This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos UTM 9.707-5 - Let’s Encrypt failed: Failed to retrieve the current Terms of Service link

Hello, 

I appear to be having issues trying to renew LE Certificates. This started a few days ago (when due for renewal) and initially I did come to this forum for answers and found that one post suggested to update to the latest UTM version. I'm now up to 9.707-5 but still have the same issue. 

Patterns also up to date:

Current pattern version: 204063
Latest available pattern version: 204063

It appears to be related to being unable to find the TOS but all links it shows resolve fine. The certificates I have are used for UTM Management and WAF.

Looking at the logs I see the following after turning the service off and back on...

2021:10:10-09:15:14 utm letsencrypt[9881]: I Create account: creating new Let's Encrypt acccount
2021:10:10-09:15:15 utm letsencrypt[9881]: E Create account: Incorrect response code from ACME server: 500
2021:10:10-09:15:15 utm letsencrypt[9881]: E Create account: URL was: acme-v02.api.letsencrypt.org/directory
2021:10:10-09:15:15 utm letsencrypt[9881]: E Create account: TOS_UNAVAILABLE: Failed to retrieve the current Terms of Service URL
2021:10:10-09:15:15 utm letsencrypt[9881]: E Create account: failed to create account

Prior to that, an attempt at renewing:

2021:10:10-08:44:02 utm letsencrypt[1020]: E Renew certificate: Incorrect response code from ACME server: 500
2021:10:10-08:44:02 utm letsencrypt[1020]: E Renew certificate: URL was: acme-v02.api.letsencrypt.org/directory
2021:10:10-08:44:02 utm letsencrypt[1020]: I Renew certificate: handling CSR REF_CaCsrXXXXLetsEncry for domain set [DOMAINS]
2021:10:10-08:44:02 utm letsencrypt[1020]: E Renew certificate: TOS_UNAVAILABLE: Could not obtain the current version of the Let's Encrypt Terms of Service
2021:10:10-08:44:02 utm letsencrypt[1020]: I Renew certificate: sending notification WARN-603
2021:10:10-08:44:02 utm letsencrypt[1020]: [WARN-603] Let's Encrypt certificate renewal failed accessing Let's Encrypt service
2021:10:10-08:44:02 utm letsencrypt[1020]: I Renew certificate: execution failed

The UTM has been rebooted, no change. I've turned off Web protection, no change...

Any ideas appreciated.

Thanks!


This thread was automatically locked due to age.
  • There is an advisory about the certificates at the top of the UTM page.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • I have the same issue.
    My UTM has already received CA Data bundle but I cannot renew Let's Encrypt certificate.

  • For my UTM the following steps worked to renew the certificates again:

    - Go to Webserver Protection → Certificate Management → Certificate Authority
    - Delete the ISRG X1-Root CA (so that only the current R3 certificate is present).
    - Renew the certificates.

    This worked even for the subsequent certificate renewals.

    What's still bugging me is that the root certificate is back in store after the first renewal. This means, a wrong X1 root CA is being sent to the clients (check with ssllabs.com/ssltest to verify). With a root certificate that is present, an untrusted certificate chain is supplied (in parallel to the valid one).

  • The problem isn't with CA, but that you can't allow Let's Encrypt certificates.

    2021:10:12-14:05:56 letsencrypt[2400]: I Create account: creating new Let's Encrypt acccount
    2021:10:12-14:05:57 letsencrypt[2400]: E Create account: Incorrect response code from ACME server: 500
    2021:10:12-14:05:57 letsencrypt[2400]: E Create account: URL was: acme-v02.api.letsencrypt.org/directory
    2021:10:12-14:05:57 letsencrypt[2400]: E Create account: TOS_UNAVAILABLE: Failed to retrieve the current Terms of Service URL
    2021:10:12-14:05:59 letsencrypt[2400]: E Create account: failed to create account
  • It appears that the above suggestion worked. I manually deleted the Root CA's (I had a few linked to Lets Encrypt) and now I can enable the Account creation and was able to renew my certs. 

    Two new Root CAs were added back in (CA1 and CA2) to the store.

    Thanks for the support.

