Sophos UTM 9.707-5 - Let’s Encrypt failed: Failed to retrieve the current Terms of Service link

Hello, 

I appear to be having issues trying to renew LE Certificates. This started a few days ago (when due for renewal) and initially I did come to this forum for answers and found that one post suggested to update to the latest UTM version. I'm now up to 9.707-5 but still have the same issue. 

Patterns also up to date:

Current pattern version: 204063
Latest available pattern version: 204063

It appears to be related to being unable to find the TOS but all links it shows resolve fine. The certificates I have are used for UTM Management and WAF.

Looking at the logs I see the following after turning the service off and back on...

2021:10:10-09:15:14 utm letsencrypt[9881]: I Create account: creating new Let's Encrypt acccount
2021:10:10-09:15:15 utm letsencrypt[9881]: E Create account: Incorrect response code from ACME server: 500
2021:10:10-09:15:15 utm letsencrypt[9881]: E Create account: URL was: acme-v02.api.letsencrypt.org/directory
2021:10:10-09:15:15 utm letsencrypt[9881]: E Create account: TOS_UNAVAILABLE: Failed to retrieve the current Terms of Service URL
2021:10:10-09:15:15 utm letsencrypt[9881]: E Create account: failed to create account

Prior to that, an attempt at renewing:

2021:10:10-08:44:02 utm letsencrypt[1020]: E Renew certificate: Incorrect response code from ACME server: 500
2021:10:10-08:44:02 utm letsencrypt[1020]: E Renew certificate: URL was: acme-v02.api.letsencrypt.org/directory
2021:10:10-08:44:02 utm letsencrypt[1020]: I Renew certificate: handling CSR REF_CaCsrXXXXLetsEncry for domain set [DOMAINS]
2021:10:10-08:44:02 utm letsencrypt[1020]: E Renew certificate: TOS_UNAVAILABLE: Could not obtain the current version of the Let's Encrypt Terms of Service
2021:10:10-08:44:02 utm letsencrypt[1020]: I Renew certificate: sending notification WARN-603
2021:10:10-08:44:02 utm letsencrypt[1020]: [WARN-603] Let's Encrypt certificate renewal failed accessing Let's Encrypt service
2021:10:10-08:44:02 utm letsencrypt[1020]: I Renew certificate: execution failed

The UTM has been rebooted, no change. I've turned off Web protection, no change...

Any ideas appreciated.

Thanks!


  • There are 2 X1 CA certificates:

    Correct
    Fingerprint: CA:BD:2A:79:A1:07:6A:31:F2:1D:25:36:35:CB:03:9D:43:29:A5:E8

    Wrong
    Fingerprint: 93:3C:6D:DE:E9:5C:9C:41:A4:0F:9F:50:49:3D:82:BE:03:AD:87:BF

    Download correct X1: https://letsencrypt.org/certificates/ or https://letsencrypt.org/certs/isrgrootx1.pem

    Delete the 93:3C:... and add the CA:BD:.. manually under Certificate Management->Certificate Authority

    The wrong X1 will reappear after a renewal of a LetsEncrypt certificate. So you might have to check again after at least 2 months.
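The post above identifies the two ISRG Root X1 variants only by their SHA-1 fingerprints. The following script is an added example (not part of the thread and not Sophos code) that audits an exported PEM bundle for exactly those two fingerprints using only the Python standard library, so the check can be repeated after each renewal. It assumes the CA store can be exported as a PEM file; the file path passed on the command line and the embedded sample bundle are constructed placeholders, not real certificates.

```python
"""Audit a PEM bundle for the two ISRG Root X1 variants named in the thread.

Added example, not Sophos code. Each certificate is decoded from PEM to DER
and its SHA-1 fingerprint (the form quoted in the post) is compared against
the two known values.
"""
import base64
import hashlib
import re
import sys

# Fingerprints quoted in the post: self-signed root (keep) and the
# DST-cross-signed variant (remove). Both are SHA-1 over the DER encoding.
CORRECT_X1 = "CA:BD:2A:79:A1:07:6A:31:F2:1D:25:36:35:CB:03:9D:43:29:A5:E8"
WRONG_X1 = "93:3C:6D:DE:E9:5C:9C:41:A4:0F:9F:50:49:3D:82:BE:03:AD:87:BF"

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def normalize(fp: str) -> str:
    """Accept 'ca:bd:..', 'CABD..' or 'ca bd ..' and return 'CA:BD:..'."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", fp).upper()
    if len(hexdigits) != 40:
        raise ValueError("SHA-1 fingerprint must be 40 hex digits")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 40, 2))


def sha1_fingerprint(der: bytes) -> str:
    """Colon-separated uppercase SHA-1 of the DER bytes, as openssl prints it."""
    return normalize(hashlib.sha1(der).hexdigest())


def classify(fp: str) -> str:
    """'correct' for the self-signed root, 'wrong' for the cross-signed copy."""
    fp = normalize(fp)
    if fp == CORRECT_X1:
        return "correct"
    if fp == WRONG_X1:
        return "wrong"
    return "unknown"


def audit_bundle(pem_text: str) -> list:
    """Return (index, fingerprint, verdict) for every certificate in the bundle."""
    results = []
    for i, m in enumerate(_PEM_BLOCK.finditer(pem_text)):
        b64 = "".join(m.group(1).split())  # drop the line breaks inside the body
        der = base64.b64decode(b64, validate=True)
        fp = sha1_fingerprint(der)
        results.append((i, fp, classify(fp)))
    return results


def summarize(results) -> str:
    """One-line verdict mirroring the manual steps described in the post."""
    verdicts = [v for _, _, v in results]
    if "wrong" in verdicts and "correct" not in verdicts:
        return "only the cross-signed X1 is present: replace it with the self-signed root"
    if "wrong" in verdicts:
        return "cross-signed X1 present alongside the correct root: delete the cross-signed one"
    if "correct" in verdicts:
        return "self-signed ISRG Root X1 present, no cross-signed copy found"
    return "no ISRG Root X1 found in bundle"


def fake_pem(payload: bytes) -> str:
    """Wrap arbitrary bytes in PEM armour (constructed placeholder, not X.509)."""
    body = base64.b64encode(payload).decode("ascii")
    lines = [body[j:j + 64] for j in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed sample bundle: two placeholder blobs whose fingerprints will
# classify as "unknown". A real exported CA store is passed on the command line.
SAMPLE_BUNDLE = fake_pem(b"placeholder certificate one") + fake_pem(
    b"placeholder certificate two" * 3
)

if __name__ == "__main__":
    # Usage: python audit_x1.py /path/to/exported-ca-bundle.pem  (path is hypothetical)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    found = audit_bundle(text)
    for idx, fp, verdict in found:
        print(f"cert #{idx}: {fp} -> {verdict}")
    print(summarize(found))
```

Run it without arguments to see the sample output; with a path it reads the exported bundle. Fingerprints pasted from a UI or from `openssl x509 -fingerprint -sha1` are accepted with or without colons and in either case, so the comparison does not fail on formatting.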

  • > The wrong X1 will reappear after a renewal of a LetsEncrypt certificate. So you might have to check again after at least 2 months.

    Can you please elaborate on that? Can Sophos give us an official solution / patch for the issue?

    We have support case 04594640 open.

  • I'm waiting for a reply on this exact issue from support

  • I have the same problem with the same version of UTM.

    Over SSH I tried this:

    wget https://acme-v02.api.letsencrypt.org/directory
    --2021-12-03 07:32:31--  https://acme-v02.api.letsencrypt.org/directory
    Resolving acme-v02.api.letsencrypt.org... 172.65.32.248, 2606:4700:60:0:f53d:5624:85c7:3a2c
    Connecting to acme-v02.api.letsencrypt.org|172.65.32.248|:443... connected.
    ERROR: cannot verify acme-v02.api.letsencrypt.org's certificate, issued by `/C=US/O=Let's Encrypt/CN=R3':
      unable to get issuer certificate
    To connect to acme-v02.api.letsencrypt.org insecurely, use `--no-check-certificate'.
    Unable to establish SSL connection.

    With the parameter --no-check-certificate it works.

    There is no X1 cert available on my UTM, and I also tried to disable and enable the Let's Encrypt service.

    Disabling was no problem, but enabling had no luck:

    2021:12:03-07:18:02 fw-trzisp-02-1 letsencrypt[23893]: I Renew certificate: sending notification WARN-603
    2021:12:03-07:18:02 fw-trzisp-02-1 letsencrypt[23893]: [WARN-603] Let's Encrypt certificate renewal failed accessing Let's Encrypt service
    2021:12:03-07:18:02 fw-trzisp-02-1 letsencrypt[23893]: I Renew certificate: execution failed
    2021:12:03-07:25:02 fw-trzisp-02-1 letsencrypt[25004]: I CONFD: Account removed because Let's Encrypt was disabled by the user
    2021:12:03-07:25:03 fw-trzisp-02-2 letsencrypt[21796]: I CONFD: Account removed because Let's Encrypt was disabled by the user
    2021:12:03-07:25:48 fw-trzisp-02-1 letsencrypt[25102]: I Create account: creating new Let's Encrypt acccount
    2021:12:03-07:25:48 fw-trzisp-02-1 letsencrypt[25102]: E Create account: Incorrect response code from ACME server: 500
    2021:12:03-07:25:48 fw-trzisp-02-1 letsencrypt[25102]: E Create account: URL was: https://acme-v02.api.letsencrypt.org/directory
    2021:12:03-07:25:48 fw-trzisp-02-1 letsencrypt[25102]: E Create account: TOS_UNAVAILABLE: Failed to retrieve the current Terms of Service URL
    2021:12:03-07:25:48 fw-trzisp-02-1 letsencrypt[25102]: E Create account: failed to create account
    2021:12:03-07:31:19 fw-trzisp-02-1 letsencrypt[25990]: I Create account: creating new Let's Encrypt acccount
    2021:12:03-07:31:20 fw-trzisp-02-1 letsencrypt[25990]: E Create account: Incorrect response code from ACME server: 500
    2021:12:03-07:31:20 fw-trzisp-02-1 letsencrypt[25990]: E Create account: URL was: https://acme-v02.api.letsencrypt.org/directory
    2021:12:03-07:31:20 fw-trzisp-02-1 letsencrypt[25990]: E Create account: TOS_UNAVAILABLE: Failed to retrieve the current Terms of Service URL
    2021:12:03-07:31:20 fw-trzisp-02-1 letsencrypt[25990]: E Create account: failed to create account 

    So how can I solve the problem?

  • Thank you Henrik for your reply.

    That one has not solved my problem; I still can't get it activated or download from the site via wget for testing.
    Country blocking is off and I don't know what happened.

    Greetings!

  • Updated from 707 to 708 but the problem still persists.

  • When I try this I get:
    fw:/root # wget acme-v02.api.letsencrypt.org/directory
    --2021-12-04 19:45:59--  acme-v02.api.letsencrypt.org/directory
    Resolving acme-v02.api.letsencrypt.org... 2606:4700:60:0:f53d:5624:85c7:3a2c, 172.65.32.248
    Connecting to acme-v02.api.letsencrypt.org|2606:4700:60:0:f53d:5624:85c7:3a2c|:443... failed: Connection timed out.
    Connecting to acme-v02.api.letsencrypt.org|172.65.32.248|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 658 [application/json]
    Saving to: `directory.1'

    100%[====================================================================================================================================================================================================================>] 658         --.-K/s   in 0s

    2021-12-04 19:48:07 (96.2 MB/s) - `directory.1' saved [658/658]

    fw:/root # wget acme-v02.api.letsencrypt.org/directory --no-check-certificate
    --2021-12-04 19:42:51--  acme-v02.api.letsencrypt.org/directory
    Resolving acme-v02.api.letsencrypt.org... 2606:4700:60:0:f53d:5624:85c7:3a2c, 172.65.32.248
    Connecting to acme-v02.api.letsencrypt.org|2606:4700:60:0:f53d:5624:85c7:3a2c|:443... failed: Connection timed out.
    Connecting to acme-v02.api.letsencrypt.org|172.65.32.248|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 658 [application/json]
    Saving to: `directory'

    100%[====================================================================================================================================================================================================================>] 658         --.-K/s   in 0s

    2021-12-04 19:44:59 (121 MB/s) - `directory' saved [658/658]

  • I repeatedly get connection reset by peer

    astaroutmisbest:/root/test # wget acme-v02.api.letsencrypt.org/directory
    --2021-12-05 10:33:57--  acme-v02.api.letsencrypt.org/directory
    Resolving acme-v02.api.letsencrypt.org... 172.65.32.248, 2606:4700:60:0:f53d:5624:85c7:3a2c
    Connecting to acme-v02.api.letsencrypt.org|172.65.32.248|:80... connected.
    HTTP request sent, awaiting response... Read error (Connection reset by peer) in headers.
    Retrying.

    --2021-12-05 10:33:58--  (try: 2)  acme-v02.api.letsencrypt.org/directory
    Connecting to acme-v02.api.letsencrypt.org|172.65.32.248|:80... connected.
    HTTP request sent, awaiting response... Read error (Connection reset by peer) in headers.
    Retrying.

    Using --no-check-certificate it downloads

    astaroutmisbest:/root/test # wget acme-v02.api.letsencrypt.org/directory --no-check-certificate
    --2021-12-05 10:40:20--  acme-v02.api.letsencrypt.org/directory
    Resolving acme-v02.api.letsencrypt.org... 172.65.32.248, 2606:4700:60:0:f53d:5624:85c7:3a2c
    Connecting to acme-v02.api.letsencrypt.org|172.65.32.248|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 658 [application/json]
    Saving to: `directory'
    100%[=================================================>] 658         --.-K/s   in 0s      
    2021-12-05 10:40:20 (158 MB/s) - `directory' saved [658/658]

    BTW:
    Box is on 9.708-6; also tried 9.705, 707 and 708

    I have no problems on 707 with my home use installation, but the box with the paid license causes these problems...

  • So on your side it's working, on my side it's not working without --no-check-cert.

  • Yes, I have installed the update to 9.708-6 but am still unable to activate Let's Encrypt again....

  • @PieterH and Jasmine,

    Are you getting the same error if you activate Let's Encrypt?

  • Hello Sophos Support, what is the status here? The ticket was already opened last Friday and apparently it affects other people?
    Please urgently share the status or resolution of the issue!

  • Yes, when I try to turn on Let's Encrypt again I get the errors.

  • For me it worked by forcing IPv4

    wget -4  https://acme-v02.api.letsencrypt.org/directory --no-check-certificate