Let's Encrypt certificate renewal fails

I have a problem where one of our Let's Encrypt Certificates won't renew.

This certificate is used for a virtual web server with our Exchange server (OWA, activesync, etc.) as the real web server. Another certificate, used for the UTM user and admin portal, renews just fine.

Log excerpt:

2024:07:09-02:47:22 firewall-1 letsencrypt[5129]: I Renew certificate: command completed with exit code 256
2024:07:09-02:47:22 firewall-1 letsencrypt[5129]: E Renew certificate: COMMAND_FAILED: ERROR: Challenge is invalid! (returned: invalid) (result: ["type"]    "http-01"
2024:07:09-02:47:22 firewall-1 letsencrypt[5129]: E Renew certificate: COMMAND_FAILED: ["url"]    "https://acme-v02.api.letsencrypt.org/acme/chall-v3/374511863967/j7_Q-g"
2024:07:09-02:47:22 firewall-1 letsencrypt[5129]: E Renew certificate: COMMAND_FAILED: ["status"]    "invalid"
2024:07:09-02:47:22 firewall-1 letsencrypt[5129]: E Renew certificate: COMMAND_FAILED: ["validated"]    "2024-07-09T00:47:10Z"
2024:07:09-02:47:22 firewall-1 letsencrypt[5129]: E Renew certificate: COMMAND_FAILED: ["error","type"]    "urn:ietf:params:acme:error:connection"
2024:07:09-02:47:22 firewall-1 letsencrypt[5129]: E Renew certificate: COMMAND_FAILED: ["error","detail"]    "[public-ip]: Fetching http://owa.domain.com/.well-known/acme-challenge/UIO86Hjigfew7089034YOPUjyyoRv2-KoRrQlbYvdmxvM: Timeout during connect (likely firewall problem)"

UTM Version: 9.719-3

Things that have fixed similar issues before or that were mentioned in other threads that I tried:

  • Disabled country blocking for the time being.
  • We don't have D-NAT Rules configured.
  • Changed the Virtual Webserver Type from 'Encrypted (HTTPS) & Redirect' to just 'Encrypted (HTTPS)'.
  • Disabled and re-enabled Let's Encrypt certificates and checked the validity of the LE CAs listed under 'Webserver Protection > Certificate Management > CA'.
  • Waited for days (8) for the issue to resolve itself (seems to have worked for some people).

None of which worked for this certificate and I'm more or less out of ideas.

The log kindly points out "(...)Timeout during connect (likely firewall problem)" - but I'm unsure how to further diagnose this.

I've attached an image of the virtual web server the cert is used for as well as the full Let's Encrypt log (anonymized) for the failed renewal process.

Thank you for your help.

/cfs-file/__key/communityserver-discussions-components-files/51/LE_5F00_error.txt

  • AFAIK Let's Encrypt needs HTTP to place the challenge file on your webserver to prove your domain settings. Best would be a temporary DNAT-rule for this.

    There is no HTTPS used for this.

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner


  • Okay, the problem turned out to be the selected Interface of the certificate. I didn't realize certs were bound to an interface until I saw the working certs showed the WAN interface directly, while the failing cert showed an interface (Additional Address) defined under 'Interfaces & Routing > Interfaces > Additional Addresses'.

    We recently had some issues with our WAN interface not obtaining an IP address and made some changes there.

    Requesting a new LE certificate with our domain and the "correct" interface worked.
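The thread leaves two things for the reader to check by hand: whether the CA can actually reach the challenge URL on port 80 (the "Timeout during connect" the OP asked how to diagnose), and whether the name resolves to the address the certificate is bound to (the interface mismatch that turned out to be the cause). The following is an added example, not code from the thread or from Sophos UTM. It probes an http-01 setup the way the CA's validation server does: resolve the name, compare the address with the one you expect the web server to be listening on, open a TCP connection to port 80, then GET `/.well-known/acme-challenge/<token>` and compare the body with the key authorization. To run offline it starts its own stand-in challenge server on 127.0.0.1; the hostname, port, token and key authorization in the demo are constructed values.

```python
"""Offline check of the prerequisites for an ACME http-01 challenge (added example)."""
import http.server
import socket
import threading
import urllib.error
import urllib.request

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def resolve(name):
    """IPv4 address the name resolves to: the address the CA will connect to."""
    return socket.gethostbyname(name)


def tcp_connect(host, port, timeout=3.0):
    """Classify a plain TCP connect the way the CA's validation server would see it."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "timeout"      # what Let's Encrypt reports as 'Timeout during connect (likely firewall problem)'
    except ConnectionRefusedError:
        return "refused"      # host reachable, but nothing listening on that port
    except OSError:
        return "unreachable"  # no route / network down


def fetch_token(host, port, token, timeout=3.0):
    """GET the challenge URL over plain HTTP and return the body, or None on any failure."""
    url = f"http://{host}:{port}{CHALLENGE_PREFIX}{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode()
    except (urllib.error.URLError, OSError):
        return None


def check_http01(name, expected_ip, port, token, key_auth):
    """Run the three checks and return the findings as a dict."""
    ip = resolve(name)
    findings = {"resolved_ip": ip, "ip_matches_interface": ip == expected_ip}
    findings["tcp"] = tcp_connect(ip, port)
    body = fetch_token(ip, port, token) if findings["tcp"] == "open" else None
    findings["token_served"] = body is not None and body.strip() == key_auth
    return findings


class _ChallengeHandler(http.server.BaseHTTPRequestHandler):
    """Minimal stand-in for a web server answering http-01 challenges (constructed for the demo)."""
    tokens = {}

    def do_GET(self):
        key_auth = None
        if self.path.startswith(CHALLENGE_PREFIX):
            key_auth = self.tokens.get(self.path[len(CHALLENGE_PREFIX):])
        if key_auth is None:
            self.send_response(404)
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(key_auth.encode())

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_challenge_server(token, key_auth):
    """Serve one token on a free 127.0.0.1 port; caller shuts it down."""
    _ChallengeHandler.tokens = {token: key_auth}
    srv = http.server.HTTPServer(("127.0.0.1", 0), _ChallengeHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    # Constructed demo values; a real run would use the public name, the WAN
    # address the virtual web server is bound to, port 80 and the CA's token.
    token, key_auth = "UIO86Hjigfew7089034YOPUj", "UIO86Hjigfew7089034YOPUj.demo-key-auth"
    srv = start_challenge_server(token, key_auth)
    port = srv.server_address[1]
    print("expected interface:", check_http01("localhost", "127.0.0.1", port, token, key_auth))
    print("wrong interface:   ", check_http01("localhost", "203.0.113.5", port, token, key_auth))
    srv.shutdown()
    srv.server_close()
    print("after shutdown, port", port, "is", tcp_connect("127.0.0.1", port))
```

Read the findings in order: `ip_matches_interface` false means DNS points at an address other than the one the certificate (and its virtual web server) is bound to; `tcp` equal to `timeout` means a filter is dropping port 80 before it reaches the listener; `token_served` false with an open port means the request reaches a web server but not the one holding the challenge file.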