
Let's Encrypt failing

Getting the following error when requesting a Let's Encrypt certificate:

"type":"urn:ietf:params:acme:error:connection"
"detail":"xx.xx.xx.xx: Fetching xxxxxxxxxxxx/.../mhmbdFphj1tfMCrRkrqqrp2CrgNY54ipSQeI66mcGFQ: Timeout during connect (likely firewall problem)"
"status":400

Sophos says:

There are three main things to check:
• First, that the firewall port can be reached on port 80.
• Second, that the domain in the certificate request resolves the interface selected.
• Third, that there is no DNAT rule configured on port 80, as this will supersede the inbound requests.

Firewall can't be reached on Port 80 - but my understanding is that port 80 is only opened for the time the certificate request is checked. I've done a packet capture on the interface WAN IP and Port 80 and nothing comes in.

The domain definitely resolves to the interface selected

There are no DNAT rules configured on Port 80

Notably, I'm using Sophos XGS in Azure - but there is an inbound rule in the NSG to allow all traffic and all ports

Any ideas?
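A client-side way to run the three checks from the Sophos guidance above, as an added example (not from the post, and not Sophos code). It assumes the unredacted ACME "detail" has the shape `<validator IP>: Fetching <URL>: <reason>`, and the host name vpn.example.com, the address 203.0.113.10 and the token are constructed placeholders.

```python
import re
import socket
import urllib.request

CHALLENGE_PATH = "/.well-known/acme-challenge/"
DETAIL_RE = re.compile(r"^(?P<ip>[0-9A-Fa-f.:]+): Fetching (?P<url>\S+): (?P<reason>.+)$")


def parse_detail(detail):
    """Split an ACME problem 'detail' into validator IP, host, token and reason."""
    m = DETAIL_RE.match(detail)
    if not m:
        return None
    url = m.group("url")
    host = url.split("://", 1)[-1].split("/", 1)[0]
    token = url.rsplit("/", 1)[-1] if CHALLENGE_PATH in url else None
    return {"ip": m.group("ip"), "host": host, "token": token, "reason": m.group("reason")}

def resolve_all(host):
    """All A and AAAA answers: a stray AAAA matters, since IPv6-capable
    validators try it instead of the A record you expect."""
    return sorted({a[4][0] for a in socket.getaddrinfo(host, 80, type=socket.SOCK_STREAM)})

def check_dns(host, expected_ip, resolve=resolve_all):
    """Check 2: the name resolves to the selected interface and nothing else.
    `resolve` is injectable so the check can be exercised offline."""
    answers = resolve(host)
    return answers == [expected_ip], answers

def check_tcp(ip, port=80, timeout=5.0):
    """Check 1: 'timeout' means the SYN is dropped somewhere in the path
    (the symptom on this page); 'refused' means the host itself answered."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:
        return f"error: {exc}"

def fetch_challenge(host, ip, token, timeout=5.0):
    """Check 3: fetch the token by IP with an explicit Host header, as the
    validator does; a DNAT on port 80 shows up as another server's reply."""
    req = urllib.request.Request(f"http://{ip}{CHALLENGE_PATH}{token}", headers={"Host": host})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(200).decode("ascii", "replace")
    except Exception as exc:  # URLError, HTTPError, timeout
        return None, str(exc)
```

Run the TCP and fetch checks from a host outside the network and while a certificate request is actually in flight, since the firewall only listens on port 80 during validation. A "timeout" result alongside an empty capture on the WAN interface means the SYNs are being dropped before they reach the firewall, not by it.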



Added TAGs
[edited by: Erick Jan at 8:01 AM (GMT -8) on 7 Nov 2024]