Self-Certificate Renewal Fails with Error Generating Certificate Unknown Option 730

Mindwatering Incorporated

Author: Tripp W Black

Created: 04/21 at 02:50 PM

 

Category:
VOIP
FreePBX

Issue:
Certificate Manager fails generating replacement self-signed certificate for FreePBX appliance with: Error Generating Certificate: unknown option "730".

Cause:
The maximum length for a certificate is becoming shorter and shorter. 730 days is no longer allowed, the maximum, at the date of this writing is 398 days.

Note: 2026/04/21
- No range down to 120 works anymore. All give an error. If you go down to 90 days, the UI will reset the field back to 730 again.
- Workaround is to generate certificate manually and import via the /etc/asterisk/keys folder.


Import Workaround:


1. Create a new certificate manually with OpenSSL
a. Login:
$ ssh root@myfreepbxappliance.mindwatering.net
<enter password>

b. Change to the directory and create the new certificate:
Note:
- We can re-use the CSR and the CA from the installation
- We can also do 730 again if we want. :-)

# cd /etc/asterisk/keys/
# openssl x509 -in myfreepbxappliance.mindwatering.net.csr -out myfreepbxappliance.mindwatering.net.pem -req -signkey myfreepbxappliance.mindwatering.net.key -days 730
# openssl x509 -in myfreepbxappliance.mindwatering.net.pem -out myfreepbxappliance.mindwatering.net.crt

c. Fix ownership:
# chown asterisk:asterisk myfreepbxappliance.mindwatering.net.pem
# chown asterisk:asterisk myfreepbxappliance.mindwatering.net.crt
# ls -l
<confirm file permissions>

d. Done. Exit terminal:
# exit


2. Import the certificate
a. Navigate: FreePBX Administration --> <login username and password - Continue> --> Admin (top menu) --> Certificate Management
- Click Import Locally
<page will refresh and display the certificate>

b. If the Apply Config button (upper right) is displayed, apply the change.
- Click Apply Config (button upper right)



______________________


To Change the Number of Days and Generate a New Self-Certified:


a. Navigate: FreePBX Administration --> <login username and password - Continue> --> Settings (top menu) --> Advanced Settings
b. Under the Certificate Manager section, update the following:
- Validity period of the certificate (in days): 365
- Click Submit (button lower right)
- Click Apply Config (button upper right)

c. Navigate: FreePBX Administration --> <login username and password - Continue> --> Admin (top menu) --> Certificate Management
- Click New Certificate (button dropdown) --> click Generate Self-Signed Certificate (button sub-choice)
- Add a description: <anything you want to add>
- Click Generate Certificate (button lower right)


previous page

×