Sophos UTM 9.707-5 - Let’s Encrypt failed: Failed to retrieve the current Terms of Service link

Hello, 

I appear to be having issues trying to renew LE Certificates. This started a few days ago (when due for renewal) and initially I did come to this forum for answers and found that one post suggested to update to the latest UTM version. I'm now up to 9.707-5 but still have the same issue. 

Patterns also up to date:

Current pattern version: 204063
Latest available pattern version: 204063

It appears to be related to being unable to find the TOS but all links it shows resolve fine. The certificates I have are used for UTM Management and WAF.

Looking at the logs I see the following after turning the service off and back on...

2021:10:10-09:15:14 utm letsencrypt[9881]: I Create account: creating new Let's Encrypt acccount
2021:10:10-09:15:15 utm letsencrypt[9881]: E Create account: Incorrect response code from ACME server: 500
2021:10:10-09:15:15 utm letsencrypt[9881]: E Create account: URL was: acme-v02.api.letsencrypt.org/directory
2021:10:10-09:15:15 utm letsencrypt[9881]: E Create account: TOS_UNAVAILABLE: Failed to retrieve the current Terms of Service URL
2021:10:10-09:15:15 utm letsencrypt[9881]: E Create account: failed to create account

Prior to that, an attempt at renewing:

2021:10:10-08:44:02 utm letsencrypt[1020]: E Renew certificate: Incorrect response code from ACME server: 500
2021:10:10-08:44:02 utm letsencrypt[1020]: E Renew certificate: URL was: acme-v02.api.letsencrypt.org/directory
2021:10:10-08:44:02 utm letsencrypt[1020]: I Renew certificate: handling CSR REF_CaCsrXXXXLetsEncry for domain set [DOMAINS]
2021:10:10-08:44:02 utm letsencrypt[1020]: E Renew certificate: TOS_UNAVAILABLE: Could not obtain the current version of the Let's Encrypt Terms of Service
2021:10:10-08:44:02 utm letsencrypt[1020]: I Renew certificate: sending notification WARN-603
2021:10:10-08:44:02 utm letsencrypt[1020]: [WARN-603] Let's Encrypt certificate renewal failed accessing Let's Encrypt service
2021:10:10-08:44:02 utm letsencrypt[1020]: I Renew certificate: execution failed

The UTM has been rebooted, no change. I've turned off Web protection, no change...

Any ideas appreciated.

Thanks!
Parents
  • For my UTM the following steps worked to renew the certificates again:

    - Go to Webserver Protection → Certificate Management → Certificate Authority
    - Delete the ISRG X1-Root CA (so that only the current R3 certificate is present).
    - Renew the certificates.

    This worked even for the subsequent certificate renewals.

    What's still bugging me is that the root certificate is back in store after the first renewal. This means, a wrong X1 root CA is being sent to the clients (check with ssllabs.com/ssltest to verify). With a root certificate that is present, an untrusted certificate chain is supplied (in parallel to the valid one).

  • The problem isn't with CA, but that you can't allow Let's Encrypt certificates.

    2021:10:12-14:05:56 letsencrypt[2400]: I Create account: creating new Let's Encrypt acccount
    2021:10:12-14:05:57 letsencrypt[2400]: E Create account: Incorrect response code from ACME server: 500
    2021:10:12-14:05:57 letsencrypt[2400]: E Create account: URL was: acme-v02.api.letsencrypt.org/directory
    2021:10:12-14:05:57 letsencrypt[2400]: E Create account: TOS_UNAVAILABLE: Failed to retrieve the current Terms of Service URL
    2021:10:12-14:05:59 letsencrypt[2400]: E Create account: failed to create account
  • It appears that the above suggestion worked. I manually deleted the Root CA's (I had a few linked to Lets Encrypt) and now I can enable the Account creation and was able to renew my certs. 

    Two new Root CAs were added back in (CA1 and CA2) to the store.

    Thanks for the support.

Reply Children
No Data