Unable to get Let's Encrypt cert: ERROR: Challenge is invalid! (returned: invalid)

Question

I'm not able to get a valid Let's Encrypt certificate. In the Logs I have the following: 
 2019:02:21-05:07:03 gate letsencrypt[25571]: I Check renewal: renew REF_CaCsrG*******n (domains: ga***********.ch): certificate valid until Jan 1 00:00:01 2038 GMT (temporary certificate) 2019:02:21-05:08:03 gate letsencrypt[25891]: I Renew certificate: handling CSR REF_CaCsrG*******n for domain set [ga***********.ch] 2019:02:21-05:08:04 gate letsencrypt[25891]: I Renew certificate: running command: /var/storage/chroot-reverseproxy/usr/dehydrated/bin/dehydrated -x -f /var/storage/chroot-reverseproxy/usr/dehydrated/conf/config -c --accept-terms --domain ga***********.ch 2019:02:21-05:08:38 gate letsencrypt[25891]: I Renew certificate: command completed with exit code 256 2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED: ERROR: Challenge is invalid! (returned: invalid) (result: { 2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED: "type": "http-01", 2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED: "status": "invalid", 2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED: "error": { 2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED: "type": "urn:acme:error:connection", 2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED: "detail": "Fetching ga***********.ch/.../-6Wi_R9aEmcMIpOyAZ2-qCNDTRu6_eNiRdAkvLYiD0s: Timeout during connect (likely firewall problem)", 2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED: "status": 400 2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED: }, 2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED: "uri": " acme-v01.api.letsencrypt.org/.../12820172239", 2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED: "token": "-6Wi_R9aEmcMIpOyAZ2-qCNDTRu6_eNiRdAkvLYiD0s", 2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED: "validationRecord": [ 2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED: { 2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED: "url": "ga***********.ch/.../-6Wi_R9aEmcMIpOyAZ2-qCNDTRu6_eNiRdAkvLYiD0s", 2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED: "hostname": "ga***********.ch", 2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED: "port": "80", 2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED: "addressesResolved": [ 2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED: "6*.***.***.**0" 2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED: ], 2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED: "addressUsed": "6*.***.***.**0" 2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED: } 2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED: ] 2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED: }) 2019:02:21-05:08:39 gate letsencrypt[25891]: I Renew certificate: sending notification WARN-603 2019:02:21-05:08:39 gate letsencrypt[25891]: [WARN-603] Let's Encrypt certificate renewal failed accessing Let's Encrypt service 2019:02:21-05:08:39 gate letsencrypt[25891]: I Renew certificate: execution completed (CSRs renewed: 0, failed: 1) 
 My Situation: ISP ---> Router (NAT) --> UTM On the Router I configured a Port forwarding for Port 80 and 443. On the UTM Interface I can see (with tcpdump) the incoming Packets from Let's encrypt (IP 66.133.109.36). But there are retransmissions for these Packets. It seams the UTM won't answer them. 
 In my opinion I have chosen the right interface to listen on (The Interface connected to the Router). The Connection between Router and UTM resides on an VLan and the Interface on the UTM is a Trunk. 
 Of cause, the UTM Interface has a private IP but in my opinion, this should work because the UTM interface is reachable via FQDN. 
 I'm at a loss. 
 btw: I run some SSL-VPN's terminated on the UTM and this works without problem. So the connection from the outside should be ok... 
 Thanks for your help.

dirkkotte · Accepted Answer

Hello, did you activate country blocking? Is there a DNAT rule for the external IP? both could cause problems.

Briain · Answer

Hi 
 Just a quick note to confirm that when trying to create a new L.E. certificate, the acme-v01.api.letsencrypt.org USA exception did not work for me, either (I had to change the USA country block from 'from' to 'off'). As noted above, once I had received the new certificate (and with the acme-v01.api.letsencrypt.org exception in place) I could again change the USA setting back to blcok 'from' and successfully renew the certificate; it was only necessary to disable the USA country block for the initial certificate creation process. 
 Kind regards, 
 Briain