SOLVED: LE WebServer SSL fail

yaboc

Member
Nov 23, 2017
Hi,

I have 2 FS PBX servers (1.9.0) in HA, previously behind a Pangolin reverse proxy, but to implement the new SSL for FreeSWITCH I decided to move both servers to their own IPs to make things easier. Both servers have 80 and 443 open.

I'm able to access the pbx1/2.domain.com FS PBX web GUI on port 80.

I'm trying to run the webserver SSL script but I'm getting an error message that it can't find the challenge file/token on the server (getting a 404 when I access the URL).

There's no token in /var/www/fspbx/public/.well-known/acme-challenge.

When I create a test.txt file in /var/www/fspbx/public/.well-known/acme-challenge
and try to access it with http://pbx1.domain.com/.well-known/acme-challenge/test.txt, I'm getting 404 file not found.


I checked the dehydrated config:

Code:
cat /etc/dehydrated/config
BASEDIR=/etc/dehydrated
WELLKNOWN=/var/www/fspbx/public/.well-known/acme-challenge

Code:
@pbx1:/var/www/fspbx# sudo php artisan app:install-lets-encrypt-certificate

 Enter the domain for SSL (e.g., us.domain.com):
 > pbx1.domain.com

Installing Dehydrated...

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

Configuring Dehydrated...
Registering account and generating SSL certificate...
ERROR: Challenge is invalid! (returned: invalid) (result: ["type"]      "http-01"
["url"] "https://acme-v02.api.letsencrypt.org/acme/chall/3480332836/72956/MLs"
["status"]      "invalid"
["validated"]   "2026-06-28T05:50:21Z"
["error","type"]        "urn:ietf:params:acme:error:unauthorized"
["error","detail"]      "xx.xx.xx.xx: Invalid response from http://pbx1.domain.com/.well-known/acme-challenge/lEfFvviXOMiBvXdmvxF6fvfjpP-kSWDGNbvjDo: 404"
["error","status"]      403
["error"]       {"type":"urn:ietf:params:acme:error:unauthorized","detail":"xx.xx.xx.xx: Invalid response from http://pbx1.domain.com/.well-known/acme-challenge/lEfFvviXOMiBvXdmvxF6fvfjpP-kSWDGNbvjDo: 404","status":403}
["token"]       "lEfFvviXOMiBvXdmvxF6fvfjpP-kSWDGNbvjDo"
["validationRecord",0,"url"]    "http://pbx1.domain.com/.well-known/acme-challenge/lEfFvviXOMiBvXdmvxF6fvfjpP-kSWDGNbvjDo"
["validationRecord",0,"hostname"]       "pbx1.domain.com"
["validationRecord",0,"port"]   "80"
["validationRecord",0,"addressesResolved",0]    "xx.xx.xx.xx"
["validationRecord",0,"addressesResolved"]      ["xx.xx.xx.xx"]
["validationRecord",0,"addressUsed"]    "xx.xx.xx.xx"
["validationRecord",0]  {"url":"http://pbx1.domain.com/.well-known/acme-challenge/lEfFvviXOMiBvXdmvxF6fvfjpP-kSWDGNbvjDo","hostname":"pbx1.domain.com","port":"80","addressesResolved":["xx.xx.xx.xx"],"addressUsed":"xx.xx.xx.xx"}
["validationRecord"]    [{"url":"http://pbx1.domain.com/.well-known/acme-challenge/lEfFvviXOMiBvXdmvxF6fvfjpP-kSWDGNbvjDo","hostname":"pbx1.domain.com","port":"80","addressesResolved":["xx.xx.xx.xx"],"addressUsed":"xx.xx.xx.xx"}])
Error: Certificate generation failed!

Also, can I use *.domain.com for the LE SSL script if I have 2 servers pbx1/2.domain.com but accessed with pbx.domain.com, once I get the LE script to work? Is there a way to use a DNS challenge with the FS PBX sudo php artisan app:install-lets-encrypt-certificate script?

Thanks in advance!
 
The new FreeSWITCH TLS script took over this one and broke it. I just pushed a fix for it and tested it on one of my servers. Download updates and retry.

This script doesn't support a wildcard certificate. If you need a wildcard cert, your DNS service must support API. You will need to ask an AI to write a script for you or search this forum for suggestions. Wildcard certificate validation is not as simple as a single domain.
 
@pbxgeek

So I pulled and upgraded to the latest 1.9.3,
but I'm still getting the error and the ACME challenge token is not found on the server.

Code:
Command failed: dehydrated -c. ERROR: Challenge is invalid! (returned: invalid) (result: ["type"]     "http-01"
["url"] "https://acme-v02.api.letsencrypt.org/acme/chall/3486/7296/Gnjw"
["status"]      "invalid"
["validated"]   "2026-06-28T16:36:39Z"
["error","type"]        "urn:ietf:params:acme:error:connection"
["error","detail"]      "During secondary validation: xx.xx.xx.xx: Fetching http://pbx1.domain.com/.well-known/acme-challenge/puQF2-Cz7NbCKlCb2otOEHZb9eTY7wvhUCnpIKvimxY: Timeout during connect (likely firewall problem)"
["error","status"]      400
["error"]       {"type":"urn:ietf:params:acme:error:connection","detail":"During secondary validation: xx.xx.xx.xx: Fetching http://pbx1.domain.com/.well-known/acme-challenge/puQF2-Cz7NbCKlCb2otOEHZb9eTY7wvhUCnpIKvimxY: Timeout during connect (likely firewall problem)","status":400}
["token"]       "puQF2-Cz7NbCKlCb2otOEHZb9eTY7Y"
["validationRecord",0,"url"]    "http://pbx1.domain.com/.well-known/acme-challenge/puQF2-Cz7NbCKlCb2otOEHZb9eTY7Y"
["validationRecord",0,"hostname"]       "pbx1.domain.com"
["validationRecord",0,"port"]   "80"
["validationRecord",0,"addressesResolved",0]    "xx.xx.xx.xx"
["validationRecord",0,"addressesResolved"]      ["xx.xx.xx.xx"]
["validationRecord",0,"addressUsed"]    "xx.xx.xx.xx"
["validationRecord",0]  {"url":"http://pbx1.domain.com/.well-known/acme-challenge/puQF2-Cz7NbCKlCb2otOEHZb9eTY7Y","hostname":"pbx1.domain.com","port":"80","addressesResolved":["xx.xx.xx.xx"],"addressUsed":"xx.xx.xx.xx"}
["validationRecord"]    [{"url":"http://pbx1.domain.com/.well-known/acme-challenge/puQF2-Cz7NbCKlCb2otOEHZb9eTY7Y","hostname":"pbx1.domain.com","port":"80","addressesResolved":["xx.xx.xx.xx"],"addressUsed":"xx.xx.xx.xx"}])

But I can now see the manually created test.txt:
when I create a test.txt file in /var/www/fspbx/public/.well-known/acme-challenge
and try to access it with http://pbx1.domain.com/.well-known/acme-challenge/test.txt, it's there.
 
Are you able to install the FreeSWITCH certificate? The directory is the same. I understand your problem, but it's unusual. If you can read one file from that directory, you should be able to read others as well.

At this point, it's challenging to determine the issue without examining your nginx configuration and running live logs. You might need to contact support for assistance.
 
Thanks @pbxgeek. I'm spinning up a new cluster with two fresh 1.9.3 installs on Debian 13 LXC with the same resources as the original LXCs (2 cores, 4 GB), but I'm getting this during the install. I'll run it again and report back.

EDIT: I'm getting it on every brand new install.

[screenshot of the install error]
 
Run the command as it says to retrieve the real error:

journalctl -xeu freeswitch.service
Code:
/home#  journalctl -xeu freeswitch.service
--
-- The error number returned by this process is 1.
Jun 28 19:34:00 pbxa systemd[1]: freeswitch.service: Control process exited, code=exited, status=214/SETS>
-- Subject: Unit process exited
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- An ExecStartPre= process belonging to unit freeswitch.service has exited.
--
-- The process' exit code is 'exited' and its exit status is 214.
Jun 28 19:34:00 pbxa systemd[1]: freeswitch.service: Failed with result 'exit-code'.
-- Subject: Unit failed
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- The unit freeswitch.service has entered the 'failed' state with result 'exit-code'.
Jun 28 19:34:00 pbxa systemd[1]: Failed to start freeswitch.service - freeswitch.
-- Subject: A start job for unit freeswitch.service has failed
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- A start job for unit freeswitch.service has finished with a failure.
--
-- The job identifier is 19236 and the job result is failed.
Jun 28 19:34:00 pbxa systemd[1]: freeswitch.service: Scheduled restart job, restart counter is at 5.
-- Subject: Automatic restarting of a unit has been scheduled
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- Automatic restarting of the unit freeswitch.service has been scheduled, as the result for
-- the configured Restart= setting for the unit.
Jun 28 19:34:00 pbxa systemd[1]: freeswitch.service: Start request repeated too quickly.
Jun 28 19:34:00 pbxa systemd[1]: freeswitch.service: Failed with result 'exit-code'.
-- Subject: Unit failed
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- The unit freeswitch.service has entered the 'failed' state with result 'exit-code'.
Jun 28 19:34:00 pbxa systemd[1]: Failed to start freeswitch.service - freeswitch.
-- Subject: A start job for unit freeswitch.service has failed
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- A start job for unit freeswitch.service has finished with a failure.
--
-- The job identifier is 19313 and the job result is failed.
 
The real startup error is here:

status=214/SETSCHEDULER

That means systemd is trying to start FreeSWITCH with a CPU scheduling policy that the environment does not allow. This is happening on Debian 13 LXC containers, and the journal shows FreeSWITCH failing before it actually starts: an ExecStartPre process exits with 214/SETSCHEDULER, then systemd marks freeswitch.service failed.

So the likely cause is:

FreeSWITCH’s systemd unit is configured to use realtime/priority scheduling, but the LXC container does not have permission to set that scheduler.

That is common in unprivileged LXC containers. A similar FreeSWITCH/LXC failure shows "Failed to set up CPU scheduling: Operation not permitted" and the same status=214/SETSCHEDULER.


I just installed FS PBX on Linode Debian 13 and didn't have any issues.

This can be fixed, and I can push the fix for this in the next few days, but so you know, this is only ok for small deployments.
For high call volume or production systems, a full VM or bare-metal server is recommended.
 
This is what I have for Proxmox, though I have not yet upgraded to 1.11.1, but I have been using Debian 13 since December.

/etc/pve/qemu-server/<vmid>.conf

boot: order=scsi0;net0
cores: 16
cpu: x86-64-v2-AES
memory: 131072
meta: creation-qemu=10.0.2,ctime=1759763031
name: pbx02
net0: virtio=xxxxxxx,bridge=vmbr0
numa: 1
onboot: 1
ostype: l26
scsi0: local-lvm:vm-100-disk-0,iothread=1,size=400G
scsihw: virtio-scsi-single
smbios1: uuid=xxxxxx
sockets: 1
vmgenid: xxxxxxx


NOTE: NUMA Only Makes Sense When VM Has > 8–12 Cores

You may also want to try enabling nesting.

Also, I'd like to edit my above statement. My production server is Debian 13 with FreeSWITCH 1.10.12, but I have two dev servers with Proxmox, both upgraded to the latest version of FreeSWITCH and FS PBX, not facing the issue you are experiencing. So I'm not sure what settings you have for that container.

Also, what version of Proxmox are you on? I believe I am on 8.0.1.
 
Thank you @pbxgeek and @ja133, I missed the nesting option :/ Now it works! @ja133 I'm on 9.2.3 using an LXC container. Any reason why you went with a VM vs LXC?

I'm still getting a 404 using sudo php artisan app:install-lets-encrypt-certificate.
The challenge file is not getting created; a manual test.txt file in /var/www/fspbx/public/.well-known/acme-challenge is accessible. This is on a brand new 1.9.3 install.

Code:
Command failed: dehydrated -c. ERROR: Challenge is invalid! (returned: invalid) (result: ["type"]     "http-01"
["url"] "https://acme-v02.api.letsencrypt.org/acme/chall/348313712456/4w"
["status"]      "invalid"
["validated"]   "2026-06-29T03:53:38Z"
["error","type"]        "urn:ietf:params:acme:error:connection"
["error","detail"]      "During secondary validation: xx.xx.xx.xx: Fetching http://pbx1.domain.com/.well-known/acme-challenge/pyUFp_w1Oqr4Xcm4Sp60: Timeout during connect (likely firewall problem)"
["error","status"]      400
["error"]       {"type":"urn:ietf:params:acme:error:connection","detail":"During secondary validation: xx.xx.xx.xx: Fetching http://pbx1.domain.com/.well-known/acme-challenge/pyUFp_w1Oqr4Xcm4Sp60: Timeout during connect (likely firewall problem)","status":400}
["token"]       "pyUFp_w1Oqr4Xcm4Sp60"
["validationRecord",0,"url"]    "http://pbx1.domain.com/.well-known/acme-challenge/pyUFp_w1Oqr4Xcm4Sp60"
["validationRecord",0,"hostname"]       "pbx1.domain.com"
["validationRecord",0,"port"]   "80"
["validationRecord",0,"addressesResolved",0]    "xx.xx.xx.xx"
["validationRecord",0,"addressesResolved"]      ["xx.xx.xx.xx"]
["validationRecord",0,"addressUsed"]    "xx.xx.xx.xx"
["validationRecord",0]  {"url":"http://pbx1.domain.com/.well-known/acme-challenge/pyUFp_w1Oqr4Xcm4Sp60","hostname":"pbx1.domain.com","port":"80","addressesResolved":["xx.xx.xx.xx"],"addressUsed":"xx.xx.xx.xx"}
["validationRecord"]    [{"url":"http://pbx1.domain.com/.well-known/acme-challenge/pyUFp_w1Oqr4Xcm4Sp60","hostname":"pbx1.domain.com","port":"80","addressesResolved":["xx.xx.xx.xx"],"addressUsed":"xx.xx.xx.xx"}])
 
You need to open port 80 to all countries temporarily while the script runs. It looks like Let's Encrypt can't reach you on port 80.
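A pre-flight check for the two failure modes seen in this thread (a 404 because nginx does not serve the challenge directory, and a connect timeout because port 80 is filtered), written here as an added example that is not part of FS PBX or dehydrated. It assumes the dehydrated config layout shown above (a WELLKNOWN= line in /etc/dehydrated/config) and curl on the host it runs from.

```shell
#!/bin/sh
# Pre-flight check for the HTTP-01 challenge path dehydrated uses.
# Added example, not FS PBX or dehydrated code. Assumes the config layout
# from the thread (/etc/dehydrated/config with a WELLKNOWN= line) and curl.
set -u

# Print the WELLKNOWN directory from a dehydrated config (last assignment wins).
wellknown_from_config() {
    grep '^WELLKNOWN=' "${1:-/etc/dehydrated/config}" | tail -n 1 | cut -d= -f2- | tr -d '"'
}

# Drop a probe file with a random name into the challenge directory; print its name.
write_probe_token() {
    local dir="$1" token
    token="probe-$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')"
    mkdir -p "$dir" && printf '%s\n' "$token" > "$dir/$token" && printf '%s\n' "$token"
}

# Fetch the probe over plain HTTP on port 80, as the ACME validators do, and classify:
# ok, timeout (firewall/GeoIP blocking, the thread's second error), http-404
# (nginx not serving the directory, the thread's first error) or curl-error-N.
probe_challenge_url() {
    local host="$1" token="$2" url out rc code body
    url="http://$host/.well-known/acme-challenge/$token"
    out=$(curl -sS --max-time 10 -w '\n%{http_code}' "$url" 2>/dev/null); rc=$?
    case "$rc" in
        0) ;;
        28) echo timeout; return 1 ;;
        *) echo "curl-error-$rc"; return 1 ;;
    esac
    code=$(printf '%s\n' "$out" | tail -n 1)
    body=$(printf '%s\n' "$out" | sed '$d')
    if [ "$code" = 200 ] && [ "$body" = "$token" ]; then echo ok; return 0; fi
    echo "http-$code"; return 1
}

# Usage: run_preflight pbx1.domain.com [/etc/dehydrated/config]
run_preflight() {
    local host="$1" dir token result
    dir=$(wellknown_from_config "${2:-/etc/dehydrated/config}"); [ -n "$dir" ] || return 2
    token=$(write_probe_token "$dir") || return 2
    result=$(probe_challenge_url "$host" "$token")
    rm -f "$dir/$token"   # never leave probe files behind
    echo "$host: $result"
    [ "$result" = ok ]
}
```

Run the probe from a host outside your own network: Let's Encrypt validates from several vantage points (the "secondary validation" in the error above) and does not publish their addresses, so a check from the PBX itself would bypass the GeoIP rule that caused the timeout.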
 
Ahh, I did disable GeoIP blocking on the DNAT rule for FS PBX but still had it on my firewall table, which precedes it (OPNsense).
Thanks @ja133, the script worked on both servers! Is there a list of LE servers to allow through in strict firewall environments?
 
Since this is no longer an FS PBX concern and was more about your Proxmox setup and GeoIP blocking, I will not be making any changes to the codebase. The way you have it right now is better long term. You should document your steps so you don't have this issue again when you roll out a new box.
 
Agreed, and thanks for your help @pbxgeek.