  • The correct X1 CA is missing, there are 2 different ISRG Root X1

    Delete:93:­3C:­6D:­DE:­E9:­5C:­9C:­41:­A4:­0F:­9F:­50:­49:­3D:­82:­BE:­03:­AD:­87:­BF

    Add:CA:­BD:­2A:­79:­A1:­07:­6A:­31:­F2:­1D:­25:­36:­35:­CB:­03:­9D:­43:­29:­A5:­E8

    Even if the "wrong" one gets added again after a renew, it keeps working

    The URL acme-v02.api.letsencrypt.org/directory is signed with the correct X1 and the UTM is missing it. Thats the root cause for the account not being created

  • Not sure why you are all still having a problem with this.  My systems received CA:­BD:­2A:­... on 30 September.  All I had to do to get it in place was restart the proxy.  Either disable/enable in WebAdmin or run the following command as root:

         /var/mdw/scripts/httpproxy restart

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • this doesn't help.

    I deleted isrg x1  root ca, before that I disabled let's encrypt and can't enable it again.


    2021:11:04-16:15:24 FW letsencrypt[2149]: E Create account: TOS_UNAVAILABLE: Failed to retrieve the current Terms of Service URL
    2021:11:04-16:15:24 FW letsencrypt[2149]: E Create account: failed to create account
    2021:11:04-16:20:17 FW letsencrypt[3745]: I Create account: creating new Let's Encrypt acccount
    2021:11:04-16:20:18 FW letsencrypt[3745]: E Create account: Incorrect response code from ACME server: 500
    2021:11:04-16:20:18 FW letsencrypt[3745]: E Create account: URL was: acme-v02.api.letsencrypt.org/directory
    2021:11:04-16:20:18 FW letsencrypt[3745]: E Create account: TOS_UNAVAILABLE: Failed to retrieve the current Terms of Service URL
    2021:11:04-16:20:19 FW letsencrypt[3745]: E Create account: failed to create account
    2021:11:04-16:22:25 FW letsencrypt[14654]: I Create account: creating new Let's Encrypt acccount
    2021:11:04-16:22:27 FW letsencrypt[14654]: E Create account: Incorrect response code from ACME server: 500
    2021:11:04-16:22:27 FW letsencrypt[14654]: E Create account: URL was: acme-v02.api.letsencrypt.org/directory
    2021:11:04-16:22:27 FW letsencrypt[14654]: E Create account: TOS_UNAVAILABLE: Failed to retrieve the current Terms of Service URL
    2021:11:04-16:22:27 FW letsencrypt[14654]: E Create account: failed to create account

  • Hi Michael.,

    I've downloaded x1 and have correct fingerprint.

    can enable let's encrypt (after disabling it)

    any idea ?

    got this 


    2021:11:04-16:15:24 FW letsencrypt[2149]: E Create account: TOS_UNAVAILABLE: Failed to retrieve the current Terms of Service URL
    2021:11:04-16:15:24 FW letsencrypt[2149]: E Create account: failed to create account
    2021:11:04-16:20:17 FW letsencrypt[3745]: I Create account: creating new Let's Encrypt acccount
    2021:11:04-16:20:18 FW letsencrypt[3745]: E Create account: Incorrect response code from ACME server: 500
    2021:11:04-16:20:18 FW letsencrypt[3745]: E Create account: URL was: acme-v02.api.letsencrypt.org/directory
    2021:11:04-16:20:18 FW letsencrypt[3745]: E Create account: TOS_UNAVAILABLE: Failed to retrieve the current Terms of Service URL
    2021:11:04-16:20:19 FW letsencrypt[3745]: E Create account: failed to create account
    2021:11:04-16:22:25 FW letsencrypt[14654]: I Create account: creating new Let's Encrypt acccount
    2021:11:04-16:22:27 FW letsencrypt[14654]: E Create account: Incorrect response code from ACME server: 500
    2021:11:04-16:22:27 FW letsencrypt[14654]: E Create account: URL was: acme-v02.api.letsencrypt.org/directory
    2021:11:04-16:22:27 FW letsencrypt[14654]: E Create account: TOS_UNAVAILABLE: Failed to retrieve the current Terms of Service URL
    2021:11:04-16:22:27 FW letsencrypt[14654]: E Create account: failed to create account

  • Hi , were you able to solve this? Totally sucks, i can't enable let's encrypt, i deleted that x1 root cert, there are no clear instructions what to do, @sophos ??