0]    "xx.xx.xx.xx"
["validationRecord",0,"addressesResolved"]      ["xx.xx.xx.xx"]
["validationRecord",0,"addressUsed"]    "xx.xx.xx.xx"
["validationRecord",0]  {"url":"http://pbx1.domain.com/.well-known/acme-challenge/puQF2-Cz7NbCKlCb2otOEHZb9eTY7Y","hostname":"pbx1.domain.com","port":"80","addressesResolved":["xx.xx.xx.xx"],"addressUsed":"xx.xx.xx.xx"}
["validationRecord"]    [{"url":"http://pbx1.domain.com/.well-known/acme-challenge/puQF2-Cz7NbCKlCb2otOEHZb9eTY7Y","hostname":"pbx1.domain.com","port":"80","addressesResolved":["xx.xx.xx.xx"],"addressUsed":"xx.xx.xx.xx"}])

But I can now see the manually created test.txt:
when I create a test.txt file in /var/www/fspbx/public/.well-known/acme-challenge
and try to access it with http://pbx1.domain.com/.well-known/acme-challenge/test.txt it's there.
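
Added example, not part of the thread or of FS PBX: a small Python parser for the flattened JSON that dehydrated prints on a failed challenge, separating the two failures quoted above. The sample strings are constructed from the posted output, the cause labels are this example's own, and it relies on the "During secondary validation" prefix marking a fetch made from one of Let's Encrypt's additional validation vantage points.

```python
import json
import re

# Constructed samples trimmed from the thread's output; TOKEN is a placeholder.
SAMPLE_404 = (
    'ERROR: Challenge is invalid! (returned: invalid) (result: ["type"]\t"http-01"\n'
    '["error","type"]\t"urn:ietf:params:acme:error:unauthorized"\n'
    '["error","detail"]\t"xx.xx.xx.xx: Invalid response from '
    'http://pbx1.domain.com/.well-known/acme-challenge/TOKEN: 404"\n'
    '["error","status"]\t403\n'
    '["validationRecord"]\t[{"port":"80"}])\n'
)
SAMPLE_TIMEOUT = (
    '["error","type"]\t"urn:ietf:params:acme:error:connection"\n'
    '["error","detail"]\t"During secondary validation: xx.xx.xx.xx: Fetching '
    'http://pbx1.domain.com/.well-known/acme-challenge/TOKEN: '
    'Timeout during connect (likely firewall problem)"\n'
)

LINE = re.compile(r'(\[[^\]]*\])\s+(.*)$')  # JSON key path, whitespace, JSON value

def parse_flat(output):
    """Map each key path (as a tuple) to its decoded value."""
    fields = {}
    for line in output.splitlines():
        m = LINE.search(line)
        try:
            if m:
                fields[tuple(json.loads(m.group(1)))] = json.loads(m.group(2))
        except ValueError:
            pass  # e.g. the last line, whose value is followed by "])"
    return fields

def diagnose(output):
    """Classify an http-01 failure by ACME error type and detail text."""
    f = parse_flat(output)
    kind = f.get(("error", "type"), "").rsplit(":", 1)[-1]
    detail = f.get(("error", "detail"), "")
    m = re.search(r": (\d{3})$", detail)
    status = int(m.group(1)) if m else None
    secondary = detail.startswith("During secondary validation")
    cause = "other"
    if kind == "unauthorized" and status == 404:
        cause = "token-not-served"  # port 80 answered; compare WELLKNOWN with the web root
    elif kind == "connection" and secondary:
        cause = "blocked-for-some-networks"  # port 80 filtered by source address
    elif kind == "connection":
        cause = "port-80-unreachable"
    return {"error": kind, "http_status": status, "secondary": secondary, "cause": cause}
```

A test file that loads from your own network while the CA reports a secondary-validation timeout points at source-address filtering on port 80 rather than at the challenge directory.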
 
Are you able to install the Freeswitch certificate? The directory is the same. I understand your problem, but it’s unusual. If you can read one file from that directory, you should be able to read others as well.

At this point, it’s challenging to determine the issue without examining your nginx configuration and running live logs. You might need to contact support for assistance.
 
Thanks @pbxgeek. I'm spinning up a new cluster with two fresh 1.9.3 installs on Debian 13 LXC with the same resources as the original LXCs (2 cores, 4 GB), but I'm getting this during the install. I'll run it again and report back.

EDIT: I'm getting it on every brand new install.

Run the command as it says to retrieve the real error:

journalctl -xeu freeswitch.service
Code:
/home#  journalctl -xeu freeswitch.service
--
-- The error number returned by this process is 1.
Jun 28 19:34:00 pbxa systemd[1]: freeswitch.service: Control process exited, code=exited, status=214/SETS>
-- Subject: Unit process exited
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- An ExecStartPre= process belonging to unit freeswitch.service has exited.
--
-- The process' exit code is 'exited' and its exit status is 214.
Jun 28 19:34:00 pbxa systemd[1]: freeswitch.service: Failed with result 'exit-code'.
-- Subject: Unit failed
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- The unit freeswitch.service has entered the 'failed' state with result 'exit-code'.
Jun 28 19:34:00 pbxa systemd[1]: Failed to start freeswitch.service - freeswitch.
-- Subject: A start job for unit freeswitch.service has failed
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- A start job for unit freeswitch.service has finished with a failure.
--
-- The job identifier is 19236 and the job result is failed.
Jun 28 19:34:00 pbxa systemd[1]: freeswitch.service: Scheduled restart job, restart counter is at 5.
-- Subject: Automatic restarting of a unit has been scheduled
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- Automatic restarting of the unit freeswitch.service has been scheduled, as the result for
-- the configured Restart= setting for the unit.
Jun 28 19:34:00 pbxa systemd[1]: freeswitch.service: Start request repeated too quickly.
Jun 28 19:34:00 pbxa systemd[1]: freeswitch.service: Failed with result 'exit-code'.
-- Subject: Unit failed
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- The unit freeswitch.service has entered the 'failed' state with result 'exit-code'.
Jun 28 19:34:00 pbxa systemd[1]: Failed to start freeswitch.service - freeswitch.
-- Subject: A start job for unit freeswitch.service has failed
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- A start job for unit freeswitch.service has finished with a failure.
--
-- The job identifier is 19313 and the job result is failed.