This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

UTM 9 & Webadmin & Letsencrypt certificate

Hi

I have UTM 9, version 9.703-3. I wanted to create a Let'sEncrypt certificate for the WebAdmin. I went to Remote Access -> Certificate Management -> New Certificate. I chose Method: Let'sEncrypt, and in Interface, the only option was "Internal (Address)". However, I got the error "An error occurred while communicating with the Let’s Encrypt server. Automatic renewals will be tried again during the next renewal attempt. Manual renewal can be attempted again at any time."

Any ideas?

The letsencrypt.log shows

2020:07:13-10:06:02 sophos letsencrypt[18586]: I Renew certificate: running command: /var/storage/chroot-reverseproxy/usr/dehydrated/bin/dehydrated -x -f /var/storage/chroot-reverseproxy/usr/dehydrated/conf/config -c --accept-terms --domain sophos.example.com
2020:07:13-10:06:23 sophos letsencrypt[18586]: I Renew certificate: command completed with exit code 256
2020:07:13-10:06:23 sophos letsencrypt[18586]: E Renew certificate: COMMAND_FAILED: ERROR: Challenge is invalid! (returned: invalid) (result: {
2020:07:13-10:06:23 sophos letsencrypt[18586]: E Renew certificate: COMMAND_FAILED:   "type": "http-01",
2020:07:13-10:06:23 sophos letsencrypt[18586]: E Renew certificate: COMMAND_FAILED:   "status": "invalid",
2020:07:13-10:06:23 sophos letsencrypt[18586]: E Renew certificate: COMMAND_FAILED:   "error": {
2020:07:13-10:06:23 sophos letsencrypt[18586]: E Renew certificate: COMMAND_FAILED:     "type": "urn:ietf:params:acme:error:connection",
2020:07:13-10:06:23 sophos letsencrypt[18586]: E Renew certificate: COMMAND_FAILED:     "detail": "Fetching sophos.example.com/.../foo_-bar: Timeout during connect (likely firewall problem)",
2020:07:13-10:06:23 sophos letsencrypt[18586]: E Renew certificate: COMMAND_FAILED:     "status": 400
2020:07:13-10:06:23 sophos letsencrypt[18586]: E Renew certificate: COMMAND_FAILED:   },
2020:07:13-10:06:23 sophos letsencrypt[18586]: E Renew certificate: COMMAND_FAILED:   "url": "acme-v02.api.letsencrypt.org/.../u0bkFQ",
2020:07:13-10:06:23 sophos letsencrypt[18586]: E Renew certificate: COMMAND_FAILED:   "token": "foo_-bar",
2020:07:13-10:06:23 sophos letsencrypt[18586]: E Renew certificate: COMMAND_FAILED:   "validationRecord": [
2020:07:13-10:06:23 sophos letsencrypt[18586]: E Renew certificate: COMMAND_FAILED:     {
2020:07:13-10:06:23 sophos letsencrypt[18586]: E Renew certificate: COMMAND_FAILED:       "url": "sophos.example.com/.../foo_-bar",
2020:07:13-10:06:23 sophos letsencrypt[18586]: E Renew certificate: COMMAND_FAILED:       "hostname": "sophos.example.com",
2020:07:13-10:06:23 sophos letsencrypt[18586]: E Renew certificate: COMMAND_FAILED:       "port": "80",
2020:07:13-10:06:23 sophos letsencrypt[18586]: E Renew certificate: COMMAND_FAILED:       "addressesResolved": [
2020:07:13-10:06:23 sophos letsencrypt[18586]: E Renew certificate: COMMAND_FAILED:         "1.2.3.4"
2020:07:13-10:06:23 sophos letsencrypt[18586]: E Renew certificate: COMMAND_FAILED:       ],
2020:07:13-10:06:23 sophos letsencrypt[18586]: E Renew certificate: COMMAND_FAILED:       "addressUsed": "1.2.3.4"
2020:07:13-10:06:23 sophos letsencrypt[18586]: E Renew certificate: COMMAND_FAILED:     }
2020:07:13-10:06:23 sophos letsencrypt[18586]: E Renew certificate: COMMAND_FAILED:   ]
2020:07:13-10:06:23 sophos letsencrypt[18586]: E Renew certificate: COMMAND_FAILED: })
2020:07:13-10:06:24 sophos letsencrypt[18586]: I Renew certificate: sending notification WARN-603
2020:07:13-10:06:24 sophos letsencrypt[18586]: [WARN-603] Let's Encrypt certificate renewal failed accessing Let's Encrypt service
2020:07:13-10:06:24 sophos letsencrypt[18586]: I Renew certificate: execution completed (CSRs renewed: 0, failed: 1)



This thread was automatically locked due to age.
Parents
  • Hello Vangelis,

    Thank you for contacting the Sophos Community.

    Yes, you need to select the WAN interface for Letsencrypt to be able to create your certificate.

    What interfaces you have configured in your UTM?

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • Hello

    Thanks for the prompt reply. Indeed there is no WAN interface configured. I see that only the default internal one is defined.

      

    I would like to ask what are the security implications if I create a WAN interface. The Sophos UTM runs on AWS EC2 (from the marketplace), and a security group allows incoming traffic only from specific IPs.

    Regards

    Vangelis

  • Hello Vangelis,

    Oh I see, yes the UTM on AWS only needs one interface.

    You could create an additional interface for the UTM, and have this interface to have the Public IP, then in the Security Group just allow port 80 and 443 while the Certificate is created, and then basically open the ports you would need later on.

    However, this raises another question, what is the main goal for you to use the Let's Encrypt certificates?

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • Hello

    Thanks again for the prompt reply.

    We are currently using a self-signed certificate and we would like to switch to an SSL certificate signed from a known CA (like Let's Encrypt). If we don't use Let's Encrypt we have to a) increase costs and b) manually perform the importing when it needs renewal (once every 2 years - yes it's not often). For these reasons we picked Let's Encrypt.

    Regarding the additional interface, on the EC2 security group level we a) restrict ingress to a specific set of IPs and b) restrict to port 443. Would that be a problem?

    Regards

    Vangelis

Reply
  • Hello

    Thanks again for the prompt reply.

    We are currently using a self-signed certificate and we would like to switch to an SSL certificate signed from a known CA (like Let's Encrypt). If we don't use Let's Encrypt we have to a) increase costs and b) manually perform the importing when it needs renewal (once every 2 years - yes it's not often). For these reasons we picked Let's Encrypt.

    Regarding the additional interface, on the EC2 security group level we a) restrict ingress to a specific set of IPs and b) restrict to port 443. Would that be a problem?

    Regards

    Vangelis

Children