Let's Encrypt Certificate Generation Failed

I'm trying to set up Let's Encrypt certificates for my user portal for the first time and am getting an error when trying to create them. This is the log (actual domains/IPs replaced with placeholders):

2019:12:20-09:33:02 remote letsencrypt[465]: I Renew certificate: handling CSR REF_CaCsrRemote for domain set [remote.domain.com]
2019:12:20-09:33:02 remote letsencrypt[465]: I Renew certificate: running command: /var/storage/chroot-reverseproxy/usr/dehydrated/bin/dehydrated -x -f /var/storage/chroot-reverseproxy/usr/dehydrated/conf/config -c --accept-terms --domain remote.domain.com
2019:12:20-09:33:21 remote letsencrypt[465]: I Renew certificate: command completed with exit code 256
2019:12:20-09:33:21 remote letsencrypt[465]: E Renew certificate: COMMAND_FAILED: ERROR: Challenge is invalid! (returned: invalid) (result: {
2019:12:20-09:33:21 remote letsencrypt[465]: E Renew certificate: COMMAND_FAILED: "type": "http-01",
2019:12:20-09:33:21 remote letsencrypt[465]: E Renew certificate: COMMAND_FAILED: "status": "invalid",
2019:12:20-09:33:21 remote letsencrypt[465]: E Renew certificate: COMMAND_FAILED: "error": {
2019:12:20-09:33:21 remote letsencrypt[465]: E Renew certificate: COMMAND_FAILED: "type": "urn:ietf:params:acme:error:connection",
2019:12:20-09:33:21 remote letsencrypt[465]: E Renew certificate: COMMAND_FAILED: "detail": "Fetching remote.domain.com/.../ipM_zY4XPqCtV8KPSAPmOrX61DQ2MYSvvHDutyc0ubQ: Timeout during connect (likely firewall problem)",
2019:12:20-09:33:21 remote letsencrypt[465]: E Renew certificate: COMMAND_FAILED: "status": 400
2019:12:20-09:33:21 remote letsencrypt[465]: E Renew certificate: COMMAND_FAILED: },
2019:12:20-09:33:21 remote letsencrypt[465]: E Renew certificate: COMMAND_FAILED: "url": "acme-v02.api.letsencrypt.org/.../nLm_kg",
2019:12:20-09:33:21 remote letsencrypt[465]: E Renew certificate: COMMAND_FAILED: "token": "ipM_zY4XPqCtV8KPSAPmOrX61DQ2MYSvvHDutyc0ubQ",
2019:12:20-09:33:21 remote letsencrypt[465]: E Renew certificate: COMMAND_FAILED: "validationRecord": [
2019:12:20-09:33:21 remote letsencrypt[465]: E Renew certificate: COMMAND_FAILED: {
2019:12:20-09:33:21 remote letsencrypt[465]: E Renew certificate: COMMAND_FAILED: "url": "remote.domain.com/.../ipM_zY4XPqCtV8KPSAPmOrX61DQ2MYSvvHDutyc0ubQ",
2019:12:20-09:33:21 remote letsencrypt[465]: E Renew certificate: COMMAND_FAILED: "hostname": "remote.domain.com",
2019:12:20-09:33:21 remote letsencrypt[465]: E Renew certificate: COMMAND_FAILED: "port": "80",
2019:12:20-09:33:21 remote letsencrypt[465]: E Renew certificate: COMMAND_FAILED: "addressesResolved": [
2019:12:20-09:33:21 remote letsencrypt[465]: E Renew certificate: COMMAND_FAILED: "111.111.111.111"
2019:12:20-09:33:21 remote letsencrypt[465]: E Renew certificate: COMMAND_FAILED: ],
2019:12:20-09:33:21 remote letsencrypt[465]: E Renew certificate: COMMAND_FAILED: "addressUsed": "111.111.111.111"
2019:12:20-09:33:21 remote letsencrypt[465]: E Renew certificate: COMMAND_FAILED: }
2019:12:20-09:33:21 remote letsencrypt[465]: E Renew certificate: COMMAND_FAILED: ]
2019:12:20-09:33:21 remote letsencrypt[465]: E Renew certificate: COMMAND_FAILED: })
2019:12:20-09:33:22 remote letsencrypt[465]: I Renew certificate: sending notification WARN-603
2019:12:20-09:33:22 remote letsencrypt[465]: [WARN-603] Let's Encrypt certificate renewal failed accessing Let's Encrypt service
2019:12:20-09:33:22 remote letsencrypt[465]: I Renew certificate: execution completed (CSRs renewed: 0, failed: 1)


Can anyone help with this?

  • Hi

    Does your UTM have a Public IP on WAN Interface or a private IP from ISP or upstream device?

    When the Let's Encrypt service in the UTM is activated, it will generate a token for the domain which needs to be verified by the Let's Encrypt server. So when the server initiates a connection and tries to search for the specific path for the token, it would retrieve it and mark it successful. In your case, the server is not able to fetch the token.

  • In reply to Jaydeep:

    The UTM has a public IP address on the interface which is the one given by my ISP - it's just the external address for my network. 

  • In reply to Jaydeep:

    We have our user portal running on port 4443 and it is accessible at https://remote.domain.com:4443

    Could this different port have anything to do with it?

  • In reply to Josh Marchant:

    Hello Josh,

    you can't use port 4443 for the validation process of Let's Encrypt, because they don't know about that port being opened.

    You have to use port 80 and 443, see this link: https://letsencrypt.org/docs/allow-port-80/

  • In reply to jprusch:

    Ok, that brings me to the next problem then. When I change the port to 443 it just doesn't work at all. 

  • In reply to Josh Marchant:

    Hello Josh,

    that's NOT the user portal you need to change. This is meant to be one or more web servers behind the UTM as the target for the requests, where the token can be placed to be verified by the Let's Encrypt mechanisms.

  • In reply to jprusch:

    Hi,

    Sorry, but I don't quite understand what you mean. I do not have any additional web servers set up behind the UTM; I just need the certificate for use with the user portal (currently on port 4443). Ideally, I would like the user portal to be accessible externally on 443 so the user does not need to enter a port number in the address.

    Thanks

    Josh

  • I've fixed this now. There was a DNAT rule pointing all external HTTP/HTTPS traffic to a local host that didn't exist. After turning this off the user portal worked fine on port 443 and the certificate was generated.
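As an added example for this thread (not Sophos UTM or dehydrated code), the Python below reassembles the challenge object that the UTM splits across its COMMAND_FAILED log lines, reads the validationRecord the way Jaydeep's reply describes (which hostname, port and address the Let's Encrypt validator actually tried for the http-01 token), compares the address used against the expected WAN IP, and maps the ACME error type from RFC 8555 to what to check on the firewall, including the DNAT case from the last post. The log excerpt, domain, IP address, token and URLs are constructed placeholders modelled on the thread's log, and the hint texts are this example's own guidance.

```python
"""Reassemble and diagnose an ACME http-01 challenge failure from a Sophos UTM
letsencrypt log excerpt. Added example for this thread, not UTM or dehydrated
code; all log lines, names, addresses and tokens below are constructed."""
import json
import re

# Constructed sample modelled on the thread's log: the JSON "result" object is
# split across syslog lines, each carrying the UTM's COMMAND_FAILED prefix.
SAMPLE_LOG = """\
2019:12:20-09:33:21 remote letsencrypt[465]: I Renew certificate: command completed with exit code 256
2019:12:20-09:33:21 remote letsencrypt[465]: E Renew certificate: COMMAND_FAILED: ERROR: Challenge is invalid! (returned: invalid) (result: {
2019:12:20-09:33:21 remote letsencrypt[465]: E Renew certificate: COMMAND_FAILED: "type": "http-01",
2019:12:20-09:33:21 remote letsencrypt[465]: E Renew certificate: COMMAND_FAILED: "status": "invalid",
2019:12:20-09:33:21 remote letsencrypt[465]: E Renew certificate: COMMAND_FAILED: "error": {
2019:12:20-09:33:21 remote letsencrypt[465]: E Renew certificate: COMMAND_FAILED: "type": "urn:ietf:params:acme:error:connection",
2019:12:20-09:33:21 remote letsencrypt[465]: E Renew certificate: COMMAND_FAILED: "detail": "Fetching http://remote.example.com/.well-known/acme-challenge/TOKEN_PLACEHOLDER: Timeout during connect (likely firewall problem)",
2019:12:20-09:33:21 remote letsencrypt[465]: E Renew certificate: COMMAND_FAILED: "status": 400
2019:12:20-09:33:21 remote letsencrypt[465]: E Renew certificate: COMMAND_FAILED: },
2019:12:20-09:33:21 remote letsencrypt[465]: E Renew certificate: COMMAND_FAILED: "url": "https://acme-v02.api.letsencrypt.org/acme/chall/PLACEHOLDER",
2019:12:20-09:33:21 remote letsencrypt[465]: E Renew certificate: COMMAND_FAILED: "token": "TOKEN_PLACEHOLDER",
2019:12:20-09:33:21 remote letsencrypt[465]: E Renew certificate: COMMAND_FAILED: "validationRecord": [
2019:12:20-09:33:21 remote letsencrypt[465]: E Renew certificate: COMMAND_FAILED: {
2019:12:20-09:33:21 remote letsencrypt[465]: E Renew certificate: COMMAND_FAILED: "url": "http://remote.example.com/.well-known/acme-challenge/TOKEN_PLACEHOLDER",
2019:12:20-09:33:21 remote letsencrypt[465]: E Renew certificate: COMMAND_FAILED: "hostname": "remote.example.com",
2019:12:20-09:33:21 remote letsencrypt[465]: E Renew certificate: COMMAND_FAILED: "port": "80",
2019:12:20-09:33:21 remote letsencrypt[465]: E Renew certificate: COMMAND_FAILED: "addressesResolved": [
2019:12:20-09:33:21 remote letsencrypt[465]: E Renew certificate: COMMAND_FAILED: "203.0.113.10"
2019:12:20-09:33:21 remote letsencrypt[465]: E Renew certificate: COMMAND_FAILED: ],
2019:12:20-09:33:21 remote letsencrypt[465]: E Renew certificate: COMMAND_FAILED: "addressUsed": "203.0.113.10"
2019:12:20-09:33:21 remote letsencrypt[465]: E Renew certificate: COMMAND_FAILED: }
2019:12:20-09:33:21 remote letsencrypt[465]: E Renew certificate: COMMAND_FAILED: ]
2019:12:20-09:33:21 remote letsencrypt[465]: E Renew certificate: COMMAND_FAILED: })
2019:12:20-09:33:22 remote letsencrypt[465]: I Renew certificate: sending notification WARN-603
"""

# Matches one UTM syslog line and captures the text after the COMMAND_FAILED prefix.
PREFIX = re.compile(r"^\S+\s+\S+\s+letsencrypt\[\d+\]:\s+E Renew certificate: COMMAND_FAILED:\s?(.*)$")

# RFC 8555 section 6.7 error types, mapped to what to check. Hints are this
# example's own guidance, not Let's Encrypt text.
HINTS = {
    "connection": "Validator could not connect to TCP/80 on the address it resolved: "
                  "check WAN firewall and DNAT rules for port 80 (and 443 if you redirect).",
    "dns": "Name did not resolve (or resolved inconsistently) from Let's Encrypt's resolvers.",
    "unauthorized": "Connected, but the wrong content came back: another host or service "
                    "is answering on that address, or the token is not being served.",
    "tls": "An HTTPS redirect was followed but the TLS handshake failed on the target.",
}


def extract_challenge(log_text):
    """Strip the syslog prefixes, cut away dehydrated's 'ERROR: ... (result: '
    wrapper and the closing ')', and parse the JSON challenge object.
    Returns None when the excerpt carries no result object."""
    fragments = [m.group(1) for m in map(PREFIX.match, log_text.splitlines()) if m]
    blob = "\n".join(fragments)
    start, end = blob.find("(result: "), blob.rfind(")")
    if start < 0 or end < 0:
        return None
    return json.loads(blob[start + len("(result: "):end])


def challenge_url(hostname, token):
    """The URL an http-01 validator fetches (RFC 8555 section 8.3), always over port 80."""
    return f"http://{hostname}/.well-known/acme-challenge/{token}"


def wan_ip_matches(challenge, expected_wan_ip):
    """True when the validator connected to the address you expect (your WAN IP);
    False points at stale or wrong DNS rather than a firewall/DNAT problem."""
    records = challenge.get("validationRecord") or []
    return bool(records) and records[-1].get("addressUsed") == expected_wan_ip


def diagnose(challenge):
    """Summarise what the validator tried and why it failed, with a firewall hint."""
    err = challenge.get("error") or {}
    short_type = err.get("type", "").rsplit(":", 1)[-1]
    # The last validation record is the final hop after any redirects.
    rec = (challenge.get("validationRecord") or [{}])[-1]
    return {
        "challenge": challenge.get("type"),
        "hostname": rec.get("hostname"),
        "port": int(rec.get("port") or 0),
        "address": rec.get("addressUsed"),
        "error_type": short_type,
        "detail": err.get("detail", ""),
        "hint": HINTS.get(short_type, "Unrecognised ACME error type; read the detail field."),
    }


if __name__ == "__main__":
    ch = extract_challenge(SAMPLE_LOG)
    for key, value in diagnose(ch).items():
        print(f"{key:>10}: {value}")
    print("WAN IP ok:", wan_ip_matches(ch, "203.0.113.10"))
```

Run against a real UTM log excerpt, the interesting fields are port (always 80 for http-01, which is why the 4443 portal is irrelevant to validation) and addressUsed: if it is your WAN IP and the error type is connection, the traffic reached your edge and something on the UTM (firewall rule, DNAT, or nothing listening) swallowed it, which is exactly the DNAT-to-a-missing-host case the thread ends on.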