
Sophos UTM 9.707-5 - Let’s Encrypt failed: Failed to retrieve the current Terms of Service link

Hello, 

I appear to be having issues trying to renew LE Certificates. This started a few days ago (when due for renewal) and initially I did come to this forum for answers and found that one post suggested updating to the latest UTM version. I'm now up to 9.707-5 but still have the same issue. 

Patterns also up to date:

Current pattern version: 204063
Latest available pattern version: 204063

It appears to be related to being unable to find the TOS but all links it shows resolve fine. The certificates I have are used for UTM Management and WAF.

Looking at the logs I see the following after turning the service off and back on...

2021:10:10-09:15:14 utm letsencrypt[9881]: I Create account: creating new Let's Encrypt acccount
2021:10:10-09:15:15 utm letsencrypt[9881]: E Create account: Incorrect response code from ACME server: 500
2021:10:10-09:15:15 utm letsencrypt[9881]: E Create account: URL was: acme-v02.api.letsencrypt.org/directory
2021:10:10-09:15:15 utm letsencrypt[9881]: E Create account: TOS_UNAVAILABLE: Failed to retrieve the current Terms of Service URL
2021:10:10-09:15:15 utm letsencrypt[9881]: E Create account: failed to create account

Prior to that, an attempt at renewing:

2021:10:10-08:44:02 utm letsencrypt[1020]: E Renew certificate: Incorrect response code from ACME server: 500
2021:10:10-08:44:02 utm letsencrypt[1020]: E Renew certificate: URL was: acme-v02.api.letsencrypt.org/directory
2021:10:10-08:44:02 utm letsencrypt[1020]: I Renew certificate: handling CSR REF_CaCsrXXXXLetsEncry for domain set [DOMAINS]
2021:10:10-08:44:02 utm letsencrypt[1020]: E Renew certificate: TOS_UNAVAILABLE: Could not obtain the current version of the Let's Encrypt Terms of Service
2021:10:10-08:44:02 utm letsencrypt[1020]: I Renew certificate: sending notification WARN-603
2021:10:10-08:44:02 utm letsencrypt[1020]: [WARN-603] Let's Encrypt certificate renewal failed accessing Let's Encrypt service
2021:10:10-08:44:02 utm letsencrypt[1020]: I Renew certificate: execution failed

The UTM has been rebooted, no change. I've turned off Web protection, no change...

Any ideas appreciated.

Thanks!


  • There are 2 X1 CA certificates:

    Correct
    Fingerprint: CA:BD:2A:79:A1:07:6A:31:F2:1D:25:36:35:CB:03:9D:43:29:A5:E8

    Wrong
    Fingerprint: 93:3C:6D:DE:E9:5C:9C:41:A4:0F:9F:50:49:3D:82:BE:03:AD:87:BF

    Download correct X1: https://letsencrypt.org/certificates/ or https://letsencrypt.org/certs/isrgrootx1.pem

    Delete the 93:3C:... and add the CA:BD:.. manually under Certificate Management->Certificate Authority

    The wrong X1 will reappear after a renewal of a LetsEncrypt certificate. So you might have to check again after at least 2 months.

  • Did that, doesn't work. I don't have any external CAs listed under Certificate Management->Certificate Authority, so I downloaded the one you mentioned and imported it. Unfortunately I'm still unable to enable Let's Encrypt:

    2021:11:10-18:14:22 firewall letsencrypt[13087]: I Create account: creating new Let's Encrypt acccount
    2021:11:10-18:14:23 firewall letsencrypt[13087]: E Create account: Incorrect response code from ACME server: 500
    2021:11:10-18:14:23 firewall letsencrypt[13087]: E Create account: URL was: acme-v02.api.letsencrypt.org/directory
    2021:11:10-18:14:23 firewall letsencrypt[13087]: E Create account: TOS_UNAVAILABLE: Failed to retrieve the current Terms of Service URL
    2021:11:10-18:14:23 firewall letsencrypt[13087]: E Create account: failed to create account
  • I'm afraid I can't help you without access to the UTM then.

    You might try your luck with Sophos support then.
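As an added example (not code from this thread or from Sophos): a small Python check for the two things the replies above turn on. It computes a CA certificate's fingerprint in the form the reply compares (20-byte fingerprints, so SHA-1 is assumed) and fetches the ACME directory's Terms of Service link while trusting only that CA file, which is the step the UTM logs as TOS_UNAVAILABLE. The expected fingerprint and directory URL are the ones quoted in the thread; the CA file path is yours.

```python
import base64
import hashlib
import json
import ssl
import urllib.error
import urllib.request

# Fingerprint of the ISRG Root X1 copy the reply labels "Correct" (from the thread; 20 bytes, so SHA-1 assumed).
GOOD_X1_FINGERPRINT = "CA:BD:2A:79:A1:07:6A:31:F2:1D:25:36:35:CB:03:9D:43:29:A5:E8"
ACME_DIRECTORY_URL = "https://acme-v02.api.letsencrypt.org/directory"  # URL from the UTM log lines


def pem_to_der(pem_text: str) -> bytes:
    """Strip the PEM armour lines and base64-decode the certificate body."""
    body = [ln.strip() for ln in pem_text.splitlines()
            if ln.strip() and not ln.strip().startswith("-----")]
    return base64.b64decode("".join(body))


def pem_fingerprint(pem_text: str) -> str:
    """SHA-1 over the DER bytes, rendered as colon-separated upper-case hex like the UTM GUI."""
    digest = hashlib.sha1(pem_to_der(pem_text)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def is_good_root_x1(pem_text: str) -> bool:
    """True only if the PEM matches the fingerprint the reply calls correct."""
    return pem_fingerprint(pem_text) == GOOD_X1_FINGERPRINT


def extract_tos(directory: dict) -> str:
    """Return meta.termsOfService from an ACME directory document; raise if it is absent."""
    tos = directory.get("meta", {}).get("termsOfService")
    if not tos:
        raise ValueError("TOS_UNAVAILABLE: directory document has no meta.termsOfService")
    return tos


def fetch_tos(cafile: str, url: str = ACME_DIRECTORY_URL) -> str:
    """Fetch the directory trusting only `cafile`, reproducing the UTM's create-account step."""
    # A chain that does not validate against this root surfaces here as an SSL error.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with urllib.request.urlopen(url, context=ctx, timeout=15) as resp:
            return extract_tos(json.load(resp))
    except urllib.error.HTTPError as exc:
        raise ValueError(f"Incorrect response code from ACME server: {exc.code}") from exc
```

Running `pem_fingerprint()` over the X1 you imported tells you which of the two copies from the reply you actually have; `fetch_tos()` with that file then shows whether the directory fetch and TOS lookup succeed with it.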
