Sophos UTM 9.707-5 - Let’s Encrypt failed: Failed to retrieve the current Terms of Service link

Question

Hello, 
 I appear to be having issues trying to renew LE Certificates. This started a few days ago (when due for renewal) and initially I did come to this forum for answers and found that one post suggested to update to the latest UTM version. I'm now up to 9.707-5 but still have the same issue. 
 Patterns also up to date: 
 Current pattern version: 204063 Latest available pattern version: 204063 
 It appears to be related to being unable to find the TOS but all links it shows resolve fine. The certificates I have are used for UTM Management and WAF. 
 Looking at the logs I see the following after turning the service off and back on... 
 2021:10:10-09:15:14 utm letsencrypt[9881]: I Create account: creating new Let's Encrypt acccount
2021:10:10-09:15:15 utm letsencrypt[9881]: E Create account: Incorrect response code from ACME server: 500
2021:10:10-09:15:15 utm letsencrypt[9881]: E Create account: URL was: acme-v02.api.letsencrypt.org/directory 
2021:10:10-09:15:15 utm letsencrypt[9881]: E Create account: TOS_UNAVAILABLE: Failed to retrieve the current Terms of Service URL
2021:10:10-09:15:15 utm letsencrypt[9881]: E Create account: failed to create account Prior to that, an attempt at renewing: 2021:10:10-08:44:02 utm letsencrypt[1020]: E Renew certificate: Incorrect response code from ACME server: 500 2021:10:10-08:44:02 utm letsencrypt[1020]: E Renew certificate: URL was: acme-v02.api.letsencrypt.org/directory 2021:10:10-08:44:02 utm letsencrypt[1020]: I Renew certificate: handling CSR REF_CaCsrXXXXLetsEncry for domain set [DOMAINS] 2021:10:10-08:44:02 utm letsencrypt[1020]: E Renew certificate: TOS_UNAVAILABLE: Could not obtain the current version of the Let's Encrypt Terms of Service 2021:10:10-08:44:02 utm letsencrypt[1020]: I Renew certificate: sending notification WARN-603 2021:10:10-08:44:02 utm letsencrypt[1020]: [WARN-603] Let's Encrypt certificate renewal failed accessing Let's Encrypt service 2021:10:10-08:44:02 utm letsencrypt[1020]: I Renew certificate: execution failed The UTM has been rebooted, no change. I've turned off Web protection, no change... Any ideas appreciated. Thanks!

Sophos User5110 · Accepted Answer

For my UTM the following steps worked to renew the certificates again: 
 - Go to Webserver Protection &rarr; Certificate Management &rarr; Certificate Authority - Delete the ISRG X1-Root CA (so that only the current R3 certificate is present). - Renew the certificates. 
 This worked even for the subsequent certificate renewals. 
 What's still bugging me is that the root certificate is back in store after the first renewal. This means, a wrong X1 root CA is being sent to the clients (check with ssllabs.com/ssltest to verify). With a root certificate that is present, an untrusted certificate chain is supplied (in parallel to the valid one).

Stefan Weiss1 · Answer

Same error. Old URL Unavailable: This is what helped me. Seems to be Important to disable the Webfilter/Webproxy and reenable it again but i dont know the order as first or after the first apply of the LE apply button. Apply LE without selecting the the LE checkbox. After the red failure Text disappears set the LE checkbox active and apply. Shortly after this order LE was set again. It seems the first apply accepted the new EULA and with the second apply of the same button and the LE checkbox activates LE again. 
 The enbedded Link for the EULA first was from 2017 after the first apply push the EULA was from 2022 and the LE was able to activate.

Not easy to monitor when LE changed its eula and this deactivates the LE function of the Sophos without knowing it. Only was aknowledged by O365 Mail Bounce Messages and in subinformations for expired certificates.

Michael Henkes · Answer

There are 2 X1 CA certificates: 
 Correct Fingerprint : CA:BD:2A:79:A1:07:6A:31:F2:1D:25:36:35:CB:03:9D:43:29:A5:E8 Wrong Fingerprint : 93:3C:6D:DE:E9:5C:9C:41:A4:0F:9F:50:49:3D:82:BE:03:AD:87:BF 
 Download correct X1: https://letsencrypt.org/certificates/ or https://letsencrypt.org/certs/isrgrootx1.pem 
 Delete the 93:3C:... and add the CA:BD :.. manually under Certificate Management->Certificate Authority 
 The wrong X1 will reappear after a renew of a LetsEncrypt certificate. So you might have to check again after at least 2 month.

JasmineMaier · Answer

Dec. 6th 2021 still no solution from Sophos. 
 Proposed solution is NOT WORKING. 
 See below.

Michael Henkes · Answer

Had the same issue today, just delete the wrong X1 again (93:3C:6D:DE:E9:5C:9C:41:A4:0F:9F:50:49:3D:82:BE:03:AD:87:BF) and renew the certificate(s), worked for me an several UTMs (9.709 FW) 
 Be sure you manually added the correct X1 as described in ths thread

Willem Poort · Answer

For me it worked by forcing IPv4 
 wget -4 https:// acme-v02.api.letsencrypt.org/directory --no-check-certificate

Alejandro Sanchez · Answer

My case: 
 Sophos UTM version: 9.712-13 
 I already had this problem in the past. The correct X1 certificate was present, and let's encrypt was working fine. Today I couldn't renew some certificate and Let's Encrypt account was disabled. 
 Deleting the X1 certificate warned me about other certificate (the one which I use for WebAdmin). Only when I deleted this certificate also, Let's encrypt account was created again.

Kazaam · Answer

Hello 
 Try to disable IPv6, don't know why but it failed to resolve with it (and also from some websites with wget on ssh) 
 
 Here result, before selected with IPV6, after selected without IPv6 
 
 Cheers

Sophos UTM 9.707-5 - Let’s Encrypt failed: Failed to retrieve the current Terms of Service link

Top Replies