Sophos Firewall 21 daily letsencrypt request error

Question

Apparently since the last firmware update my Sophos Home Firewall has been renewing my LetsEncrypt certificates daily, which has caused an error on LetsEncrypts end since I am basically flooding their service. This has resulted in all of the letsencrypt certs not being renewed and I have had to disable the function in order to let the clock reset. 
 Has anyone else had this bug?

LuCar Toni · Answer

SFOS should only try it once per day (not multiple times). We have some improvements to change the timer of this action to be on a different time of the day to spread the renewal process. But basically i would rather recommend to check the reason for the first fail in the logs. 
 If you used the EAP to generate the LE - Please delete the certificate and create a new one.

AttilaKovacs · Answer

Which version are you on currently? There has been an issue when the renewal could get stuck in a loop even though the validation was successful for a domain, which would eventually cause the rate limit to trigger on the Let's Encrypt side, blocking you from using the service for a while. This should now be fixed in v21 MR1.

AttilaKovacs · Answer

Yes, unfortunately if you run into the rate limit issue, then all your certificates will be flagged on the UI, however that's not a valid error flag, all are usable, except the one with the type CSR, which is also the one causing the issue itself. It was the one that hit the rate limit due to the bug I've mentioned. You have to delete that CSR and wait at least one week before trying to recreate it, otherwise it will just reset the rate limit ban. The warning flag should disappear from the other certificates after the next refresh cycle, which happens randomly during the night, so you can expect them to disappear the day after you have removed the CSR.

Sophos Firewall 21 daily letsencrypt request error

Top Replies