Sophos UTM 9.707-5 - Let’s Encrypt failed: Failed to retrieve the current Terms of Service link

Hello, 

I appear to be having issues trying to renew LE Certificates. This started a few days ago (when due for renewal) and initially I did come to this forum for answers and found that one post suggested to update to the latest UTM version. I'm now up to 9.707-5 but still have the same issue. 

Patterns also up to date:

Current pattern version: 204063
Latest available pattern version: 204063

It appears to be related to being unable to find the TOS but all links it shows resolve fine. The certificates I have are used for UTM Management and WAF.

Looking at the logs I see the following after turning the service off and back on...

2021:10:10-09:15:14 utm letsencrypt[9881]: I Create account: creating new Let's Encrypt acccount
2021:10:10-09:15:15 utm letsencrypt[9881]: E Create account: Incorrect response code from ACME server: 500
2021:10:10-09:15:15 utm letsencrypt[9881]: E Create account: URL was: acme-v02.api.letsencrypt.org/directory
2021:10:10-09:15:15 utm letsencrypt[9881]: E Create account: TOS_UNAVAILABLE: Failed to retrieve the current Terms of Service URL
2021:10:10-09:15:15 utm letsencrypt[9881]: E Create account: failed to create account

Prior to that, an attempt at renewing:

2021:10:10-08:44:02 utm letsencrypt[1020]: E Renew certificate: Incorrect response code from ACME server: 500
2021:10:10-08:44:02 utm letsencrypt[1020]: E Renew certificate: URL was: acme-v02.api.letsencrypt.org/directory
2021:10:10-08:44:02 utm letsencrypt[1020]: I Renew certificate: handling CSR REF_CaCsrXXXXLetsEncry for domain set [DOMAINS]
2021:10:10-08:44:02 utm letsencrypt[1020]: E Renew certificate: TOS_UNAVAILABLE: Could not obtain the current version of the Let's Encrypt Terms of Service
2021:10:10-08:44:02 utm letsencrypt[1020]: I Renew certificate: sending notification WARN-603
2021:10:10-08:44:02 utm letsencrypt[1020]: [WARN-603] Let's Encrypt certificate renewal failed accessing Let's Encrypt service
2021:10:10-08:44:02 utm letsencrypt[1020]: I Renew certificate: execution failed

The UTM has been rebooted, no change. I've turned off Web protection, no change...

Any ideas appreciated.

Thanks!
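The log lines above show the UTM failing at one specific step: reading the Terms of Service link out of the ACME directory document at acme-v02.api.letsencrypt.org/directory, after a 500 response. The following script is an added diagnostic, not part of the original post or of Sophos UTM, that isolates exactly that step so a practitioner can tell a server-side error (non-200 status) apart from a directory document that lacks the `meta.termsOfService` field (RFC 8555 section 7.1.1). The sample responses are constructed and the ToS URL in them is a placeholder; the `--live` flag and the `acme-tos-check` user agent are this script's own conventions.

```python
"""Diagnostic for the TOS_UNAVAILABLE failure seen in the UTM letsencrypt log.

Re-runs the one step the UTM log reports as failing: GET the ACME
directory and read the Terms of Service link from its "meta" object.
Constructed sample responses are embedded so the checks run offline;
pass --live (this script's own flag) to query the real directory.
"""
import json
import ssl
import sys
import urllib.error
import urllib.request

DIRECTORY_URL = "https://acme-v02.api.letsencrypt.org/directory"


class TosUnavailable(Exception):
    """Mirrors the UTM error: the ToS URL could not be read from the directory."""


def tos_url_from_directory(status, body):
    """Return the Terms of Service URL from an ACME directory response.

    status: HTTP status code of the GET /directory response
    body:   response body as bytes or str
    Raises TosUnavailable when the response is not a 200 JSON document
    carrying an https meta.termsOfService entry.
    """
    if status != 200:
        raise TosUnavailable(f"Incorrect response code from ACME server: {status}")
    try:
        directory = json.loads(body)
    except (ValueError, TypeError) as exc:
        raise TosUnavailable(f"directory is not valid JSON: {exc}") from exc
    meta = directory.get("meta") if isinstance(directory, dict) else None
    tos = meta.get("termsOfService") if isinstance(meta, dict) else None
    if not isinstance(tos, str) or not tos.startswith("https://"):
        raise TosUnavailable("Failed to retrieve the current Terms of Service URL")
    return tos


def diagnose(status, body):
    """Return (ok, message) without raising, for scripted use."""
    try:
        return True, tos_url_from_directory(status, body)
    except TosUnavailable as exc:
        return False, str(exc)


# Constructed sample responses (not captured from Let's Encrypt); the ToS
# link is a placeholder, not the real document.
SAMPLE_OK = (200, json.dumps({
    "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
    "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
    "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
    "meta": {"termsOfService": "https://acme.example/tos-v1.pdf"},
}))
# What the UTM saw: a 500 with a non-JSON body.
SAMPLE_500 = (500, b"<html>Internal Server Error</html>")
# A 200 that is valid JSON but carries no meta object.
SAMPLE_NO_META = (200, json.dumps({
    "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
}))


def fetch_live(url=DIRECTORY_URL):
    """GET the real directory with normal TLS validation; returns (status, body)."""
    req = urllib.request.Request(url, headers={"User-Agent": "acme-tos-check/0.1"})
    ctx = ssl.create_default_context()
    try:
        with urllib.request.urlopen(req, timeout=15, context=ctx) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as exc:
        # Non-2xx responses arrive here; report them like any other status.
        return exc.code, exc.read()


if __name__ == "__main__":
    status, body = fetch_live() if "--live" in sys.argv else SAMPLE_OK
    ok, msg = diagnose(status, body)
    print(("OK: ToS URL is " if ok else "TOS_UNAVAILABLE: ") + msg)
```

Run it with `--live` from a host on the same network path as the UTM: a 200 with a usable ToS link from there, while the UTM still logs a 500, points at the UTM's own outbound path (proxying, certificate store, or filtering) rather than at the ACME service.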
  • For my UTM the following steps worked to renew the certificates again:

    - Go to Webserver Protection → Certificate Management → Certificate Authority
    - Delete the ISRG X1-Root CA (so that only the current R3 certificate is present).
    - Renew the certificates.

    This worked even for the subsequent certificate renewals.

    What's still bugging me is that the root certificate is back in the store after the first renewal. This means a wrong X1 root CA is being sent to the clients (check with ssllabs.com/ssltest to verify). With a root certificate that is present, an untrusted certificate chain is supplied (in parallel to the valid one).

  • This doesn't help.

    I deleted the ISRG X1 root CA; before that I disabled Let's Encrypt and can't enable it again.

    2021:11:04-16:15:24 FW letsencrypt[2149]: E Create account: TOS_UNAVAILABLE: Failed to retrieve the current Terms of Service URL
    2021:11:04-16:15:24 FW letsencrypt[2149]: E Create account: failed to create account
    2021:11:04-16:20:17 FW letsencrypt[3745]: I Create account: creating new Let's Encrypt acccount
    2021:11:04-16:20:18 FW letsencrypt[3745]: E Create account: Incorrect response code from ACME server: 500
    2021:11:04-16:20:18 FW letsencrypt[3745]: E Create account: URL was: acme-v02.api.letsencrypt.org/directory
    2021:11:04-16:20:18 FW letsencrypt[3745]: E Create account: TOS_UNAVAILABLE: Failed to retrieve the current Terms of Service URL
    2021:11:04-16:20:19 FW letsencrypt[3745]: E Create account: failed to create account
    2021:11:04-16:22:25 FW letsencrypt[14654]: I Create account: creating new Let's Encrypt acccount
    2021:11:04-16:22:27 FW letsencrypt[14654]: E Create account: Incorrect response code from ACME server: 500
    2021:11:04-16:22:27 FW letsencrypt[14654]: E Create account: URL was: acme-v02.api.letsencrypt.org/directory
    2021:11:04-16:22:27 FW letsencrypt[14654]: E Create account: TOS_UNAVAILABLE: Failed to retrieve the current Terms of Service URL
    2021:11:04-16:22:27 FW letsencrypt[14654]: E Create account: failed to create account
