
Let's Encrypt certificate renewal fails

I have a problem where one of our Let's Encrypt Certificates won't renew.

This certificate is used for a virtual web server with our Exchange server (OWA, activesync, etc.) as the real web server. Another certificate, used for the UTM user and admin portal, renews just fine.

Log excerpt:

2024:07:09-02:47:22 firewall-1 letsencrypt[5129]: I Renew certificate: command completed with exit code 256
2024:07:09-02:47:22 firewall-1 letsencrypt[5129]: E Renew certificate: COMMAND_FAILED: ERROR: Challenge is invalid! (returned: invalid) (result: ["type"]    "http-01"
2024:07:09-02:47:22 firewall-1 letsencrypt[5129]: E Renew certificate: COMMAND_FAILED: ["url"]    "https://acme-v02.api.letsencrypt.org/acme/chall-v3/374511863967/j7_Q-g"
2024:07:09-02:47:22 firewall-1 letsencrypt[5129]: E Renew certificate: COMMAND_FAILED: ["status"]    "invalid"
2024:07:09-02:47:22 firewall-1 letsencrypt[5129]: E Renew certificate: COMMAND_FAILED: ["validated"]    "2024-07-09T00:47:10Z"
2024:07:09-02:47:22 firewall-1 letsencrypt[5129]: E Renew certificate: COMMAND_FAILED: ["error","type"]    "urn:ietf:params:acme:error:connection"
2024:07:09-02:47:22 firewall-1 letsencrypt[5129]: E Renew certificate: COMMAND_FAILED: ["error","detail"]    "[public-ip]: Fetching http://owa.domain.com/.well-known/acme-challenge/UIO86Hjigfew7089034YOPUjyyoRv2-KoRrQlbYvdmxvM: Timeout during connect (likely firewall problem)"

UTM Version: 9.719-3

Things that have fixed similar issues before or that were mentioned in other threads that I tried:

  • Disabled country blocking for the time being.
  • We don't have D-NAT Rules configured.
  • Changed the Virtual Webserver Type from 'Encrypted (HTTPS) & Redirect' to just 'Encrypted (HTTPS)'.
  • Disabled and re-enabled Let's Encrypt certificates and checked the validity of the LE CAs listed under 'Webserver Protection > Certificate Management > CA'.
  • Waited for days (8) for the issue to resolve itself (seems to have worked for some people).

None of which worked for this certificate and I'm more or less out of ideas.

The log kindly points out "(...)Timeout during connect (likely firewall problem)" - but I'm unsure how to further diagnose this.

I've attached an image of the virtual web server the cert is used for as well as the full Let's Encrypt log (anonymized) for the failed renewal process.

Thank you for your help.

/cfs-file/__key/communityserver-discussions-components-files/51/LE_5F00_error.txt
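The log already tells you where the validator gave up ("Timeout during connect"), but the UTM prints the ACME challenge object one field per line, which makes it easy to misread. Below is an added example (my own code, not from the poster or from Sophos) that parses the log excerpt quoted above, pulls out the challenge type, the ACME error type and the exact URL the validator tried to fetch, maps the error type to the thing to check on the firewall, and offers a TCP/80 probe against the hostname so you can reproduce the validator's first step yourself. Assumptions: the `["key"]    "value"` layout is taken from the lines in this post and is assumed to hold for the rest of the UTM log; the `HINTS` table, the function names and the sample log (copied from the post, already anonymized by the poster) are mine.

```python
"""Diagnose a failed http-01 renewal from the Sophos UTM letsencrypt log.
Added example for the thread above; not code from the poster or from Sophos."""
import re
import socket
from urllib.parse import urlparse

# Log lines copied from the post above (token, challenge id and IP are the
# poster's placeholders); used here as embedded sample input.
SAMPLE_LOG = """\
2024:07:09-02:47:22 firewall-1 letsencrypt[5129]: I Renew certificate: command completed with exit code 256
2024:07:09-02:47:22 firewall-1 letsencrypt[5129]: E Renew certificate: COMMAND_FAILED: ERROR: Challenge is invalid! (returned: invalid) (result: ["type"]    "http-01"
2024:07:09-02:47:22 firewall-1 letsencrypt[5129]: E Renew certificate: COMMAND_FAILED: ["url"]    "https://acme-v02.api.letsencrypt.org/acme/chall-v3/374511863967/j7_Q-g"
2024:07:09-02:47:22 firewall-1 letsencrypt[5129]: E Renew certificate: COMMAND_FAILED: ["status"]    "invalid"
2024:07:09-02:47:22 firewall-1 letsencrypt[5129]: E Renew certificate: COMMAND_FAILED: ["validated"]    "2024-07-09T00:47:10Z"
2024:07:09-02:47:22 firewall-1 letsencrypt[5129]: E Renew certificate: COMMAND_FAILED: ["error","type"]    "urn:ietf:params:acme:error:connection"
2024:07:09-02:47:22 firewall-1 letsencrypt[5129]: E Renew certificate: COMMAND_FAILED: ["error","detail"]    "[public-ip]: Fetching http://owa.domain.com/.well-known/acme-challenge/UIO86Hjigfew7089034YOPUjyyoRv2-KoRrQlbYvdmxvM: Timeout during connect (likely firewall problem)"
"""

# One challenge field per log line:  ["error","detail"]    "value"
# (format assumed from the lines above).
FIELD_RE = re.compile(r'\[((?:"[^"]*",?)+)\]\s+"(.*)"\s*$')
# The URL the validator tried, as written in error.detail.
FETCH_RE = re.compile(r'Fetching (\S+):')

# ACME error types (RFC 8555 section 6.7) that show up on failed http-01
# challenges, mapped to what to check in front of the web server. My mapping.
HINTS = {
    "urn:ietf:params:acme:error:connection":
        "validator could not open TCP/80 to the validated IP: check inbound "
        "port 80 (firewall rule, DNAT, geo-blocking, upstream provider)",
    "urn:ietf:params:acme:error:unauthorized":
        "TCP/80 answered but the token did not match: another site, vhost or "
        "redirect answered for this hostname",
    "urn:ietf:params:acme:error:dns":
        "hostname did not resolve, or its A/AAAA record points elsewhere",
}


def parse_challenge(log_text):
    """Return the challenge fields as a flat dict, e.g. {"error.type": ...}."""
    fields = {}
    for line in log_text.splitlines():
        m = FIELD_RE.search(line)
        if m:
            key = ".".join(k.strip('"') for k in m.group(1).split(","))
            fields[key] = m.group(2)
    return fields


def diagnose(log_text):
    """Summarise the failed challenge and say what to check next."""
    fields = parse_challenge(log_text)
    m = FETCH_RE.search(fields.get("error.detail", ""))
    url = m.group(1) if m else None
    return {
        "challenge": fields.get("type"),
        "status": fields.get("status"),
        "error_type": fields.get("error.type"),
        "url": url,
        "host": urlparse(url).hostname if url else None,
        "hint": HINTS.get(fields.get("error.type"), "see error.detail"),
    }


def probe_port80(host, timeout=10.0):
    """Repeat the validator's first step: a plain TCP connect to port 80.
    Run this from OUTSIDE your network; NAT reflection from the LAN proves nothing."""
    try:
        with socket.create_connection((host, 80), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    result = diagnose(SAMPLE_LOG)
    for key, value in result.items():
        print(f"{key:10} {value}")
    if result["host"] and (result["error_type"] or "").endswith(":connection"):
        print("port 80 reachable:", probe_port80(result["host"]))
```

Two caveats when using the probe: the http-01 challenge is always started over port 80, so even a virtual web server that only serves HTTPS must accept the connection on 80 (a redirect to HTTPS is then followed); and Let's Encrypt validates from several vantage points, so a successful connect from one outside host rules out a closed port but not, for example, a geo-block that only affects some of them.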



  • AFAIK let's encrypt needs HTTP to place the challenge file on your webserver to prove your domain settings. Best would be a temporary DNAT-rule for this.

    There is no HTTPS used for this.

    Kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.
