Let's encrypt error

After I enabled Let's Encrypt (under WAF), I get this error:

Logging:

2018:09:24-12:14:12 mail letsencrypt[8563]: I Create account: creating new Let's Encrypt acccount
2018:09:24-12:14:12 mail letsencrypt[8563]: E Create account: TOS_UNAVAILABLE: Failed to retrieve current Terms of Service from remote server: 500 SSL_ca_path /etc/ssl/certs is not accessable
2018:09:24-12:14:12 mail letsencrypt[8563]: E Create account: failed to create account
  • twister5800 said:

    After I enabled Let's Encrypt (under WAF), I get this error:

    Thanks for reporting this. Unfortunately, the permissions of /etc/ssl/certs are not set properly by the Beta update.

    You can fix this on the command line:

    chmod 0755 /etc/ssl/certs

    Then try again to enable Let's Encrypt.

    We're tracking this as NUTM-10315.

  • And we are happy:

    2018:09:24-13:48:39 mail letsencrypt[22832]: I Create account: creating new Let's Encrypt acccount
    2018:09:24-13:48:40 mail letsencrypt[22832]: I Create account: running command: /var/storage/chroot-reverseproxy/usr/dehydrated/bin/dehydrated -f /var/storage/chroot-reverseproxy/usr/dehydrated/conf/config --register --accept-terms

    :-)

    -----

    Best regards
    Martin

    Sophos XGS 2100 @ Home | Sophos v20 Architect

  • You can type wildcard names, which gives error notifications; UTM should deny even creating them in WebAdmin :-)

    2018:09:24-13:52:06 mail letsencrypt[23910]: E Renew certificate: COMMAND_FAILED: Connection: close
    2018:09:24-13:52:06 mail letsencrypt[23910]: E Renew certificate: COMMAND_FAILED:
    2018:09:24-13:52:06 mail letsencrypt[23910]: E Renew certificate: COMMAND_FAILED: {
    2018:09:24-13:52:06 mail letsencrypt[23910]: E Renew certificate: COMMAND_FAILED: "type": "urn:acme:error:malformed",
    2018:09:24-13:52:06 mail letsencrypt[23910]: E Renew certificate: COMMAND_FAILED: "detail": "Error creating new authz :: Wildcard names not supported",
    2018:09:24-13:52:06 mail letsencrypt[23910]: E Renew certificate: COMMAND_FAILED: "status": 400
    2018:09:24-13:52:06 mail letsencrypt[23910]: E Renew certificate: COMMAND_FAILED: }
    2018:09:24-13:52:07 mail letsencrypt[23910]: I Renew certificate: sending notification WARN-603
    2018:09:24-13:52:07 mail letsencrypt[23910]: [WARN-603] Let's Encrypt certificate renewal failed accessing Let's Encrypt service
    2018:09:24-13:52:07 mail letsencrypt[23910]: I Renew certificate: execution completed (CSRs renewed: 0, failed: 1)

    -----

    Best regards
    Martin

    Sophos XGS 2100 @ Home | Sophos v20 Architect

  • twister5800 said:

    You can type wildcard names, which gives error notifications; UTM should deny even creating them in WebAdmin :-)

    2018:09:24-13:52:06 mail letsencrypt[23910]: E Renew certificate: COMMAND_FAILED: Connection: close
    2018:09:24-13:52:06 mail letsencrypt[23910]: E Renew certificate: COMMAND_FAILED:
    2018:09:24-13:52:06 mail letsencrypt[23910]: E Renew certificate: COMMAND_FAILED: {
    2018:09:24-13:52:06 mail letsencrypt[23910]: E Renew certificate: COMMAND_FAILED: "type": "urn:acme:error:malformed",
    2018:09:24-13:52:06 mail letsencrypt[23910]: E Renew certificate: COMMAND_FAILED: "detail": "Error creating new authz :: Wildcard names not supported",
    2018:09:24-13:52:06 mail letsencrypt[23910]: E Renew certificate: COMMAND_FAILED: "status": 400
    2018:09:24-13:52:06 mail letsencrypt[23910]: E Renew certificate: COMMAND_FAILED: }
    2018:09:24-13:52:07 mail letsencrypt[23910]: I Renew certificate: sending notification WARN-603
    2018:09:24-13:52:07 mail letsencrypt[23910]: [WARN-603] Let's Encrypt certificate renewal failed accessing Let's Encrypt service
    2018:09:24-13:52:07 mail letsencrypt[23910]: I Renew certificate: execution completed (CSRs renewed: 0, failed: 1)

    Thank you for your feedback. We've filed this issue internally and are tracking it now as NUTM-10316.

  • twister5800 said:

    You can type wildcard names, which gives error notifications; UTM should deny even creating them in WebAdmin :-)

    No, please don't deny it, but rather properly support wildcard domains (which are supported by Let's Encrypt).

    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improving IT security and happy to help others with their IT security challenges.

  • Perfectly agree ;)

    -----

    Best regards
    Martin

    Sophos XGS 2100 @ Home | Sophos v20 Architect

  • Real support for wildcard domains is definitely out of scope for UTM 9.6. If you really need wildcard support for Let's Encrypt certificates, please raise it as a feature request on https://ideas.sophos.com/.

    Sorry!

  • apijnappels said:
    No please don't deny it, but properly support wildcard domains (which are supported by Let's Encrypt).

    As you can see from the logs, Sophos is using the "old" Let's Encrypt API. This API does not support creating wildcard certificates.

    So it would be a huge effort for them to change this behavior.

    Please send me Spam gueselkuebel@sg-utm.also-solutions.ch
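    An added preflight script (not from this thread or from Sophos) that checks the two failure modes discussed above before enabling Let's Encrypt: the unreadable SSL_ca_path that the chmod fixed, and wildcard names that the ACME endpoint rejects. It assumes a POSIX sh, the standard `ls -ld` permission-string layout, and a constructed sample of the thread's log lines.

```shell
#!/bin/sh
# Added example: preflight for the two Let's Encrypt failures in this thread.
# Assumptions: POSIX sh, 'ls -ld' permission-string layout, sample log constructed.

# 0 if the CA directory is at least r-x for group and other (the thread's
# fix was chmod 0755 /etc/ssl/certs), 1 if it is missing or too restrictive.
ca_path_ok() {
    dir="${1:-/etc/ssl/certs}"
    [ -d "$dir" ] || return 1
    case "$(ls -ldL "$dir")" in
        d???r?[xs]r?[xt]*) return 0 ;;
    esac
    return 1
}

# 0 if any given name contains '*'. The ACME v1 endpoint used by UTM answers
# 'Wildcard names not supported' for such names, so catch them before a CSR.
has_wildcards() {
    found=1
    for name in "$@"; do
        case "$name" in
            *\**) echo "wildcard name: $name"; found=0 ;;
        esac
    done
    return $found
}

# Reads letsencrypt log lines on stdin and prints one tag per error line:
# ca_path_perms, wildcard, or other_error (info lines print nothing).
classify_log() {
    while IFS= read -r line; do
        case "$line" in
            *"SSL_ca_path "*" is not accessable"*) echo ca_path_perms ;;
            *"Wildcard names not supported"*)      echo wildcard ;;
            *" E "*)                               echo other_error ;;
        esac
    done
}

# Constructed sample: the two error lines from the thread plus one info line.
SAMPLE_LOG='2018:09:24-12:14:12 mail letsencrypt[8563]: E Create account: TOS_UNAVAILABLE: Failed to retrieve current Terms of Service from remote server: 500 SSL_ca_path /etc/ssl/certs is not accessable
2018:09:24-13:52:06 mail letsencrypt[23910]: E Renew certificate: COMMAND_FAILED: "detail": "Error creating new authz :: Wildcard names not supported",
2018:09:24-13:52:07 mail letsencrypt[23910]: I Renew certificate: execution completed (CSRs renewed: 0, failed: 1)'

# Stand-alone use: ./preflight.sh mail.example.com '*.example.com'
ca_path_ok || echo "fix: chmod 0755 /etc/ssl/certs, then re-enable Let's Encrypt"
has_wildcards "$@" && echo "remove wildcard names; this ACME endpoint rejects them"
printf '%s\n' "$SAMPLE_LOG" | classify_log
```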
