Sophos UTM 9.707-5 - Let’s Encrypt failed: Failed to retrieve the current Terms of Service link

Hello, 

I appear to be having issues trying to renew LE Certificates. This started a few days ago (when due for renewal) and initially I did come to this forum for answers and found that one post suggested to update to the latest UTM version. I'm now up to 9.707-5 but still have the same issue. 

Patterns also up to date:

Current pattern version: 204063
Latest available pattern version: 204063

It appears to be related to being unable to find the TOS but all links it shows resolve fine. The certificates I have are used for UTM Management and WAF.

Looking at the logs I see the following after turning the service off and back on...

2021:10:10-09:15:14 utm letsencrypt[9881]: I Create account: creating new Let's Encrypt acccount
2021:10:10-09:15:15 utm letsencrypt[9881]: E Create account: Incorrect response code from ACME server: 500
2021:10:10-09:15:15 utm letsencrypt[9881]: E Create account: URL was: acme-v02.api.letsencrypt.org/directory
2021:10:10-09:15:15 utm letsencrypt[9881]: E Create account: TOS_UNAVAILABLE: Failed to retrieve the current Terms of Service URL
2021:10:10-09:15:15 utm letsencrypt[9881]: E Create account: failed to create account

Prior to that, an attempt at renewing:

2021:10:10-08:44:02 utm letsencrypt[1020]: E Renew certificate: Incorrect response code from ACME server: 500
2021:10:10-08:44:02 utm letsencrypt[1020]: E Renew certificate: URL was: acme-v02.api.letsencrypt.org/directory
2021:10:10-08:44:02 utm letsencrypt[1020]: I Renew certificate: handling CSR REF_CaCsrXXXXLetsEncry for domain set [DOMAINS]
2021:10:10-08:44:02 utm letsencrypt[1020]: E Renew certificate: TOS_UNAVAILABLE: Could not obtain the current version of the Let's Encrypt Terms of Service
2021:10:10-08:44:02 utm letsencrypt[1020]: I Renew certificate: sending notification WARN-603
2021:10:10-08:44:02 utm letsencrypt[1020]: [WARN-603] Let's Encrypt certificate renewal failed accessing Let's Encrypt service
2021:10:10-08:44:02 utm letsencrypt[1020]: I Renew certificate: execution failed

The UTM has been rebooted, no change. I've turned off Web protection, no change...

Any ideas appreciated.

Thanks!
  • Same error here. I can't enable Let's Encrypt anymore after disabling it. I don't have the ISRG X1-Root CA present under Webserver Protection → Certificate Management → Certificate Authority.

  • we need clear instructions how to solve this. I do hope we will get them soon.

  • There are 2 X1 CA certificates:

    Correct
    Fingerprint: CA:BD:2A:79:A1:07:6A:31:F2:1D:25:36:35:CB:03:9D:43:29:A5:E8

    Wrong
    Fingerprint: 93:3C:6D:DE:E9:5C:9C:41:A4:0F:9F:50:49:3D:82:BE:03:AD:87:BF

    Download correct X1: https://letsencrypt.org/certificates/ or https://letsencrypt.org/certs/isrgrootx1.pem

    Delete the 93:3C:... and add the CA:BD:.. manually under Certificate Management->Certificate Authority

    The wrong X1 will reappear after a renew of a LetsEncrypt certificate. So you might have to check again after at least 2 month.

  • Did that doesn't work. I don't have any external CAs listed under Certificate Management->Certificate Authority, so I downloaded the one you mentioned and imported it. Unfortunately I'm still unable to enable Let's Encrypt:

    2021:11:10-18:14:22 firewall letsencrypt[13087]: I Create account: creating new Let's Encrypt acccount
    2021:11:10-18:14:23 firewall letsencrypt[13087]: E Create account: Incorrect response code from ACME server: 500
    2021:11:10-18:14:23 firewall letsencrypt[13087]: E Create account: URL was: acme-v02.api.letsencrypt.org/directory
    2021:11:10-18:14:23 firewall letsencrypt[13087]: E Create account: TOS_UNAVAILABLE: Failed to retrieve the current Terms of Service URL
    2021:11:10-18:14:23 firewall letsencrypt[13087]: E Create account: failed to create account
  • > The wrong X1 will reappear after a renew of a LetsEncrypt certificate. So you might have to check again after at least 2 month.

    can you please elaborate that? Can Sophos give us official solution / patch for the issue?

    we have support case opened 04594640 

  • I'm waiting for a reply on this exact issue from support

  • I'm afraid i can´t help you without access to the UTM then.

