Let's Encrypt error

After I enabled Let's Encrypt (under WAF), I get this error:

Logging:

2018:09:24-12:14:12 mail letsencrypt[8563]: I Create account: creating new Let's Encrypt acccount
2018:09:24-12:14:12 mail letsencrypt[8563]: E Create account: TOS_UNAVAILABLE: Failed to retrieve current Terms of Service from remote server: 500 SSL_ca_path /etc/ssl/certs is not accessable
2018:09:24-12:14:12 mail letsencrypt[8563]: E Create account: failed to create account
  • I'm wondering where you found the Let's Encrypt setting in the first place? Can't locate it :(

  • In reply to HeineMadsen1:

    WAF --> Certificates --> Advanced ;)

  • twister5800

    After I enabled Let's Encrypt (under WAF), I get this error:

    Thanks for reporting this. Unfortunately the permissions of /etc/ssl/certs are not set properly by the Beta update.

    You can fix this on the command line:

    chmod 0755 /etc/ssl/certs

    Then try again to enable Let's Encrypt.

    We're tracking this as NUTM-10315.
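    The error in the opening post ("SSL_ca_path /etc/ssl/certs is not accessable") is what an unprivileged TLS client sees when the CA directory cannot be listed or traversed. The following check is an added example for this thread, not UTM or Sophos code: it reports why a CA directory is unusable as SSL_ca_path, flags the opposite mistake (world-writable), and reproduces the chmod 0755 fix above on a constructed temporary directory. Run `ca_path_problems("/etc/ssl/certs")` to check a real system.

```python
"""Check whether an OpenSSL CA directory (SSL_ca_path) is usable by an
unprivileged process.

Added example for this thread, not UTM or Sophos code: it models the failure
"SSL_ca_path /etc/ssl/certs is not accessable" as a directory-permission
problem and verifies the chmod 0755 fix. demo() uses a constructed temp
directory; ca_path_problems() can be pointed at a real path.
"""
import os
import re
import shutil
import stat
import tempfile

# OpenSSL (and an ACME client running as a non-root user) needs to list and
# traverse the directory: read + execute for "others".
REQUIRED_OTHER_BITS = stat.S_IROTH | stat.S_IXOTH

# c_rehash / openssl rehash create links named <8 hex digits>.<n>, e.g. 4a6481c9.0
HASH_LINK = re.compile(r"^[0-9a-f]{8}\.\d+$")


def ca_path_problems(path: str) -> list:
    """Return human-readable problems with a CA directory; an empty list means
    a non-root process can use it as SSL_ca_path."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path} does not exist"]
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path} is not a directory"]

    problems = []
    mode = stat.S_IMODE(st.st_mode)
    if (mode & REQUIRED_OTHER_BITS) != REQUIRED_OTHER_BITS:
        problems.append(f"{path} mode is {mode:04o}; others need r-x (chmod 0755 {path})")
    if mode & stat.S_IWOTH:
        # Too open is a different problem: anyone could drop in a trusted CA.
        problems.append(f"{path} is world-writable ({mode:04o})")

    try:
        names = os.listdir(path)
    except PermissionError:
        problems.append(f"{path} cannot be listed by the current user")
        return problems
    if not any(n.endswith((".pem", ".crt")) or HASH_LINK.match(n) for n in names):
        problems.append(f"{path} holds no PEM/CRT files or rehash links")
    return problems


def demo() -> dict:
    """Constructed scenario: a CA dir created 0700 (like the broken beta state),
    then fixed with the chmod from the thread. Returns both check results."""
    d = tempfile.mkdtemp()  # mkdtemp creates the directory with mode 0700
    try:
        open(os.path.join(d, "ca.pem"), "w").close()  # placeholder CA file
        before = ca_path_problems(d)
        os.chmod(d, 0o755)  # the fix posted above
        after = ca_path_problems(d)
    finally:
        shutil.rmtree(d)
    return {"before": before, "after": after}


if __name__ == "__main__":
    for label, probs in demo().items():
        print(label, "->", probs or "OK")
```

    The check is deliberately based on the mode bits rather than `os.access()`, because a root shell on the appliance would pass an access test even though the chrooted, unprivileged client fails.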

  • In reply to HeineMadsen1:

    HeineMadsen1

    I'm wondering where you found the Let's Encrypt setting in the first place? Can't locate it :(

    You have to enable Let's Encrypt in Webserver Protection / Certificate Management / Advanced. Before you do that please change the permissions of /etc/ssl/certs on the command line as outlined in my other post.

    Then you can choose method "Let's Encrypt" when you create a new certificate.

  • In reply to ewadie:

    And we are happy:

    2018:09:24-13:48:39 mail letsencrypt[22832]: I Create account: creating new Let's Encrypt acccount
    2018:09:24-13:48:40 mail letsencrypt[22832]: I Create account: running command: /var/storage/chroot-reverseproxy/usr/dehydrated/bin/dehydrated -f /var/storage/chroot-reverseproxy/usr/dehydrated/conf/config --register --accept-terms

    :-)

  • In reply to twister5800:

    Here? Can't find it.

  • In reply to twister5800:

    You can type wildcard names, which gives error notifications; UTM should deny even creating them in WebAdmin :-)

    2018:09:24-13:52:06 mail letsencrypt[23910]: E Renew certificate: COMMAND_FAILED: Connection: close
    2018:09:24-13:52:06 mail letsencrypt[23910]: E Renew certificate: COMMAND_FAILED:
    2018:09:24-13:52:06 mail letsencrypt[23910]: E Renew certificate: COMMAND_FAILED: {
    2018:09:24-13:52:06 mail letsencrypt[23910]: E Renew certificate: COMMAND_FAILED: "type": "urn:acme:error:malformed",
    2018:09:24-13:52:06 mail letsencrypt[23910]: E Renew certificate: COMMAND_FAILED: "detail": "Error creating new authz :: Wildcard names not supported",
    2018:09:24-13:52:06 mail letsencrypt[23910]: E Renew certificate: COMMAND_FAILED: "status": 400
    2018:09:24-13:52:06 mail letsencrypt[23910]: E Renew certificate: COMMAND_FAILED: }
    2018:09:24-13:52:07 mail letsencrypt[23910]: I Renew certificate: sending notification WARN-603
    2018:09:24-13:52:07 mail letsencrypt[23910]: [WARN-603] Let's Encrypt certificate renewal failed accessing Let's Encrypt service
    2018:09:24-13:52:07 mail letsencrypt[23910]: I Renew certificate: execution completed (CSRs renewed: 0, failed: 1)

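    The log above splits the ACME problem document across several COMMAND_FAILED lines, which makes it hard to alert on. The parser below is an added example for this thread, not UTM code: the line layout is inferred from the lines posted here, and the JSON fragments are reassembled so that the error type, detail and status, the WARN notification and the renewal counts come out as one record. The sample input is the log posted above, embedded verbatim.

```python
"""Pull the ACME error out of Sophos UTM letsencrypt log lines.

Added example for this thread, not UTM code: the log layout is inferred from
the lines posted here, and the ACME JSON body is reassembled from the
COMMAND_FAILED fragments so that type/detail/status can be reported as one
record (e.g. for alerting on renewal failures).
"""
import json
import re

# Constructed sample: the renewal failure posted in this thread, verbatim.
SAMPLE_LOG = """\
2018:09:24-13:52:06 mail letsencrypt[23910]: E Renew certificate: COMMAND_FAILED: Connection: close
2018:09:24-13:52:06 mail letsencrypt[23910]: E Renew certificate: COMMAND_FAILED:
2018:09:24-13:52:06 mail letsencrypt[23910]: E Renew certificate: COMMAND_FAILED: {
2018:09:24-13:52:06 mail letsencrypt[23910]: E Renew certificate: COMMAND_FAILED: "type": "urn:acme:error:malformed",
2018:09:24-13:52:06 mail letsencrypt[23910]: E Renew certificate: COMMAND_FAILED: "detail": "Error creating new authz :: Wildcard names not supported",
2018:09:24-13:52:06 mail letsencrypt[23910]: E Renew certificate: COMMAND_FAILED: "status": 400
2018:09:24-13:52:06 mail letsencrypt[23910]: E Renew certificate: COMMAND_FAILED: }
2018:09:24-13:52:07 mail letsencrypt[23910]: I Renew certificate: sending notification WARN-603
2018:09:24-13:52:07 mail letsencrypt[23910]: [WARN-603] Let's Encrypt certificate renewal failed accessing Let's Encrypt service
2018:09:24-13:52:07 mail letsencrypt[23910]: I Renew certificate: execution completed (CSRs renewed: 0, failed: 1)
"""

# timestamp host letsencrypt[pid]: rest
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"letsencrypt\[(?P<pid>\d+)\]: (?P<rest>.*)$"
)
FAILED_RE = re.compile(r"^[EIW] (?P<action>[^:]+): COMMAND_FAILED:\s?(?P<frag>.*)$")
NOTIFY_RE = re.compile(r"^\[(?P<code>[A-Z]+-\d+)\] (?P<text>.*)$")
SUMMARY_RE = re.compile(r"CSRs renewed: (?P<ok>\d+), failed: (?P<failed>\d+)")


def parse_letsencrypt_log(text: str) -> dict:
    """Return a summary dict: action, acme_error (dict or None), notification
    code, renewed/failed counts and any lines that did not match the layout."""
    frags = []
    result = {
        "action": None, "acme_error": None, "notification": None,
        "renewed": None, "failed": None, "unparsed": [],
    }
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            result["unparsed"].append(line)
            continue
        rest = m.group("rest")
        f = FAILED_RE.match(rest)
        if f:
            result["action"] = f.group("action")
            frags.append(f.group("frag"))
            continue
        n = NOTIFY_RE.match(rest)
        if n:
            result["notification"] = n.group("code")
            continue
        s = SUMMARY_RE.search(rest)
        if s:
            result["renewed"], result["failed"] = int(s.group("ok")), int(s.group("failed"))

    # The problem document arrives one fragment per line, preceded by a stray
    # HTTP header fragment ("Connection: close"); join and cut out the braces.
    joined = " ".join(frags)
    start, end = joined.find("{"), joined.rfind("}")
    if start != -1 and end > start:
        try:
            result["acme_error"] = json.loads(joined[start:end + 1])
        except json.JSONDecodeError:
            result["acme_error"] = {"raw": joined[start:end + 1]}
    return result


def explain(summary: dict) -> str:
    """One-line operator hint for the parsed failure."""
    err = summary.get("acme_error") or {}
    detail = err.get("detail", "")
    if "Wildcard names not supported" in detail:
        return "request contains a wildcard name; this ACME endpoint cannot issue it"
    if err:
        return f"ACME {err.get('type', '?')} ({err.get('status', '?')}): {detail}"
    return "no ACME error found in log"


if __name__ == "__main__":
    summary = parse_letsencrypt_log(SAMPLE_LOG)
    print(json.dumps(summary, indent=2))
    print(explain(summary))
```

    Feeding the parser the reverse-proxy letsencrypt log on a schedule and alerting when `failed` is non-zero or `notification` is set catches a renewal failure well before the certificate expires, instead of relying on the WARN-603 mail being read.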
  • In reply to HeineMadsen1:

    Try the CERTIFICATES MENU :-)

  • In reply to HeineMadsen1:

    Have you installed the beta?

  • In reply to twister5800:

    twister5800

    You can type wildcard names, which gives error notifications; UTM should deny even creating them in WebAdmin :-)

    2018:09:24-13:52:06 mail letsencrypt[23910]: E Renew certificate: COMMAND_FAILED: Connection: close
    2018:09:24-13:52:06 mail letsencrypt[23910]: E Renew certificate: COMMAND_FAILED:
    2018:09:24-13:52:06 mail letsencrypt[23910]: E Renew certificate: COMMAND_FAILED: {
    2018:09:24-13:52:06 mail letsencrypt[23910]: E Renew certificate: COMMAND_FAILED: "type": "urn:acme:error:malformed",
    2018:09:24-13:52:06 mail letsencrypt[23910]: E Renew certificate: COMMAND_FAILED: "detail": "Error creating new authz :: Wildcard names not supported",
    2018:09:24-13:52:06 mail letsencrypt[23910]: E Renew certificate: COMMAND_FAILED: "status": 400
    2018:09:24-13:52:06 mail letsencrypt[23910]: E Renew certificate: COMMAND_FAILED: }
    2018:09:24-13:52:07 mail letsencrypt[23910]: I Renew certificate: sending notification WARN-603
    2018:09:24-13:52:07 mail letsencrypt[23910]: [WARN-603] Let's Encrypt certificate renewal failed accessing Let's Encrypt service
    2018:09:24-13:52:07 mail letsencrypt[23910]: I Renew certificate: execution completed (CSRs renewed: 0, failed: 1)

    Thank you for your feedback. We've filed this issue internally and are tracking it now as NUTM-10316.

  • In reply to twister5800:

    twister5800

    You can type wildcard names, which gives error notifications; UTM should deny even creating them in WebAdmin :-)

    No please don't deny it, but properly support wildcard domains (which are supported by Let's Encrypt).

  • In reply to apijnappels:

    Perfectly agree ;)

  • In reply to apijnappels:

    Real support for wildcard domains is definitely out of scope for UTM 9.6. If you really need wildcard support for Let's Encrypt certificates, please raise it as a feature request on https://ideas.sophos.com/.

    Sorry!

  • In reply to apijnappels:

    apijnappels
    No please don't deny it, but properly support wildcard domains (which are supported by Let's Encrypt).

    As you can see from the logs, Sophos is using the "old" Let's Encrypt API. Creating wildcard certificates is not supported by this API.

    So it would be a huge effort for them to change this behavior.