@johnpoz That did not make any difference. After putting a CAA record in place and removing DNSSEC it starting working.

@robert-de-wit DOH!!! I was looking in ddns services ;) hehehe I don't use who ever that is, so there is no way for me to test that. Working fine here with clouldflare.

Issue resolved , I did add domains manually that ACME try to resolve : Services > DNS Resolvers> General Settings> Host Overrides [image: 1649753242141-5be85b50-3522-407f-94b3-06afafc4018f-image.png]

@mrjoli021 said in ACME cert with rackspace: tmp/acme/wc_some_domain.com/acme_issuecert.log What do you see in the file when it fails?

@jimp Excellent, thank you!

DNS-NSupdate / RFC 2136 method, using my own domain name server, works. I knew I had to look up what "BuyPass" is. What it stand for, advantages, differences. Now there is SSL.com and ZeroSSL.

The staging server is for testing and is not publicly trusted. You need to edit the account key and set it to use the production server instead, then renew the certificate.

It turned out that, after digging deeply into the issue, my domain registrar does not support DNS_NSupdate RFC2136. So, I switched name server to Cloudflare and after a few stumble, got my certificate...wipe off sweat for lots of reading, swearing, and more reading. [Fri Feb 18 13:04:37 CST 2022] Your cert is in /tmp/acme/nollivoipserver_cert//nollivoipserver.nollicomm.net/nollivoipserver.nollicomm.net.cer [Fri Feb 18 13:04:37 CST 2022] Your cert key is in /tmp/acme/nollivoipserver_cert//nollivoipserver.nollicomm.net/nollivoipserver.nollicomm.net.key [Fri Feb 18 13:04:37 CST 2022] The intermediate CA cert is in /tmp/acme/nollivoipserver_cert//nollivoipserver.nollicomm.net/ca.cer [Fri Feb 18 13:04:37 CST 2022] And the full chain certs is there: /tmp/acme/nollivoipserver_cert//nollivoipserver.nollicomm.net/fullchain.cer [Fri Feb 18 13:04:37 CST 2022] Run reload cmd: /tmp/acme/nollivoipserver_cert/reloadcmd.sh

@gertjan said in Renew Certificate Downstream: I never used something like HAproxy ; but, from what I make of it, if HAproxy is doing the TLS (https) front end, unpacking the TLS an sending plain http (NON TLS) to the back end, your PBX, then yes, no certs needed on the PBX. @johnpoz said in Renew Certificate Downstream: This is correct, if you do the ssl offload on haproxy - you don't need any sort of ssl on the backend your sending the traffic too if your sending it has just normal http traffic. Thank you all for the good sound of music...that's what I thought and is much better than leaving port 80 opens for Lets Encrypt on FreePBX to renew the certificate. This is just a cleaner method and basically creates a secure tunnel to the PBX.

@gertjan Well thats the thing... I used to do it that way but what I'm trying to do is to automate the new cert propagation on the network to avoid having to go manually everywhere every 90 days when acme update the certs with letsencrypt...

@gertjan thanks for the info. Needed that on another system right now.

@johnpoz I finally graduated from the University of Slow Learners after three years of repeating webGUI certificate class...wipe of sweat. [image: 1644723852620-screen-shot-2022-02-12-at-8.55.53-pm.png] [image: 1644723888355-screen-shot-2022-02-12-at-8.58.37-pm.png]

@gertjan Here is my thread on Let's Encrypt forum. Someone mentioned the curl POST was failing. I have the full log posted there.

Nevermind! I had the IP address entered wrong in my RP config! It worked now!

@johnpoz OMG, I just understood what you mean Sorry, it just took me few days ... I didn't knew we could do that, it's amazing ! Well, I will keep my first solution on that project as the person I'm working with also need to use domain from his clients which want keep managing their own zone. But dame, I keep that for later ! Thanks a lot !