Sophos UTM 9.707-5 - Let’s Encrypt failed: Failed to retrieve the current Terms of Service link

Hello, 

I appear to be having issues trying to renew LE Certificates. This started a few days ago (when due for renewal) and initially I did come to this forum for answers and found that one post suggested to update to the latest UTM version. I'm now up to 9.707-5 but still have the same issue. 

Patterns also up to date:

Current pattern version: 204063
Latest available pattern version: 204063

It appears to be related to being unable to find the TOS but all links it shows resolve fine. The certificates I have are used for UTM Management and WAF.

Looking at the logs I see the following after turning the service off and back on...

2021:10:10-09:15:14 utm letsencrypt[9881]: I Create account: creating new Let's Encrypt acccount
2021:10:10-09:15:15 utm letsencrypt[9881]: E Create account: Incorrect response code from ACME server: 500
2021:10:10-09:15:15 utm letsencrypt[9881]: E Create account: URL was: acme-v02.api.letsencrypt.org/directory
2021:10:10-09:15:15 utm letsencrypt[9881]: E Create account: TOS_UNAVAILABLE: Failed to retrieve the current Terms of Service URL
2021:10:10-09:15:15 utm letsencrypt[9881]: E Create account: failed to create account

Prior to that, an attempt at renewing:

2021:10:10-08:44:02 utm letsencrypt[1020]: E Renew certificate: Incorrect response code from ACME server: 500
2021:10:10-08:44:02 utm letsencrypt[1020]: E Renew certificate: URL was: acme-v02.api.letsencrypt.org/directory
2021:10:10-08:44:02 utm letsencrypt[1020]: I Renew certificate: handling CSR REF_CaCsrXXXXLetsEncry for domain set [DOMAINS]
2021:10:10-08:44:02 utm letsencrypt[1020]: E Renew certificate: TOS_UNAVAILABLE: Could not obtain the current version of the Let's Encrypt Terms of Service
2021:10:10-08:44:02 utm letsencrypt[1020]: I Renew certificate: sending notification WARN-603
2021:10:10-08:44:02 utm letsencrypt[1020]: [WARN-603] Let's Encrypt certificate renewal failed accessing Let's Encrypt service
2021:10:10-08:44:02 utm letsencrypt[1020]: I Renew certificate: execution failed

The UTM has been rebooted, no change. I've turned off Web protection, no change...

Any ideas appreciated.

Thanks!
  • My case:

    Sophos UTM version: 9.712-13

    I already had this problem in the past. The correct X1 certificate was present, and Let's Encrypt was working fine.
    Today I couldn't renew some certificates and the Let's Encrypt account was disabled.

    Deleting the X1 certificate warned me about another certificate (the one which I use for WebAdmin). Only when I deleted this certificate as well was the Let's Encrypt account created again.

  • Same problem on my utm.
    2022:09:27-10:09:22 letsencrypt[12209]: I Create account: creating new Let's Encrypt acccount
    2022:09:27-10:09:24 letsencrypt[12209]: E Create account: Incorrect response code from ACME server: 500
    2022:09:27-10:09:24 letsencrypt[12209]: E Create account: URL was: acme-v02.api.letsencrypt.org/directory
    2022:09:27-10:09:24 letsencrypt[12209]: E Create account: TOS_UNAVAILABLE: Failed to retrieve the current Terms of Service URL
    2022:09:27-10:09:24 letsencrypt[12209]: E Create account: failed to create account

    I disabled the Let's Encrypt option and reset it.
    I cannot enable it again:
    The previous attempt to enable Let’s Encrypt failed: Failed to retrieve the current Terms of Service link. Please try again or check the Internet connection if the problem persists.

  • Same error. Old URL unavailable: this is what helped me. It seems to be important to disable the Webfilter/Webproxy and re-enable it again, but I don't know the order, whether before or after the first press of the LE Apply button. Apply LE without selecting the LE checkbox. After the red failure text disappears, set the LE checkbox active and apply. Shortly after this sequence LE was set again. It seems the first apply accepted the new EULA, and the second apply of the same button with the LE checkbox activated LE again.

    The embedded link for the EULA was first from 2017; after the first Apply push the EULA was from 2022 and LE was able to activate.

    Not easy to monitor when LE changed its EULA and this deactivates the LE function of the Sophos without you knowing it. It was only acknowledged by O365 mail bounce messages and in the sub-information for expired certificates.
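The thread's two failure modes, an HTTP 500 from the ACME directory and a directory document with no Terms of Service link, plus the last reply's wish to notice when the ToS URL changes, can be checked from the outside. The script below is an added example, not Sophos or Let's Encrypt code: it reads `meta.termsOfService` from the ACME v2 directory document (RFC 8555 section 7.1.1) and classifies the result in the same terms as the UTM log lines. The sample directory and its ToS URL are constructed placeholders; `http_get` does a live fetch only when you call `check_directory()` with no arguments.

```python
import json
import urllib.error
import urllib.request
from typing import Callable, Optional, Tuple

# Directory URL from the UTM log lines above (ACME v2, RFC 8555 section 7.1.1).
ACME_DIRECTORY = "https://acme-v02.api.letsencrypt.org/directory"

# Constructed sample directory document, trimmed to the fields used here;
# the ToS URL is a placeholder, not Let's Encrypt's real one.
SAMPLE_DIRECTORY = json.dumps({
    "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
    "meta": {"termsOfService": "https://example.invalid/terms-2022.pdf"},
})

def terms_of_service_url(directory_json: str) -> Optional[str]:
    """Return meta.termsOfService from a directory document, or None if absent.
    This is the lookup behind the UTM's TOS_UNAVAILABLE error."""
    try:
        doc = json.loads(directory_json)
    except ValueError:
        return None
    meta = doc.get("meta") if isinstance(doc, dict) else None
    tos = meta.get("termsOfService") if isinstance(meta, dict) else None
    return tos if isinstance(tos, str) and tos.startswith("https://") else None

def http_get(url: str = ACME_DIRECTORY) -> Tuple[int, str]:
    """Plain GET returning (status, body); an HTTP error status is returned, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""

def check_directory(fetch: Callable[[], Tuple[int, str]] = http_get,
                    accepted: Optional[str] = None) -> dict:
    """Classify the directory response the way the UTM log lines read:
    'server_error' (Incorrect response code from ACME server: 500),
    'tos_unavailable' (body lacks meta.termsOfService), 'tos_changed' when
    the advertised URL differs from the one the account accepted, else 'ok'."""
    status, body = fetch()
    if status >= 500:
        return {"status": "server_error", "code": status}
    tos = terms_of_service_url(body)
    if tos is None:
        return {"status": "tos_unavailable", "code": status}
    if accepted is not None and tos != accepted:
        return {"status": "tos_changed", "tos": tos, "accepted": accepted}
    return {"status": "ok", "tos": tos}
```

Run `check_directory(accepted=<the ToS URL your account last accepted>)` from cron and alert on anything other than `ok`; a `tos_changed` result is the early warning the last reply was missing, before the UTM disables its Let's Encrypt function.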