Sophos XG Firewall - License activation unavailable (error XG-00151). See KB-000043485 for the latest updates.
I appear to be having issues trying to renew LE Certificates. This started a few days ago (when due for renewal) and initially I did come to this forum for answers and found that one post suggested to update to the latest UTM version. I'm now up to 9.707-5 but still have the same issue.
Patterns also up to date:
Current pattern version: 204063Latest available pattern version: 204063
It appears to be related to being unable to find the TOS but all links it shows resolve fine. The certificates I have are used for UTM Management and WAF.
Looking at the logs I see the following after turning the service off and back on...
2021:10:10-09:15:14 utm letsencrypt: I Create account: creating new Let's Encrypt acccount
2021:10:10-09:15:15 utm letsencrypt: E Create account: Incorrect response code from ACME server: 500
2021:10:10-09:15:15 utm letsencrypt: E Create account: URL was: acme-v02.api.letsencrypt.org/directory
2021:10:10-09:15:15 utm letsencrypt: E Create account: TOS_UNAVAILABLE: Failed to retrieve the current Terms of Service URL
2021:10:10-09:15:15 utm letsencrypt: E Create account: failed to create accountPrior to that, an attempt at renewing:2021:10:10-08:44:02 utm letsencrypt: E Renew certificate: Incorrect response code from ACME server: 5002021:10:10-08:44:02 utm letsencrypt: E Renew certificate: URL was: acme-v02.api.letsencrypt.org/directory2021:10:10-08:44:02 utm letsencrypt: I Renew certificate: handling CSR REF_CaCsrXXXXLetsEncry for domain set [DOMAINS]2021:10:10-08:44:02 utm letsencrypt: E Renew certificate: TOS_UNAVAILABLE: Could not obtain the current version of the Let's Encrypt Terms of Service2021:10:10-08:44:02 utm letsencrypt: I Renew certificate: sending notification WARN-6032021:10:10-08:44:02 utm letsencrypt: [WARN-603] Let's Encrypt certificate renewal failed accessing Let's Encrypt service2021:10:10-08:44:02 utm letsencrypt: I Renew certificate: execution failedThe UTM has been rebooted, no change. I've turned off Web protection, no change...Any ideas appreciated.Thanks!
For my UTM the following steps worked to renew the certificates again:
- Go to Webserver Protection → Certificate Management → Certificate Authority- Delete the ISRG X1-Root CA (so that only…
- Go to Webserver Protection → Certificate Management → Certificate Authority- Delete the ISRG X1-Root CA (so that only the current R3 certificate is present).- Renew the certificates.
This worked even for the subsequent certificate renewals.
What's still bugging me is that the root certificate is back in store after the first renewal. This means, a wrong X1 root CA is being sent to the clients (check with ssllabs.com/ssltest to verify). With a root certificate that is present, an untrusted certificate chain is supplied (in parallel to the valid one).
The problem isn't with CA, but that you can't allow Let's Encrypt certificates.
It appears that the above suggestion worked. I manually deleted the Root CA's (I had a few linked to Lets Encrypt) and now I can enable the Account creation and was able to renew my certs.
Two new Root CAs were added back in (CA1 and CA2) to the store.
Thanks for the support.
The correct X1 CA is missing, there are 2 different ISRG Root X1
Even if the "wrong" one gets added again after a renew, it keeps working
The URL acme-v02.api.letsencrypt.org/directory is signed with the correct X1 and the UTM is missing it. Thats the root cause for the account not being created
Not sure why you are all still having a problem with this. My systems received CA:BD:2A:... on 30 September. All I had to do to get it in place was restart the proxy. Either disable/enable in WebAdmin or rune the following command as root:
Cheers - Bob