This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Let's Encrypt failed with connection refused

Hi community

When I activate Let's Encrypt service, and try to adding a certificate, the certification process fails with error "connection refused". There are no DNAT rules on port 80 and 443. Country blocking is not active. Webserver protection is empty.

UTM is actual on version 9.707-5

Here is the log after I habe disabled and re-enabled the Let's Encrypt service.

2021:09:23-16:46:02 customername letsencrypt[26709]: I CONFD: Account removed because Let's Encrypt was disabled by the user
2021:09:23-16:46:28 customername letsencrypt[26747]: I Create account: creating new Let's Encrypt acccount
2021:09:23-16:46:29 customername letsencrypt[26747]: I Create account: running command: /var/storage/chroot-reverseproxy/usr/dehydrated/bin/dehydrated -f /var/storage/chroot-reverseproxy/usr/dehydrated/conf/config --register --accept-terms
2021:09:23-16:46:38 customername letsencrypt[26747]: I Create account: command completed with exit code 0
2021:09:23-16:46:38 customername letsencrypt[26747]: I Create account: successfully created account
2021:09:23-16:48:02 customername letsencrypt[27359]: I Renew certificate: handling CSR REF_CaCsrLetsEncrySohpo for domain set [customername.dyndns.org]
2021:09:23-16:48:02 customername letsencrypt[27359]: I Renew certificate: running command: /var/storage/chroot-reverseproxy/usr/dehydrated/bin/dehydrated -x -f /var/storage/chroot-reverseproxy/usr/dehydrated/conf/config -c --accept-terms --domain customername.dyndns.org
2021:09:23-16:48:14 customername letsencrypt[27359]: I Renew certificate: command completed with exit code 256
2021:09:23-16:48:14 customername letsencrypt[27359]: E Renew certificate: COMMAND_FAILED: ERROR: Challenge is invalid! (returned: invalid) (result: {
2021:09:23-16:48:14 customername letsencrypt[27359]: E Renew certificate: COMMAND_FAILED: "type": "http-01",
2021:09:23-16:48:14 customername letsencrypt[27359]: E Renew certificate: COMMAND_FAILED: "status": "invalid",
2021:09:23-16:48:14 customername letsencrypt[27359]: E Renew certificate: COMMAND_FAILED: "error": {
2021:09:23-16:48:14 customername letsencrypt[27359]: E Renew certificate: COMMAND_FAILED: "type": "urn:ietf:params:acme:error:connection",
2021:09:23-16:48:14 customername letsencrypt[27359]: E Renew certificate: COMMAND_FAILED: "detail": "Fetching customername.dyndns.org/.../CFe1mDr1qvqnGLztmcREWi7HTUTZQT_ZxW3Jacqml00: Connection refused",
2021:09:23-16:48:14 customername letsencrypt[27359]: E Renew certificate: COMMAND_FAILED: "status": 400
2021:09:23-16:48:14 customername letsencrypt[27359]: E Renew certificate: COMMAND_FAILED: },
2021:09:23-16:48:14 customername letsencrypt[27359]: E Renew certificate: COMMAND_FAILED: "url": "">acme-v02.api.letsencrypt.org/.../sINksQ",
2021:09:23-16:48:14 customername letsencrypt[27359]: E Renew certificate: COMMAND_FAILED: "token": "CFe1mDr1qvqnGLztmcREWi7HTUTZQT_ZxW3Jacqml00",
2021:09:23-16:48:14 customername letsencrypt[27359]: E Renew certificate: COMMAND_FAILED: "validationRecord": [
2021:09:23-16:48:14 customername letsencrypt[27359]: E Renew certificate: COMMAND_FAILED: {
2021:09:23-16:48:14 customername letsencrypt[27359]: E Renew certificate: COMMAND_FAILED: "url": "">customername.dyndns.org/.../CFe1mDr1qvqnGLztmcREWi7HTUTZQT_ZxW3Jacqml00",
2021:09:23-16:48:14 customername letsencrypt[27359]: E Renew certificate: COMMAND_FAILED: "hostname": "customername.dyndns.org",
2021:09:23-16:48:14 customername letsencrypt[27359]: E Renew certificate: COMMAND_FAILED: "port": "80",
2021:09:23-16:48:14 customername letsencrypt[27359]: E Renew certificate: COMMAND_FAILED: "addressesResolved": [
2021:09:23-16:48:14 customername letsencrypt[27359]: E Renew certificate: COMMAND_FAILED: "178.196.3.29"
2021:09:23-16:48:14 customername letsencrypt[27359]: E Renew certificate: COMMAND_FAILED: ],
2021:09:23-16:48:14 customername letsencrypt[27359]: E Renew certificate: COMMAND_FAILED: "addressUsed": "178.196.3.29"
2021:09:23-16:48:14 customername letsencrypt[27359]: E Renew certificate: COMMAND_FAILED: }
2021:09:23-16:48:14 customername letsencrypt[27359]: E Renew certificate: COMMAND_FAILED: ],
2021:09:23-16:48:14 customername letsencrypt[27359]: E Renew certificate: COMMAND_FAILED: "validated": "2021-09-23T14:48:11Z"
2021:09:23-16:48:14 customername letsencrypt[27359]: E Renew certificate: COMMAND_FAILED: })
2021:09:23-16:48:14 customername letsencrypt[27359]: I Renew certificate: sending notification WARN-603
2021:09:23-16:48:14 customername letsencrypt[27359]: [WARN-603] Let's Encrypt certificate renewal failed accessing Let's Encrypt service
2021:09:23-16:48:14 customername letsencrypt[27359]: I Renew certificate: execution completed (CSRs renewed: 0, failed: 1)

Any ideas?



This thread was automatically locked due to age.
Parents
  • Let's Enc versucht die Domain customername.dyndns.org aufzulösen.

    Da dies nicht gelingt weil diese Domain nicht existiert kann auch kein Zert ausgstellt werden.

    Let's Enc. sucht immer nach gültigen DNS Einträgen, gibt es diese nicht kann auch nichts ausgestellt werden.

  • Kann ich so nicht bestätigen. Ich habe andere Sophos mit Let's Encrypt und dyndns problemlos im Einsatz. Macht auch Sinn; denn Let's Encrypt prüft ob der Name xxx.dyndns.org zur IP passt. Und die IP ist ja korrekt, existiert und antwortet da sie auf die Sophos zeigt.

Reply Children
  • Hallo Patrick and welcome to the UTM Community!

         2021:09:23-16:48:14 customername letsencrypt[27359]: E Renew certificate: COMMAND_FAILED: "port": "80",

    I had what appears to be the same letsencrypt problem with my home lab.   My ISP blocks inbound 80/443 connections since I have residential instead of business service.  Is this a home-use situation?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA