
Sophos UTM 9.707-5 - Let’s Encrypt failed: Failed to retrieve the current Terms of Service link

Hello, 

I appear to be having issues trying to renew LE Certificates. This started a few days ago (when due for renewal) and initially I did come to this forum for answers and found that one post suggested to update to the latest UTM version. I'm now up to 9.707-5 but still have the same issue. 

Patterns also up to date:

Current pattern version: 204063
Latest available pattern version: 204063

It appears to be related to being unable to find the TOS but all links it shows resolve fine. The certificates I have are used for UTM Management and WAF.

Looking at the logs I see the following after turning the service off and back on...

2021:10:10-09:15:14 utm letsencrypt[9881]: I Create account: creating new Let's Encrypt acccount
2021:10:10-09:15:15 utm letsencrypt[9881]: E Create account: Incorrect response code from ACME server: 500
2021:10:10-09:15:15 utm letsencrypt[9881]: E Create account: URL was: acme-v02.api.letsencrypt.org/directory
2021:10:10-09:15:15 utm letsencrypt[9881]: E Create account: TOS_UNAVAILABLE: Failed to retrieve the current Terms of Service URL
2021:10:10-09:15:15 utm letsencrypt[9881]: E Create account: failed to create account

Prior to that, an attempt at renewing:

2021:10:10-08:44:02 utm letsencrypt[1020]: E Renew certificate: Incorrect response code from ACME server: 500
2021:10:10-08:44:02 utm letsencrypt[1020]: E Renew certificate: URL was: acme-v02.api.letsencrypt.org/directory
2021:10:10-08:44:02 utm letsencrypt[1020]: I Renew certificate: handling CSR REF_CaCsrXXXXLetsEncry for domain set [DOMAINS]
2021:10:10-08:44:02 utm letsencrypt[1020]: E Renew certificate: TOS_UNAVAILABLE: Could not obtain the current version of the Let's Encrypt Terms of Service
2021:10:10-08:44:02 utm letsencrypt[1020]: I Renew certificate: sending notification WARN-603
2021:10:10-08:44:02 utm letsencrypt[1020]: [WARN-603] Let's Encrypt certificate renewal failed accessing Let's Encrypt service
2021:10:10-08:44:02 utm letsencrypt[1020]: I Renew certificate: execution failed

The UTM has been rebooted, no change. I've turned off Web protection, no change...

Any ideas appreciated.

Thanks!


  • There are 2 X1 CA certificates:

    Correct
    Fingerprint: CA:BD:2A:79:A1:07:6A:31:F2:1D:25:36:35:CB:03:9D:43:29:A5:E8

    Wrong
    Fingerprint: 93:3C:6D:DE:E9:5C:9C:41:A4:0F:9F:50:49:3D:82:BE:03:AD:87:BF

    Download correct X1: https://letsencrypt.org/certificates/ or https://letsencrypt.org/certs/isrgrootx1.pem

    Delete the 93:3C:... one and add the CA:BD:... one manually under Certificate Management -> Certificate Authority.

    The wrong X1 will reappear after a renewal of a Let's Encrypt certificate, so you might have to check again after at least 2 months.

  • > The wrong X1 will reappear after a renewal of a Let's Encrypt certificate, so you might have to check again after at least 2 months.

    Can you please elaborate on that? Can Sophos give us an official solution / patch for the issue?

    We have opened support case 04594640.

  • I'm waiting for a reply on this exact issue from support

  • I have the same problem with the same version of UTM.

    Over SSH I tried this:

    wget https://acme-v02.api.letsencrypt.org/directory
    --2021-12-03 07:32:31--  https://acme-v02.api.letsencrypt.org/directory
    Resolving acme-v02.api.letsencrypt.org... 172.65.32.248, 2606:4700:60:0:f53d:5624:85c7:3a2c
    Connecting to acme-v02.api.letsencrypt.org|172.65.32.248|:443... connected.
    ERROR: cannot verify acme-v02.api.letsencrypt.org's certificate, issued by `/C=US/O=Let's Encrypt/CN=R3':
      unable to get issuer certificate
    To connect to acme-v02.api.letsencrypt.org insecurely, use `--no-check-certificate'.
    Unable to establish SSL connection.

    With the parameter --no-check-certificate it works.

    There is no X1 cert available on my UTM, and I also tried disabling and re-enabling the Let's Encrypt service.

    Disabling was no problem, but enabling had no luck:

    2021:12:03-07:18:02 fw-trzisp-02-1 letsencrypt[23893]: I Renew certificate: sending notification WARN-603
    2021:12:03-07:18:02 fw-trzisp-02-1 letsencrypt[23893]: [WARN-603] Let's Encrypt certificate renewal failed accessing Let's Encrypt service
    2021:12:03-07:18:02 fw-trzisp-02-1 letsencrypt[23893]: I Renew certificate: execution failed
    2021:12:03-07:25:02 fw-trzisp-02-1 letsencrypt[25004]: I CONFD: Account removed because Let's Encrypt was disabled by the user
    2021:12:03-07:25:03 fw-trzisp-02-2 letsencrypt[21796]: I CONFD: Account removed because Let's Encrypt was disabled by the user
    2021:12:03-07:25:48 fw-trzisp-02-1 letsencrypt[25102]: I Create account: creating new Let's Encrypt acccount
    2021:12:03-07:25:48 fw-trzisp-02-1 letsencrypt[25102]: E Create account: Incorrect response code from ACME server: 500
    2021:12:03-07:25:48 fw-trzisp-02-1 letsencrypt[25102]: E Create account: URL was: https://acme-v02.api.letsencrypt.org/directory
    2021:12:03-07:25:48 fw-trzisp-02-1 letsencrypt[25102]: E Create account: TOS_UNAVAILABLE: Failed to retrieve the current Terms of Service URL
    2021:12:03-07:25:48 fw-trzisp-02-1 letsencrypt[25102]: E Create account: failed to create account
    2021:12:03-07:31:19 fw-trzisp-02-1 letsencrypt[25990]: I Create account: creating new Let's Encrypt acccount
    2021:12:03-07:31:20 fw-trzisp-02-1 letsencrypt[25990]: E Create account: Incorrect response code from ACME server: 500
    2021:12:03-07:31:20 fw-trzisp-02-1 letsencrypt[25990]: E Create account: URL was: https://acme-v02.api.letsencrypt.org/directory
    2021:12:03-07:31:20 fw-trzisp-02-1 letsencrypt[25990]: E Create account: TOS_UNAVAILABLE: Failed to retrieve the current Terms of Service URL
    2021:12:03-07:31:20 fw-trzisp-02-1 letsencrypt[25990]: E Create account: failed to create account 

    So how can I solve the problem?
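The two symptoms in this thread (a stale ISRG Root X1 copy in the UTM CA store, and wget failing with "unable to get issuer certificate" against the ACME endpoint) both come down to which X1 root the box actually trusts. The script below is an added example, not Sophos or Let's Encrypt code: it takes a PEM bundle exported from the CA store (or the downloaded isrgrootx1.pem) and reports, per certificate, whether its SHA-1 fingerprint is the "correct" or "wrong" X1 quoted in the reply above or something else. Only the Python standard library is used; the sample bundle at the bottom is constructed (its body is just base64 of the bytes "abc", not a real certificate) so the script runs offline.

```python
"""Classify certificates in a PEM bundle against the two ISRG Root X1
fingerprints quoted in this thread.  Added example, not Sophos code.

A PEM block is decoded to DER with ssl.PEM_cert_to_DER_cert(); the SHA-1
over the DER bytes, written as colon-separated upper-case hex, is the
fingerprint WebAdmin shows under Certificate Management -> Certificate Authority.
"""
import hashlib
import re
import ssl
from typing import List, Tuple

# Fingerprints copied from the reply above (SHA-1 over the DER certificate).
CORRECT_X1 = "CA:BD:2A:79:A1:07:6A:31:F2:1D:25:36:35:CB:03:9D:43:29:A5:E8"
WRONG_X1 = "93:3C:6D:DE:E9:5C:9C:41:A4:0F:9F:50:49:3D:82:BE:03:AD:87:BF"

# One PEM certificate block, non-greedy so a bundle with several is split correctly.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S
)


def normalize_fingerprint(fp: str) -> str:
    """Accept 'ca:bd:...', 'CABD...' or 'ca bd ...' and return the WebAdmin form."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", fp).upper()
    if len(hexdigits) != 40:  # SHA-1 is 20 bytes
        raise ValueError(f"not a SHA-1 fingerprint: {fp!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 40, 2))


def pem_fingerprint(pem: str) -> str:
    """SHA-1 fingerprint of a single PEM-encoded certificate."""
    der = ssl.PEM_cert_to_DER_cert(pem.strip())
    return normalize_fingerprint(hashlib.sha1(der).hexdigest())


def classify(fp: str) -> str:
    """'correct', 'wrong' or 'other', relative to the thread's two X1 copies."""
    fp = normalize_fingerprint(fp)
    if fp == CORRECT_X1:
        return "correct"
    if fp == WRONG_X1:
        return "wrong"
    return "other"


def audit_bundle(bundle_text: str) -> List[Tuple[str, str]]:
    """Split a PEM bundle (e.g. a CA export) and classify every certificate in it."""
    results = []
    for match in PEM_BLOCK.finditer(bundle_text):
        fp = pem_fingerprint(match.group(0))
        results.append((fp, classify(fp)))
    return results


# Constructed sample input: base64 of b"abc", NOT a real certificate, so it
# must be reported as 'other'.  Replace with a real export to audit a UTM.
CONSTRUCTED_BUNDLE = """\
-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    import sys

    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else CONSTRUCTED_BUNDLE
    findings = audit_bundle(text)
    for fp, verdict in findings:
        print(f"{fp}  {verdict}")
    if not any(verdict == "correct" for _, verdict in findings):
        print("no certificate with the correct ISRG Root X1 fingerprint found")
```

On the UTM itself the same fingerprint can be read with `openssl x509 -noout -fingerprint -sha1 -in isrgrootx1.pem`; the point of the script is to run it over a whole exported bundle and flag the stale copy that, per the reply above, comes back after each renewal.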
