Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Verified Answer
  • Replies 6 replies
  • Subscribers 40 subscribers
  • Views 1140 views
  • Users 0 members are here
Options
Suggested

Lets Encypt failing

Stuart James

Getting the following error requesting Lets Encypt certificate

"type":"urn:ietf:params:acme:error:connection"
"detail":"xx.xx.xx.xx: Fetching xxxxxxxxxxxx/.../mhmbdFphj1tfMCrRkrqqrp2CrgNY54ipSQeI66mcGFQ: Timeout during connect (likely firewall problem)"
"status":400

Sophos says:

There are three main things to check:
• First, that the firewall port can be reached on port 80.
• Second, that the domain in the certificate request resolves the interface selected.
• Third, that there is no DNAT rule configured on port 80, as this will supersede the inbound requests

Firewall can't be reached on Port 80 - but my understanding is that port 80 is only opened for the time the certificate request is checked. I've done a packet capture on the interface WAN IP and Port 80 and nothing comes in

The domain definitely resolves to the interface selected

There are no DNAT rules configured on Port 80

Notably, I'm using Sophos XGS in Azure - but there is an inbound rule in the NSG to allow all traffic and all ports

Any ideas?



Added TAGs
[edited by: Erick Jan at 8:01 AM (GMT -8) on 7 Nov 2024]
Parents Reply
  • 0 in reply to LuCar Toni

    GA.

    Some additional info that I've just found. If I try and access port 80 on the firewalls primary Port B address, it works fine. If I try and access port 80 on the firewalls secondary addresses, all of them fail.

    BUT, I can access ports that have active NAT rules on the secondary addresses going to various servers, so it looks like the firewall itself isn't responding to secondary addresses destined for the system itself.

    I'll keep digging a bit further and see what I can find.

Children
Unfiltered HTML