I'm not able to get a valid Let's Encrypt certificate.
In the Logs I have the following:
2019:02:21-05:07:03 gate letsencrypt[25571]: I Check renewal: renew REF_CaCsrG*******n (domains: ga***********.ch): certificate valid until Jan 1 00:00:01 2038 GMT (temporary certificate)
2019:02:21-05:08:03 gate letsencrypt[25891]: I Renew certificate: handling CSR REF_CaCsrG*******n for domain set [ga***********.ch]
2019:02:21-05:08:04 gate letsencrypt[25891]: I Renew certificate: running command: /var/storage/chroot-reverseproxy/usr/dehydrated/bin/dehydrated -x -f /var/storage/chroot-reverseproxy/usr/dehydrated/conf/config -c --accept-terms --domain ga***********.ch
2019:02:21-05:08:38 gate letsencrypt[25891]: I Renew certificate: command completed with exit code 256
2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED: ERROR: Challenge is invalid! (returned: invalid) (result: {
2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED: "type": "http-01",
2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED: "status": "invalid",
2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED: "error": {
2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED: "type": "urn:acme:error:connection",
2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED: "detail": "Fetching ga***********.ch/.../-6Wi_R9aEmcMIpOyAZ2-qCNDTRu6_eNiRdAkvLYiD0s: Timeout during connect (likely firewall problem)",
2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED: "status": 400
2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED: },
2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED: "uri": "acme-v01.api.letsencrypt.org/.../12820172239",
2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED: "token": "-6Wi_R9aEmcMIpOyAZ2-qCNDTRu6_eNiRdAkvLYiD0s",
2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED: "validationRecord": [
2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED: {
2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED: "url": "ga***********.ch/.../-6Wi_R9aEmcMIpOyAZ2-qCNDTRu6_eNiRdAkvLYiD0s",
2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED: "hostname": "ga***********.ch",
2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED: "port": "80",
2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED: "addressesResolved": [
2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED: "6*.***.***.**0"
2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED: ],
2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED: "addressUsed": "6*.***.***.**0"
2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED: }
2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED: ]
2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED: })
2019:02:21-05:08:39 gate letsencrypt[25891]: I Renew certificate: sending notification WARN-603
2019:02:21-05:08:39 gate letsencrypt[25891]: [WARN-603] Let's Encrypt certificate renewal failed accessing Let's Encrypt service
2019:02:21-05:08:39 gate letsencrypt[25891]: I Renew certificate: execution completed (CSRs renewed: 0, failed: 1)
My Situation: ISP ---> Router (NAT) --> UTM
On the Router I configured a Port forwarding for Port 80 and 443.
On the UTM Interface I can see (with tcpdump) the incoming Packets from Let's encrypt (IP 66.133.109.36).
But there are retransmissions for these Packets.
It seams the UTM won't answer them.
In my opinion I have chosen the right interface to listen on (The Interface connected to the Router).
The Connection between Router and UTM resides on an VLan and the Interface on the UTM is a Trunk.
Of cause, the UTM Interface has a private IP but in my opinion, this should work because the UTM interface is reachable via FQDN.
I'm at a loss.
btw: I run some SSL-VPN's terminated on the UTM and this works without problem. So the connection from the outside should be ok...
Thanks for your help.
This thread was automatically locked due to age.