I have a problem where one of our Let's Encrypt Certificates won't renew.
This certificate is used for a virtual web server with our Exchange server (OWA, activesync, etc.) as the real web server. Another certificate, used for the UTM user and admin portal, renews just fine.
Log excerpt:
2024:07:09-02:47:22 firewall-1 letsencrypt[5129]: I Renew certificate: command completed with exit code 256
2024:07:09-02:47:22 firewall-1 letsencrypt[5129]: E Renew certificate: COMMAND_FAILED: ERROR: Challenge is invalid! (returned: invalid) (result: ["type"] "http-01"
2024:07:09-02:47:22 firewall-1 letsencrypt[5129]: E Renew certificate: COMMAND_FAILED: ["url"] "https://acme-v02.api.letsencrypt.org/acme/chall-v3/374511863967/j7_Q-g"
2024:07:09-02:47:22 firewall-1 letsencrypt[5129]: E Renew certificate: COMMAND_FAILED: ["status"] "invalid"
2024:07:09-02:47:22 firewall-1 letsencrypt[5129]: E Renew certificate: COMMAND_FAILED: ["validated"] "2024-07-09T00:47:10Z"
2024:07:09-02:47:22 firewall-1 letsencrypt[5129]: E Renew certificate: COMMAND_FAILED: ["error","type"] "urn:ietf:params:acme:error:connection"
2024:07:09-02:47:22 firewall-1 letsencrypt[5129]: E Renew certificate: COMMAND_FAILED: ["error","detail"] "[public-ip]: Fetching http://owa.domain.com/.well-known/acme-challenge/UIO86Hjigfew7089034YOPUjyyoRv2-KoRrQlbYvdmxvM: Timeout during connect (likely firewall problem)"
UTM Version: 9.719-3
Things that have fixed similar issues before or that were mentioned in other threads that I tried:
- Disabled country blocking for the time being.
- We don't have D-NAT Rules configured.
- Changed the Virtual Webserver Type from 'Encrypted (HTTPS) & Redirect' to just 'Encrypted (HTTPS)'.
- Disabled and re-enabled Let's Encrypt certificates and checked the validity of the LE CAs listed under 'Webserver Protection > Certificate Management > CA'.
- Waited for days (8) for the issue to resolve itself (seems to have worked for some people).
None of which worked for this certificate and I'm more or less out of ideas.
The log kindly points out "(...)Timeout during connect (likely firewall problem)" - but I'm unsure how to further diagnose this.
I've attached an image of the virtual web server the cert is used for as well as the full Let's Encrypt log (anonymized) for the failed renewal process.
Thank you for your help.
/cfs-file/__key/communityserver-discussions-components-files/51/LE_5F00_error.txt
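As an added diagnostic example (not from the post and not Sophos code), the script below parses UTM-style `letsencrypt` log lines of the shape shown above back into the ACME challenge object and maps the error type to the next check to run; the sample log, hostname, IP and challenge id in it are constructed placeholders.

```python
import re
from typing import Any, Dict

# Constructed sample in the shape of the UTM 'letsencrypt' log from the post; the
# host, token, IP and challenge id are placeholders, not the poster's values.
SAMPLE_LOG = """\
2024:07:09-02:47:22 firewall-1 letsencrypt[5129]: I Renew certificate: command completed with exit code 256
2024:07:09-02:47:22 firewall-1 letsencrypt[5129]: E Renew certificate: COMMAND_FAILED: ERROR: Challenge is invalid! (returned: invalid) (result: ["type"] "http-01"
2024:07:09-02:47:22 firewall-1 letsencrypt[5129]: E Renew certificate: COMMAND_FAILED: ["url"] "https://acme-v02.api.letsencrypt.org/acme/chall-v3/000000/example"
2024:07:09-02:47:22 firewall-1 letsencrypt[5129]: E Renew certificate: COMMAND_FAILED: ["status"] "invalid"
2024:07:09-02:47:22 firewall-1 letsencrypt[5129]: E Renew certificate: COMMAND_FAILED: ["error","type"] "urn:ietf:params:acme:error:connection"
2024:07:09-02:47:22 firewall-1 letsencrypt[5129]: E Renew certificate: COMMAND_FAILED: ["error","detail"] "[203.0.113.10]: Fetching http://owa.example.com/.well-known/acme-challenge/TOKEN: Timeout during connect (likely firewall problem)"
"""

# Each COMMAND_FAILED line carries a JSON-pointer-like key path and a quoted value,
# e.g.  ["error","detail"] "..."; the first one is wrapped in an ERROR: prefix.
KV_RE = re.compile(r'COMMAND_FAILED: (?:ERROR: .*?\(result: )?(\[[^\]]*\]) "(.*)"$')

def parse_challenge(log_text: str) -> Dict[str, Any]:
    """Rebuild the ACME challenge object the UTM flattened into key-path lines."""
    challenge: Dict[str, Any] = {}
    for line in log_text.splitlines():
        m = KV_RE.search(line)
        if not m:
            continue  # informational lines carry no key/value pair
        keys = re.findall(r'"([^"]*)"', m.group(1))
        node = challenge
        for k in keys[:-1]:  # descend/create nested dicts for ["error","detail"]
            node = node.setdefault(k, {})
        node[keys[-1]] = m.group(2)
    return challenge

def diagnose(challenge: Dict[str, Any]) -> str:
    """Map the ACME error to the next check an administrator should run."""
    err = challenge.get("error", {})
    etype, detail = err.get("type", ""), err.get("detail", "")
    host = re.search(r"Fetching http://([^/]+)/", detail)
    name = host.group(1) if host else "<host>"
    if challenge.get("type") == "http-01" and etype.endswith(":connection"):
        if "Timeout during connect" in detail:
            # Let's Encrypt validates http-01 over plain TCP/80 from its own servers:
            # a timeout means no listener or a filter in front of it, not a bad token.
            return (f"no answer on port 80 for {name} from the Internet: confirm the "
                    "public IP accepts inbound TCP/80 for that name and that "
                    "nothing upstream of the UTM drops it")
        return f"port 80 on {name} answered but refused/reset: check the listener"
    if etype.endswith(":unauthorized"):
        return f"port 80 on {name} reachable but the token did not match: wrong backend?"
    return f"unhandled ACME error type: {etype or 'none'}"
```

Run it against a real UTM log excerpt with `diagnose(parse_challenge(open("LE_error.txt").read()))`; the `detail` field also names the public IP Let's Encrypt resolved, which is the address to test port 80 against from outside.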