Unable to generate Let's Encrypt certificate - ERROR: Challenge is invalid! (returned: invalid)

Hi,

I am having issues renewing and generating Let's Encrypt certificates on UTM version 9.703-3.

Initially I tried renewing the certificate and that failed every time a renewal took place so, after reading a number of posts on this forum of others who had this problem I disabled DNAT and Country Blocking and deleted the existing Let's Encrypt certificate for this hostname in the hope that creating a new one would succeed. Unfortunately that's failing too. Given the number of failed renewals, perhaps it is possible my IP address is on a banned list?

I don't believe port 80 is being forwarded anywhere. There's no DNAT rule for port 80 (DNAT is currently disabled), but I'm not tremendously familiar with the Sophos UTM product, so you'll need to be patient with me.

Can someone point me in the right direction as to why I can't seem to generate a Let's Encrypt certificate for utm.bhatt-consulting.com? I could generate one in version 9.5 a long time ago and managed to create other certificates in April for my email server, but am concerned that that will also need to be renewed soon and will also fail.

Happy to supply additional information if needed.

The log file from the UTM shows the following:

2020:05:15-18:05:03 utm letsencrypt[44230]: I Renew certificate: handling CSR REF_CaCsrUtmbhattco for domain set [utm.bhatt-consulting.com]
2020:05:15-18:05:04 utm letsencrypt[44230]: I Renew certificate: running command: /var/storage/chroot-reverseproxy/usr/dehydrated/bin/dehydrated -x -f /var/storage/chroot-reverseproxy/usr/dehydrated/conf/config -c --accept-terms --domain utm.bhatt-consulting.com
2020:05:15-18:05:26 utm letsencrypt[44230]: I Renew certificate: command completed with exit code 256
2020:05:15-18:05:26 utm letsencrypt[44230]: E Renew certificate: COMMAND_FAILED: ERROR: Challenge is invalid! (returned: invalid) (result: {
2020:05:15-18:05:26 utm letsencrypt[44230]: E Renew certificate: COMMAND_FAILED: "type": "http-01",
2020:05:15-18:05:26 utm letsencrypt[44230]: E Renew certificate: COMMAND_FAILED: "status": "invalid",
2020:05:15-18:05:26 utm letsencrypt[44230]: E Renew certificate: COMMAND_FAILED: "error": {
2020:05:15-18:05:26 utm letsencrypt[44230]: E Renew certificate: COMMAND_FAILED: "type": "urn:ietf:params:acme:error:connection",
2020:05:15-18:05:26 utm letsencrypt[44230]: E Renew certificate: COMMAND_FAILED: "detail": "Fetching utm.bhatt-consulting.com/.../XQQMIkZLl-VmCNmzKk4dE65JUnfNUbCaAY3oY656HDM: Connection refused",
2020:05:15-18:05:26 utm letsencrypt[44230]: E Renew certificate: COMMAND_FAILED: "status": 400
2020:05:15-18:05:26 utm letsencrypt[44230]: E Renew certificate: COMMAND_FAILED: },
2020:05:15-18:05:26 utm letsencrypt[44230]: E Renew certificate: COMMAND_FAILED: "url": "acme-v02.api.letsencrypt.org/.../bnxBCw",
2020:05:15-18:05:26 utm letsencrypt[44230]: E Renew certificate: COMMAND_FAILED: "token": "XQQMIkZLl-VmCNmzKk4dE65JUnfNUbCaAY3oY656HDM",
2020:05:15-18:05:26 utm letsencrypt[44230]: E Renew certificate: COMMAND_FAILED: "validationRecord": [
2020:05:15-18:05:26 utm letsencrypt[44230]: E Renew certificate: COMMAND_FAILED: {
2020:05:15-18:05:26 utm letsencrypt[44230]: E Renew certificate: COMMAND_FAILED: "url": "utm.bhatt-consulting.com/.../XQQMIkZLl-VmCNmzKk4dE65JUnfNUbCaAY3oY656HDM",
2020:05:15-18:05:26 utm letsencrypt[44230]: E Renew certificate: COMMAND_FAILED: "hostname": "utm.bhatt-consulting.com",
2020:05:15-18:05:26 utm letsencrypt[44230]: E Renew certificate: COMMAND_FAILED: "port": "80",
2020:05:15-18:05:26 utm letsencrypt[44230]: E Renew certificate: COMMAND_FAILED: "addressesResolved": [
2020:05:15-18:05:26 utm letsencrypt[44230]: E Renew certificate: COMMAND_FAILED: "212.159.69.80"
2020:05:15-18:05:26 utm letsencrypt[44230]: E Renew certificate: COMMAND_FAILED: ],
2020:05:15-18:05:26 utm letsencrypt[44230]: E Renew certificate: COMMAND_FAILED: "addressUsed": "212.159.69.80"
2020:05:15-18:05:26 utm letsencrypt[44230]: E Renew certificate: COMMAND_FAILED: }
2020:05:15-18:05:26 utm letsencrypt[44230]: E Renew certificate: COMMAND_FAILED: ]
2020:05:15-18:05:26 utm letsencrypt[44230]: E Renew certificate: COMMAND_FAILED: })
2020:05:15-18:05:27 utm letsencrypt[44230]: I Renew certificate: sending notification WARN-603
2020:05:15-18:05:27 utm letsencrypt[44230]: [WARN-603] Let's Encrypt certificate renewal failed accessing Let's Encrypt service
2020:05:15-18:05:27 utm letsencrypt[44230]: I Renew certificate: execution completed (CSRs renewed: 0, failed: 1)
Thanks,

Chris

  • Hello Chris,

    Thank you for contacting the Sophos Community.

    I tried your website and it does seem like a DNAT rule is still enabled: http://utm.bhatt-consulting.com/ redirects me to a "You don't have permission to access / on this server."

    Please send me a screenshot of your DNAT; make sure there is not a DNAT rule with service as ANY. Also make sure that there is not port 443 in a DNAT rule, as this would also make it fail.

    The IP 212.159.69.80 terminates on the UTM, correct?

    Regards,


    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Thanks Emmosophos.

    I was dabbling with trying to create a webserver / website so had created DNAT rules for ports 80 and 443 in the past but wasn't having much luck getting my website to work so deleted those DNAT rules from the UTM GUI. Perhaps something still remains in the background that can be seen from command line rather than in the GUI? Perhaps there is a command line command I can run to display all DNAT rules?

    212.159.69.80 is the external wan address which terminates at the UTM.

    I still have a DNAT rule to allow RDP access to one of my servers but have turned that off to see if it made any difference.

    Thanks,

    Chris

  • Hi Chris and welcome to the UTM Community!

    Are you sure you don't have Webserver Protection activated?  There's an issue if the Virtual Server is of Type "Encrypted (HTTPS) and redirect".  Temporarily change that to "Encrypted (HTTPS)" and try again.  Afterwards, you can change it back to redirect.  Any better luck?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks Bob.

    I just checked to see and somehow it is all working (see above)! The certificate renewed itself automatically at 05:30hrs UK time. I'm not sure why it suddenly worked this morning - the log just shows an attempt that goes through successfully (see below). So, whilst I'm happy the certificate is renewed and the problem has gone away, not understanding why it suddenly worked doesn't help me solve it when the problem happens again next time. Perhaps I had gone over the 5 tries within 5 days rule? I wish I could advise what change made this possible so that, should someone stumble on this page in the future, an answer could be provided but I can't.
    Nonetheless, my thanks to those who looked into this issue, whether they posted or not.
    2020:05:17-05:30:01 utm letsencrypt[29087]: I Check renewal: skip REF_CaCsrWwwbhattco2 (domains: www.bhatt-consulting.com): certificate valid until Jul 13 19:52:17 2020 GMT (longer than 30 days)
    2020:05:17-05:30:01 utm letsencrypt[29087]: I Check renewal: skip REF_CaCsrMailbhattc (domains: mail.bhatt-consulting.com, autodiscover.bhatt-consulting.com): certificate valid until Jul 12 18:34:36 2020 GMT (longer than 30 days)
    2020:05:17-05:30:01 utm letsencrypt[29087]: I Check renewal: skip REF_CaCsrWwwbhattco3 (domains: www.bhatt-consulting.com): certificate valid until Jul 13 19:54:47 2020 GMT (longer than 30 days)
    2020:05:17-05:30:01 utm letsencrypt[29087]: I Check renewal: renew REF_CaCsrUtmbhattco (domains: utm.bhatt-consulting.com): certificate valid until Jan  1 00:00:01 2038 GMT (temporary certificate)
    2020:05:17-05:31:02 utm letsencrypt[29686]: I Renew certificate: handling CSR REF_CaCsrUtmbhattco for domain set [utm.bhatt-consulting.com]
    2020:05:17-05:31:02 utm letsencrypt[29686]: I Renew certificate: running command: /var/storage/chroot-reverseproxy/usr/dehydrated/bin/dehydrated -x -f /var/storage/chroot-reverseproxy/usr/dehydrated/conf/config -c --accept-terms --domain utm.bhatt-consulting.com
    2020:05:17-05:31:30 utm letsencrypt[29686]: I Renew certificate: command completed with exit code 0
    2020:05:17-05:31:30 utm letsencrypt[29686]: I Renew certificate: temporary certificate exists, updating from /var/storage/chroot-reverseproxy/var/lib/dehydrated/cert_data/certs/utm.bhatt-consulting.com/fullchain.pem
    2020:05:17-05:31:33 utm letsencrypt[29686]: I Renew certificate: updated certificate REF_abUfqqqVALxH of CSR REF_CaCsrUtmbhattco
    2020:05:17-05:31:33 utm letsencrypt[29686]: I Renew certificate: execution completed (CSRs renewed: 1, failed: 0)
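The two log excerpts in this thread (the failed http-01 run in the opening post and the successful run above) are awkward to read because the UTM spreads dehydrated's JSON challenge result over many `COMMAND_FAILED:` lines. The script below is an added example, not code from the thread or from Sophos: it reassembles that JSON, pulls out the validation record (hostname, port, address the validator connected to) and the ACME error type, and maps the error type to the check an operator should do first. It assumes only the log format visible in this thread and the ACME error identifiers from RFC 8555 section 6.7; the hint texts are this example's own summary of the advice given in the replies (DNAT, firewall or country blocking in front of port 80, another service answering on that port, rate limits). Both sample inputs are copied from the posts above and trimmed to the lines the parser needs.

```python
import json
import re

# Constructed sample input: the failed run quoted in the opening post, trimmed to
# the lines the parser needs. The JSON result is split across COMMAND_FAILED lines.
FAILED_RUN = """\
2020:05:15-18:05:26 utm letsencrypt[44230]: I Renew certificate: command completed with exit code 256
2020:05:15-18:05:26 utm letsencrypt[44230]: E Renew certificate: COMMAND_FAILED: ERROR: Challenge is invalid! (returned: invalid) (result: {
2020:05:15-18:05:26 utm letsencrypt[44230]: E Renew certificate: COMMAND_FAILED: "type": "http-01",
2020:05:15-18:05:26 utm letsencrypt[44230]: E Renew certificate: COMMAND_FAILED: "status": "invalid",
2020:05:15-18:05:26 utm letsencrypt[44230]: E Renew certificate: COMMAND_FAILED: "error": {
2020:05:15-18:05:26 utm letsencrypt[44230]: E Renew certificate: COMMAND_FAILED: "type": "urn:ietf:params:acme:error:connection",
2020:05:15-18:05:26 utm letsencrypt[44230]: E Renew certificate: COMMAND_FAILED: "detail": "Fetching utm.bhatt-consulting.com/.../XQQMIkZLl-VmCNmzKk4dE65JUnfNUbCaAY3oY656HDM: Connection refused",
2020:05:15-18:05:26 utm letsencrypt[44230]: E Renew certificate: COMMAND_FAILED: "status": 400
2020:05:15-18:05:26 utm letsencrypt[44230]: E Renew certificate: COMMAND_FAILED: },
2020:05:15-18:05:26 utm letsencrypt[44230]: E Renew certificate: COMMAND_FAILED: "url": "acme-v02.api.letsencrypt.org/.../bnxBCw",
2020:05:15-18:05:26 utm letsencrypt[44230]: E Renew certificate: COMMAND_FAILED: "token": "XQQMIkZLl-VmCNmzKk4dE65JUnfNUbCaAY3oY656HDM",
2020:05:15-18:05:26 utm letsencrypt[44230]: E Renew certificate: COMMAND_FAILED: "validationRecord": [
2020:05:15-18:05:26 utm letsencrypt[44230]: E Renew certificate: COMMAND_FAILED: {
2020:05:15-18:05:26 utm letsencrypt[44230]: E Renew certificate: COMMAND_FAILED: "url": "utm.bhatt-consulting.com/.../XQQMIkZLl-VmCNmzKk4dE65JUnfNUbCaAY3oY656HDM",
2020:05:15-18:05:26 utm letsencrypt[44230]: E Renew certificate: COMMAND_FAILED: "hostname": "utm.bhatt-consulting.com",
2020:05:15-18:05:26 utm letsencrypt[44230]: E Renew certificate: COMMAND_FAILED: "port": "80",
2020:05:15-18:05:26 utm letsencrypt[44230]: E Renew certificate: COMMAND_FAILED: "addressesResolved": [
2020:05:15-18:05:26 utm letsencrypt[44230]: E Renew certificate: COMMAND_FAILED: "212.159.69.80"
2020:05:15-18:05:26 utm letsencrypt[44230]: E Renew certificate: COMMAND_FAILED: ],
2020:05:15-18:05:26 utm letsencrypt[44230]: E Renew certificate: COMMAND_FAILED: "addressUsed": "212.159.69.80"
2020:05:15-18:05:26 utm letsencrypt[44230]: E Renew certificate: COMMAND_FAILED: }
2020:05:15-18:05:26 utm letsencrypt[44230]: E Renew certificate: COMMAND_FAILED: ]
2020:05:15-18:05:26 utm letsencrypt[44230]: E Renew certificate: COMMAND_FAILED: })
2020:05:15-18:05:27 utm letsencrypt[44230]: I Renew certificate: execution completed (CSRs renewed: 0, failed: 1)
""".splitlines()

# Constructed sample input: the successful run from the final post.
OK_RUN = """\
2020:05:17-05:31:30 utm letsencrypt[29686]: I Renew certificate: command completed with exit code 0
2020:05:17-05:31:33 utm letsencrypt[29686]: I Renew certificate: execution completed (CSRs renewed: 1, failed: 0)
""".splitlines()

LINE_RE = re.compile(r"^\S+ \S+ letsencrypt\[\d+\]: [IE] (?P<msg>.*)$")

# Operator hints keyed on the ACME error type suffix (RFC 8555 section 6.7).
# The wording is this example's summary of the advice in the thread (assumption).
HINTS = {
    "connection": "nothing answered on {addr}:{port}; a DNAT rule, firewall rule or country block in front of the UTM is refusing the validator",
    "unauthorized": "{addr}:{port} answered but not with the token; another service owns /.well-known/acme-challenge/ on that port",
    "dns": "{host} did not resolve as expected; check the public DNS record",
    "rateLimited": "Let's Encrypt rate limit reached; stop retrying and wait",
}


def parse_renewal_log(lines):
    """Reassemble one 'Renew certificate' run, rebuilding the JSON challenge result."""
    run = {"exit_code": None, "renewed": 0, "failed": 0, "challenge": None}
    fragments, collecting = [], False
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # e.g. the [WARN-603] notification line has no level letter
        msg = m.group("msg")
        if "COMMAND_FAILED: " in msg:
            frag = msg.split("COMMAND_FAILED: ", 1)[1]
            if not collecting:
                start = re.search(r"\(result: (.*)$", frag)
                if start:  # the first fragment carries the opening brace
                    fragments, collecting = [start.group(1)], True
            elif frag == "})":  # dehydrated's closing paren wraps the JSON
                fragments.append("}")
                run["challenge"] = json.loads("\n".join(fragments))
                collecting = False
            else:
                fragments.append(frag)
            continue
        em = re.search(r"exit code (\d+)", msg)
        if em:
            run["exit_code"] = int(em.group(1))  # non-zero: dehydrated failed
        cm = re.search(r"CSRs renewed: (\d+), failed: (\d+)", msg)
        if cm:
            run["renewed"], run["failed"] = int(cm.group(1)), int(cm.group(2))
    return run


def diagnose(run):
    """Turn a parsed run into an operator-facing verdict with the first thing to check."""
    ch = run["challenge"]
    if ch is None:
        ok = run["exit_code"] == 0 and run["failed"] == 0
        return {"ok": ok, "hint": "renewed" if ok else "failed without a challenge result"}
    rec = (ch.get("validationRecord") or [{}])[0]
    err = ch.get("error", {})
    acme_error = err.get("type", "").rsplit(":", 1)[-1]
    hint = HINTS.get(acme_error, "unrecognised ACME error; read 'detail'")
    return {
        "ok": False,
        "challenge": ch.get("type"),
        "acme_error": acme_error,
        "port": rec.get("port"),
        "address": rec.get("addressUsed"),
        "detail": err.get("detail"),
        "hint": hint.format(port=rec.get("port"), addr=rec.get("addressUsed"), host=rec.get("hostname")),
    }
```

Run it over the UTM's letsencrypt log (`diagnose(parse_renewal_log(open(path)))` on one run's lines) and the `connection` verdict points straight at the question Emmanuel asked first: whether anything in front of 212.159.69.80:80 is intercepting the validator, rather than at the certificate or the ACME account. A `rateLimited` verdict is the only case where waiting, as Chris eventually did, is the right fix.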