Hello,
I appear to be having issues trying to renew LE Certificates. This started a few days ago (when due for renewal) and initially I did come to this forum for answers and found that one post suggested to update to the latest UTM version. I'm now up to 9.707-5 but still have the same issue.
Patterns also up to date:
Current pattern version: 204063
Latest available pattern version: 204063
It appears to be related to being unable to find the TOS but all links it shows resolve fine. The certificates I have are used for UTM Management and WAF.
Looking at the logs I see the following after turning the service off and back on...
2021:10:10-09:15:14 utm letsencrypt[9881]: I Create account: creating new Let's Encrypt acccount
2021:10:10-09:15:15 utm letsencrypt[9881]: E Create account: Incorrect response code from ACME server: 500
2021:10:10-09:15:15 utm letsencrypt[9881]: E Create account: URL was: acme-v02.api.letsencrypt.org/directory
2021:10:10-09:15:15 utm letsencrypt[9881]: E Create account: TOS_UNAVAILABLE: Failed to retrieve the current Terms of Service URL
2021:10:10-09:15:15 utm letsencrypt[9881]: E Create account: failed to create account
Prior to that, an attempt at renewing:
2021:10:10-08:44:02 utm letsencrypt[1020]: E Renew certificate: Incorrect response code from ACME server: 500
2021:10:10-08:44:02 utm letsencrypt[1020]: E Renew certificate: URL was: acme-v02.api.letsencrypt.org/directory
2021:10:10-08:44:02 utm letsencrypt[1020]: I Renew certificate: handling CSR REF_CaCsrXXXXLetsEncry for domain set [DOMAINS]
2021:10:10-08:44:02 utm letsencrypt[1020]: E Renew certificate: TOS_UNAVAILABLE: Could not obtain the current version of the Let's Encrypt Terms of Service
2021:10:10-08:44:02 utm letsencrypt[1020]: I Renew certificate: sending notification WARN-603
2021:10:10-08:44:02 utm letsencrypt[1020]: [WARN-603] Let's Encrypt certificate renewal failed accessing Let's Encrypt service
2021:10:10-08:44:02 utm letsencrypt[1020]: I Renew certificate: execution failed
The UTM has been rebooted, no change. I've turned off Web protection, no change...
Any ideas appreciated.
Thanks!
There is an advisory about the certificates at the top of the UTM page.
XG 19.5 GA 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz 16GB Memory | 500GB SSD HDD | GB Ethernet x5
I have the same issue. My UTM has already received CA Data bundle but I cannot renew Let's Encrypt certificate.
For my UTM the following steps worked to renew the certificates again:
- Go to Webserver Protection → Certificate Management → Certificate Authority
- Delete the ISRG X1-Root CA (so that only the current R3 certificate is present).
- Renew the certificates.
This worked even for the subsequent certificate renewals.
What's still bugging me is that the root certificate is back in store after the first renewal. This means, a wrong X1 root CA is being sent to the clients (check with ssllabs.com/ssltest to verify). With a root certificate that is present, an untrusted certificate chain is supplied (in parallel to the valid one).
The problem isn't with CA, but that you can't allow Let's Encrypt certificates.
It appears that the above suggestion worked. I manually deleted the Root CAs (I had a few linked to Let's Encrypt) and now I can enable the Account creation and was able to renew my certs.
Two new Root CAs were added back in (CA1 and CA2) to the store.
Thanks for the support.
The correct X1 CA is missing, there are 2 different ISRG Root X1
Delete: 93:3C:6D:DE:E9:5C:9C:41:A4:0F:9F:50:49:3D:82:BE:03:AD:87:BF
Add: CA:BD:2A:79:A1:07:6A:31:F2:1D:25:36:35:CB:03:9D:43:29:A5:E8
Even if the "wrong" one gets added again after a renew, it keeps working
The URL acme-v02.api.letsencrypt.org/directory is signed with the correct X1 and the UTM is missing it. That's the root cause for the account not being created.
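The symptom pasted throughout this thread (HTTP 500 at the ACME directory URL followed by TOS_UNAVAILABLE) can be picked out of the log mechanically; the following is an added triage example, not part of any post and not Sophos code. The record layout is inferred from the log lines quoted in the thread; the function names and the last sample line (a healthy run) are constructed.

```python
import re

STAMP = r"\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}"
# Zero-width split point before every record, so pasted logs whose lines were
# run together (as in this thread) are separated again.
SPLIT = re.compile(rf"(?={STAMP} \S+ letsencrypt\[\d+\]: )")
RECORD = re.compile(rf"({STAMP}) (\S+) letsencrypt\[(\d+)\]: (?:([IE]) ([^:]+): )?(.*)")

# Sample input: the first two runs reuse lines quoted in the thread (the second
# kept run together on one line); the last line is constructed as a healthy run.
SAMPLE = (
    "2021:10:10-09:15:14 utm letsencrypt[9881]: I Create account: creating new Let's Encrypt acccount\n"
    "2021:10:10-09:15:15 utm letsencrypt[9881]: E Create account: Incorrect response code from ACME server: 500\n"
    "2021:10:10-09:15:15 utm letsencrypt[9881]: E Create account: URL was: acme-v02.api.letsencrypt.org/directory\n"
    "2021:10:10-09:15:15 utm letsencrypt[9881]: E Create account: TOS_UNAVAILABLE: Failed to retrieve the current Terms of Service URL\n"
    "2021:10:10-08:44:02 utm letsencrypt[1020]: E Renew certificate: Incorrect response code from ACME server: 500"
    "2021:10:10-08:44:02 utm letsencrypt[1020]: E Renew certificate: URL was: acme-v02.api.letsencrypt.org/directory"
    "2021:10:10-08:44:02 utm letsencrypt[1020]: E Renew certificate: TOS_UNAVAILABLE: Could not obtain the current version of the Let's Encrypt Terms of Service\n"
    "2021:10:11-03:00:01 utm letsencrypt[2222]: I Renew certificate: handling CSR REF_CaCsrXXXXLetsEncry for domain set [DOMAINS]\n"
)

def parse(text):
    """Yield one dict per letsencrypt record found in text."""
    for chunk in SPLIT.split(text):
        m = RECORD.match(chunk.strip())
        if m:
            ts, host, pid, level, op, msg = m.groups()
            yield {"ts": ts, "host": host, "pid": int(pid), "level": level, "op": op, "msg": msg.strip()}

def directory_failures(text):
    """Return (first timestamp, host, pid, operation) for every run in which the
    ACME directory request returned 500 and the Terms of Service were unavailable."""
    runs = {}
    for rec in parse(text):
        runs.setdefault((rec["host"], rec["pid"]), []).append(rec)
    hits = []
    for (host, pid), recs in runs.items():
        msgs = [r["msg"] for r in recs]
        got_500 = any(m.endswith("ACME server: 500") for m in msgs)
        at_directory = any(m.startswith("URL was:") and m.endswith("/directory") for m in msgs)
        tos_missing = any(m.startswith("TOS_UNAVAILABLE") for m in msgs)
        if got_500 and at_directory and tos_missing:
            op = next(r["op"] for r in recs if r["op"])
            hits.append((recs[0]["ts"], host, pid, op))
    return hits

if __name__ == "__main__":
    for hit in directory_failures(SAMPLE):
        print("directory fetch failed:", *hit)
```

A hit means the run never got past the directory request, which is the step the post above attributes to the missing X1 root; it does not by itself prove which certificate is in the store.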
Not sure why you are all still having a problem with this. My systems received CA:BD:2A:... on 30 September. All I had to do to get it in place was restart the proxy. Either disable/enable in WebAdmin or run the following command as root:
/var/mdw/scripts/httpproxy restart
Cheers - Bob
This doesn't help.
I deleted the ISRG X1 root CA; before that I disabled Let's Encrypt and can't enable it again.
2021:11:04-16:15:24 FW letsencrypt[2149]: E Create account: TOS_UNAVAILABLE: Failed to retrieve the current Terms of Service URL
2021:11:04-16:15:24 FW letsencrypt[2149]: E Create account: failed to create account
2021:11:04-16:20:17 FW letsencrypt[3745]: I Create account: creating new Let's Encrypt acccount
2021:11:04-16:20:18 FW letsencrypt[3745]: E Create account: Incorrect response code from ACME server: 500
2021:11:04-16:20:18 FW letsencrypt[3745]: E Create account: URL was: acme-v02.api.letsencrypt.org/directory
2021:11:04-16:20:18 FW letsencrypt[3745]: E Create account: TOS_UNAVAILABLE: Failed to retrieve the current Terms of Service URL
2021:11:04-16:20:19 FW letsencrypt[3745]: E Create account: failed to create account
2021:11:04-16:22:25 FW letsencrypt[14654]: I Create account: creating new Let's Encrypt acccount
2021:11:04-16:22:27 FW letsencrypt[14654]: E Create account: Incorrect response code from ACME server: 500
2021:11:04-16:22:27 FW letsencrypt[14654]: E Create account: URL was: acme-v02.api.letsencrypt.org/directory
2021:11:04-16:22:27 FW letsencrypt[14654]: E Create account: TOS_UNAVAILABLE: Failed to retrieve the current Terms of Service URL
2021:11:04-16:22:27 FW letsencrypt[14654]: E Create account: failed to create account
Hi Michael,
I've downloaded X1 and have the correct fingerprint.
Can enable Let's Encrypt (after disabling it).
Any idea?
Got this:
2021:11:04-16:15:24 FW letsencrypt[2149]: E Create account: TOS_UNAVAILABLE: Failed to retrieve the current Terms of Service URL
2021:11:04-16:15:24 FW letsencrypt[2149]: E Create account: failed to create account
2021:11:04-16:20:17 FW letsencrypt[3745]: I Create account: creating new Let's Encrypt acccount
2021:11:04-16:20:18 FW letsencrypt[3745]: E Create account: Incorrect response code from ACME server: 500
2021:11:04-16:20:18 FW letsencrypt[3745]: E Create account: URL was: acme-v02.api.letsencrypt.org/directory
2021:11:04-16:20:18 FW letsencrypt[3745]: E Create account: TOS_UNAVAILABLE: Failed to retrieve the current Terms of Service URL
2021:11:04-16:20:19 FW letsencrypt[3745]: E Create account: failed to create account
2021:11:04-16:22:25 FW letsencrypt[14654]: I Create account: creating new Let's Encrypt acccount
2021:11:04-16:22:27 FW letsencrypt[14654]: E Create account: Incorrect response code from ACME server: 500
2021:11:04-16:22:27 FW letsencrypt[14654]: E Create account: URL was: acme-v02.api.letsencrypt.org/directory
2021:11:04-16:22:27 FW letsencrypt[14654]: E Create account: TOS_UNAVAILABLE: Failed to retrieve the current Terms of Service URL
2021:11:04-16:22:27 FW letsencrypt[14654]: E Create account: failed to create account
Hi, were you able to solve this? Totally sucks, I can't enable Let's Encrypt, I deleted that X1 root cert, there are no clear instructions what to do, @sophos ??