    You might try your luck with sophos support then

  • I have the same Problem with same Version of UTM.

    On ssh i try this:

    wget https://acme-v02.api.letsencrypt.org/directory
    --2021-12-03 07:32:31--  https://acme-v02.api.letsencrypt.org/directory
    Resolving acme-v02.api.letsencrypt.org... 172.65.32.248, 2606:4700:60:0:f53d:5624:85c7:3a2c
    Connecting to acme-v02.api.letsencrypt.org|172.65.32.248|:443... connected.
    ERROR: cannot verify acme-v02.api.letsencrypt.org's certificate, issued by `/C=US/O=Let's Encrypt/CN=R3':
      unable to get issuer certificate
    To connect to acme-v02.api.letsencrypt.org insecurely, use `--no-check-certificate'.
    Unable to establish SSL connection.

    with parameter --no-check-certificate it is working.

    There are no X1 Cert available on my utm and also i trie to disable and enable Letsencrypt servie.

    Disable was no Problem and enable no luck:

    2021:12:03-07:18:02 fw-trzisp-02-1 letsencrypt[23893]: I Renew certificate: sending notification WARN-603
    2021:12:03-07:18:02 fw-trzisp-02-1 letsencrypt[23893]: [WARN-603] Let's Encrypt certificate renewal failed accessing Let's Encrypt service
    2021:12:03-07:18:02 fw-trzisp-02-1 letsencrypt[23893]: I Renew certificate: execution failed
    2021:12:03-07:25:02 fw-trzisp-02-1 letsencrypt[25004]: I CONFD: Account removed because Let's Encrypt was disabled by the user
    2021:12:03-07:25:03 fw-trzisp-02-2 letsencrypt[21796]: I CONFD: Account removed because Let's Encrypt was disabled by the user
    2021:12:03-07:25:48 fw-trzisp-02-1 letsencrypt[25102]: I Create account: creating new Let's Encrypt acccount
    2021:12:03-07:25:48 fw-trzisp-02-1 letsencrypt[25102]: E Create account: Incorrect response code from ACME server: 500
    2021:12:03-07:25:48 fw-trzisp-02-1 letsencrypt[25102]: E Create account: URL was: https://acme-v02.api.letsencrypt.org/directory
    2021:12:03-07:25:48 fw-trzisp-02-1 letsencrypt[25102]: E Create account: TOS_UNAVAILABLE: Failed to retrieve the current Terms of Service URL
    2021:12:03-07:25:48 fw-trzisp-02-1 letsencrypt[25102]: E Create account: failed to create account
    2021:12:03-07:31:19 fw-trzisp-02-1 letsencrypt[25990]: I Create account: creating new Let's Encrypt acccount
    2021:12:03-07:31:20 fw-trzisp-02-1 letsencrypt[25990]: E Create account: Incorrect response code from ACME server: 500
    2021:12:03-07:31:20 fw-trzisp-02-1 letsencrypt[25990]: E Create account: URL was: https://acme-v02.api.letsencrypt.org/directory
    2021:12:03-07:31:20 fw-trzisp-02-1 letsencrypt[25990]: E Create account: TOS_UNAVAILABLE: Failed to retrieve the current Terms of Service URL
    2021:12:03-07:31:20 fw-trzisp-02-1 letsencrypt[25990]: E Create account: failed to create account 

    So how can I solve the problem?

  • Thank you Henrik for your replay.

    That one has not solved my problem, still can't get activationg or download via wget from the site for testing.
    Country blocking are off and i don't now whats happend.

    greetings!