
Renewal Let's Encrypt Certificate does not work reliably

Hello everybody,

For some days my Sophos UTM (firmware 9.601-5) has had strange problems with renewal of the Let's Encrypt certificate. Sometimes it works, but mostly not. I get the following error messages:

WebAdmin:
An error occurred while communicating with the Let's Encrypt server. Automatic renewals will try again during the next renewal attempt. Manual renewal can be attempted again at any time.

E-Mail:
[WARN-603] Let's Encrypt certificate renewal failed accessing Let's Encrypt service
Renewing Let's Encrypt certificate 'Test' has failed.
Reason for failure: An error occurred while communicating with the Let's Encrypt server.

Let's Encrypt Log:
2019:03:10-22:13:39 httpd[27149]: Restarting gracefully
2019:03:10-22:13:39 httpd[27153]: Not running
2019:03:10-22:13:39 httpd[27157]: Starting
2019:03:10-22:13:39 httpd[27164]: AH00112: Warning: DocumentRoot [/var/www/REF_DefaultInternalAddress] does not exist
2019:03:10-22:13:39 httpd[27164]: Syntax OK
2019:03:10-22:13:40 httpd[27190]: AH00112: Warning: DocumentRoot [/var/www/REF_DefaultInternalAddress] does not exist
2019:03:10-22:13:41 httpd[27192]: [proxy_protocol:notice] [pid 27192:tid 4147685056] ProxyProtocol: disabled on 127.0.0.1:4080
2019:03:10-22:13:41 httpd[27192]: [security2:notice] [pid 27192:tid 4147685056] ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/) configured.
2019:03:10-22:13:42 httpd[27194]: [proxy_protocol:notice] [pid 27194:tid 4147685056] ProxyProtocol: disabled on 127.0.0.1:4080
2019:03:10-22:13:42 httpd[27194]: [mpm_worker:notice] [pid 27194:tid 4147685056] AH00292: Apache/2.4.25 (Unix) OpenSSL/1.0.2j-fips configured -- resuming normal operations
2019:03:10-22:13:42 httpd[27194]: [core:notice] [pid 27194:tid 4147685056] AH00094: Command line: '/usr/apache/bin/httpd'
2019:03:10-22:13:42 httpd[27360]: Started
2019:03:10-22:14:08 httpd[27812]: Stopping
2019:03:10-22:14:08 httpd[27819]: AH00112: Warning: DocumentRoot [/var/www/REF_DefaultInternalAddress] does not exist
2019:03:10-22:14:08 httpd[27819]: Syntax OK
2019:03:10-22:14:09 httpd[27839]: AH00112: Warning: DocumentRoot [/var/www/REF_DefaultInternalAddress] does not exist
2019:03:10-22:14:09 httpd[27194]: [mpm_worker:notice] [pid 27194:tid 4147685056] AH00295: caught SIGTERM, shutting down
2019:03:10-22:14:10 httpd[27850]: Stopped
2019:03:10-22:15:22 httpd[28188]: Restarting gracefully
2019:03:10-22:15:22 httpd[28192]: Not running
2019:03:10-22:15:22 httpd[28196]: Starting
2019:03:10-22:15:22 httpd[28200]: AH00112: Warning: DocumentRoot [/var/www/REF_DefaultInternalAddress] does not exist
2019:03:10-22:15:22 httpd[28200]: Syntax OK
2019:03:10-22:15:23 httpd[28229]: AH00112: Warning: DocumentRoot [/var/www/REF_DefaultInternalAddress] does not exist
2019:03:10-22:15:24 httpd[28228]: [proxy_protocol:notice] [pid 28228:tid 4147631808] ProxyProtocol: disabled on 127.0.0.1:4080
2019:03:10-22:15:24 httpd[28228]: [security2:notice] [pid 28228:tid 4147631808] ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/) configured.
2019:03:10-22:15:25 httpd[28235]: [proxy_protocol:notice] [pid 28235:tid 4147631808] ProxyProtocol: disabled on 127.0.0.1:4080
2019:03:10-22:15:25 httpd[28235]: [mpm_worker:notice] [pid 28235:tid 4147631808] AH00292: Apache/2.4.25 (Unix) OpenSSL/1.0.2j-fips configured -- resuming normal operations
2019:03:10-22:15:25 httpd[28235]: [core:notice] [pid 28235:tid 4147631808] AH00094: Command line: '/usr/apache/bin/httpd'
2019:03:10-22:15:25 httpd[28401]: Started
2019:03:10-22:16:12 httpd: id="0299" srcip="66.133.109.36" localip="XXXXXXX" size="87" user="-" host="66.133.109.36" method="GET" statuscode="200" reason="-" extra="-" exceptions="SkipBlacklistDNSRBL, SkipBlacklistGeoIP, SkipAntiVirus, SkipTFT, SkipURLHardening, SkipThreatsFilter" time="744" url="/.well-known/acme-challenge/Ze2XJ-DzxmJQuiCsNWv9jownQRxBNUTlEl3Hpzn4Kww" server="XXXXXXX.de" port="80" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="XIV@nAoeUAEAAG7zltsAAAAA"
2019:03:10-22:16:14 httpd[29034]: Stopping
2019:03:10-22:16:14 httpd[29041]: AH00112: Warning: DocumentRoot [/var/www/REF_DefaultInternalAddress] does not exist
2019:03:10-22:16:14 httpd[29041]: Syntax OK
2019:03:10-22:16:14 httpd[29061]: AH00112: Warning: DocumentRoot [/var/www/REF_DefaultInternalAddress] does not exist
2019:03:10-22:16:14 httpd[28235]: [mpm_worker:notice] [pid 28235:tid 4147631808] AH00295: caught SIGTERM, shutting down
2019:03:10-22:16:15 httpd[29071]: Stopped

My Sophos UTM has a static public IPv4 and IPv6 address.

So far, I've tried the following to solve the problem.

1. Disable and re-enable Let's Encrypt (Web Server Protection -> Certificate Management -> Advanced -> Let's Encrypt Certificates) [this works fine]
2. Global deactivation of IPv6 (Interfaces & Routing -> IPv6 -> Global)
3. Global deactivation of country blocking.
4. I also made sure that there are no DNAT rules.
5. Disable DNSSEC on the DNS server responsible for the TLD.
6. Create a firewall rule that allows HTTP(S) and DNS access to the firewall's public IP interface.
7. Many restarts of the Sophos UTM.

I am desperate and have no idea what else I could try. I hope someone can help me. I do not understand why the certificate renewal works in rare cases but mostly does not.
Many thanks.
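The log in the post shows the one piece of the HTTP-01 flow that is visible on the UTM side: a GET from 66.133.109.36 for /.well-known/acme-challenge/<token> that the WAF answered with statuscode="200", followed by httpd being stopped. Before chasing DNS, GeoIP or firewall settings, a practitioner wants to pull every such validation request out of the WAF log and see which address family the validator came in over and whether each one got a 200. The script below is an added example for that check and is not part of the original post nor Sophos code. It parses the key="value" access-log layout shown above; the sample lines are constructed (the first mirrors the post's request, with the masked local address replaced by a documentation-range address, the IPv6 404 and the /index.html request are made up), and the 43-character base64url token length is the standard ACME HTTP-01 token size.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the Sophos UTM WAF httpd log format (the key="value" layout
# from the post). Line 2 mirrors the post's challenge request with the masked local
# address replaced by a documentation-range address; lines 3 and 4 are made up to
# show a failed lookup over IPv6 and an ordinary non-ACME request.
SAMPLE_LOG = """\
2019:03:10-22:15:25 httpd[28401]: Started
2019:03:10-22:16:12 httpd: id="0299" srcip="66.133.109.36" localip="192.0.2.10" size="87" user="-" host="66.133.109.36" method="GET" statuscode="200" reason="-" extra="-" exceptions="SkipBlacklistDNSRBL, SkipBlacklistGeoIP, SkipAntiVirus, SkipTFT, SkipURLHardening, SkipThreatsFilter" time="744" url="/.well-known/acme-challenge/Ze2XJ-DzxmJQuiCsNWv9jownQRxBNUTlEl3Hpzn4Kww" server="example.de" port="80" query="" referer="-" cookie="-" set-cookie="-"
2019:03:10-22:16:13 httpd: id="0299" srcip="2001:db8::1" localip="2001:db8::10" size="0" user="-" host="example.de" method="GET" statuscode="404" reason="-" extra="-" exceptions="-" time="12" url="/.well-known/acme-challenge/Ze2XJ-DzxmJQuiCsNWv9jownQRxBNUTlEl3Hpzn4Kww" server="example.de" port="80" query="" referer="-" cookie="-" set-cookie="-"
2019:03:10-22:16:20 httpd: id="0299" srcip="198.51.100.7" localip="192.0.2.10" size="512" user="-" host="example.de" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="30" url="/index.html" server="example.de" port="443" query="" referer="-" cookie="-" set-cookie="-"
2019:03:10-22:16:14 httpd[29034]: Stopping
"""

ACME_PATH = "/.well-known/acme-challenge/"
KV_RE = re.compile(r'(\S+?)="([^"]*)"')
# An ACME HTTP-01 token is 32 random bytes, base64url without padding: 43 chars.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{43}$")


@dataclass
class ChallengeHit:
    timestamp: str
    srcip: str
    family: int        # 4 or 6; 0 if srcip is not a literal address
    host: str
    status: int
    token: str
    token_ok: bool


def ip_family(addr: str) -> int:
    """Return 4 or 6 for a literal IP address, 0 for anything else ("-", hostnames)."""
    try:
        return ipaddress.ip_address(addr).version
    except ValueError:
        return 0


def parse_access_line(line: str) -> Optional[Tuple[str, Dict[str, str]]]:
    """Split a WAF access line into (timestamp, fields).

    Daemon lines look like '<ts> httpd[pid]: Started' and yield None; access
    lines look like '<ts> httpd: key="value" key="value" ...'.
    """
    parts = line.split(" ", 2)
    if len(parts) < 3 or parts[1] != "httpd:":
        return None
    return parts[0], dict(KV_RE.findall(parts[2]))


def challenge_hits(log_text: str) -> List[ChallengeHit]:
    """Extract every HTTP-01 validation request the WAF logged."""
    hits: List[ChallengeHit] = []
    for line in log_text.splitlines():
        parsed = parse_access_line(line)
        if parsed is None:
            continue
        ts, f = parsed
        url = f.get("url", "")
        if not url.startswith(ACME_PATH):
            continue
        token = url[len(ACME_PATH):]
        src = f.get("srcip", "-")
        hits.append(ChallengeHit(
            timestamp=ts,
            srcip=src,
            family=ip_family(src),
            host=f.get("host", "-"),
            status=int(f.get("statuscode") or 0),
            token=token,
            token_ok=bool(TOKEN_RE.match(token)),
        ))
    return hits


def failed_hits(hits: List[ChallengeHit]) -> List[ChallengeHit]:
    """Validation requests that did not get a 200, or whose token looks malformed."""
    return [h for h in hits if h.status != 200 or not h.token_ok]


def summarize(log_text: str) -> Dict[str, int]:
    """Counts to look at first: hits per address family and per outcome."""
    hits = challenge_hits(log_text)
    return {
        "total": len(hits),
        "ok": sum(1 for h in hits if h.status == 200 and h.token_ok),
        "failed": len(failed_hits(hits)),
        "ipv4": sum(1 for h in hits if h.family == 4),
        "ipv6": sum(1 for h in hits if h.family == 6),
    }


if __name__ == "__main__":
    for h in challenge_hits(SAMPLE_LOG):
        flag = "OK " if h.status == 200 and h.token_ok else "BAD"
        print(f"{flag} {h.timestamp} v{h.family} {h.srcip:>16} -> {h.status} {h.token}")
    print(summarize(SAMPLE_LOG))
```

Run it against the real file (on UTM the WAF log is the one shown under "Let's Encrypt Log" or the reverseproxy log) by replacing SAMPLE_LOG with the file contents. A renewal attempt that shows no challenge hit at all means the validator never reached the WAF (DNS, routing or a filter in front of port 80); a hit with a non-200 status or over an address family the UTM does not actually serve points at the listener or the AAAA record rather than at the ACME client.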


