Hi all,
Sorry for the long post, but this is tricky to describe to ensure clarity and completeness.
I turned on Let's Encrypt Certificate support on my SG230 and then created a new Let's Encrypt certificate request. The request from the SG230 fails with the message ...
"An error occurred while communicating with the Let’s Encrypt server. Automatic renewals will be tried again during the next renewal attempt. Manual renewal can be attempted again at any time."
I'm running a number of websites on the server (around 10) and so use the Virtual Webserver functionality of the SG230 and direct requests to the appropriate website accordingly. I have "Pass Host Header" checked in all cases. The webserver is IIS. Prior to activating Let's Encrypt support on the SG230, everything worked just fine (and in fact still does, other than the Let's Encrypt requests originating from the SG230 failing).
Over on IIS, I installed and ran "win-acme" and it seemed to work perfectly. It created a new certificate request, validated and installed on IIS. In fact, my sites now have SSL up and running using the certs created and installed by win-acme.
So what's the problem, you ask? The error messages on the SG230 when it is trying to create the certs.
Why am I trying to get the SG230 to create the certs as well, you ask? That's because I need to create a Virtual Webserver of the type HTTPS (of course), which requires a certificate which includes the domain in question. Even though the Let's Encrypt validation fails on the SG230, the Virtual Webserver is created and traffic passes to the correct website on 443. Sort of a Catch-22 maybe?
I could leave it this way, but having the SG230 poll Let's Encrypt every 24 hours and failing is not really best practice.
Following is the log from the SG230 with domain name and IP changed from the real name and IP. The answer is probably in the first 4 lines, but I don't know what exit code 256 represents, and I suspect the reference to "/.well-known/" could be because the SG230 is unable to create/write to that directory.
Thanks for any suggestions.
=====================================
2021:05:13-08:03:02 remote letsencrypt[17889]: I Renew certificate: handling CSR REF_CaCsrLetsEncryWwwau for domain set [www.example.com]
2021:05:13-08:03:02 remote letsencrypt[17889]: I Renew certificate: running command: /var/storage/chroot-reverseproxy/usr/dehydrated/bin/dehydrated -x -f /var/storage/chroot-reverseproxy/usr/dehydrated/conf/config -c --accept-terms --domain www.example.com
2021:05:13-08:03:16 remote letsencrypt[17889]: I Renew certificate: command completed with exit code 256
2021:05:13-08:03:16 remote letsencrypt[17889]: E Renew certificate: COMMAND_FAILED: ERROR: Challenge is invalid! (returned: invalid) (result: {
2021:05:13-08:03:16 remote letsencrypt[17889]: E Renew certificate: COMMAND_FAILED: "type": "http-01",
2021:05:13-08:03:16 remote letsencrypt[17889]: E Renew certificate: COMMAND_FAILED: "status": "invalid",
2021:05:13-08:03:16 remote letsencrypt[17889]: E Renew certificate: COMMAND_FAILED: "error": {
2021:05:13-08:03:16 remote letsencrypt[17889]: E Renew certificate: COMMAND_FAILED: "type": "urn:ietf:params:acme:error:unauthorized",
2021:05:13-08:03:16 remote letsencrypt[17889]: E Renew certificate: COMMAND_FAILED: "detail": "Invalid response from www.example.com/.../PKfLUYv_UI3mNo2ywxnJ6hcfEqS2yVOcAlsIQG-vM6A [123.123.123.123]: \"\u003c!DOCTYPE html PUBLIC \\\"-//W3C//DTD XHTML 1.0 Strict//EN\\\" \\\"www.w3.org/.../xhtml1-strict.dtd\\\"\u003e\\r\\n\u003chtml xmlns=\\\"http\"",
2021:05:13-08:03:16 remote letsencrypt[17889]: E Renew certificate: COMMAND_FAILED: "status": 403
2021:05:13-08:03:16 remote letsencrypt[17889]: E Renew certificate: COMMAND_FAILED: },
2021:05:13-08:03:16 remote letsencrypt[17889]: E Renew certificate: COMMAND_FAILED: "url": "acme-v02.api.letsencrypt.org/.../61ZNcw",
2021:05:13-08:03:16 remote letsencrypt[17889]: E Renew certificate: COMMAND_FAILED: "token": "PKfLUYv_UI3mNo2ywxnJ6hcfEqS2yVOcAlsIQG-vM6A",
2021:05:13-08:03:16 remote letsencrypt[17889]: E Renew certificate: COMMAND_FAILED: "validationRecord": [
2021:05:13-08:03:16 remote letsencrypt[17889]: E Renew certificate: COMMAND_FAILED: {
2021:05:13-08:03:16 remote letsencrypt[17889]: E Renew certificate: COMMAND_FAILED: "url": "www.example.com/.../PKfLUYv_UI3mNo2ywxnJ6hcfEqS2yVOcAlsIQG-vM6A",
2021:05:13-08:03:16 remote letsencrypt[17889]: E Renew certificate: COMMAND_FAILED: "hostname": "www.example.com",
2021:05:13-08:03:16 remote letsencrypt[17889]: E Renew certificate: COMMAND_FAILED: "port": "80",
2021:05:13-08:03:16 remote letsencrypt[17889]: E Renew certificate: COMMAND_FAILED: "addressesResolved": [
2021:05:13-08:03:16 remote letsencrypt[17889]: E Renew certificate: COMMAND_FAILED: "123.123.123.123"
2021:05:13-08:03:16 remote letsencrypt[17889]: E Renew certificate: COMMAND_FAILED: ],
2021:05:13-08:03:16 remote letsencrypt[17889]: E Renew certificate: COMMAND_FAILED: "addressUsed": "123.123.123.123"
2021:05:13-08:03:16 remote letsencrypt[17889]: E Renew certificate: COMMAND_FAILED: },
2021:05:13-08:03:16 remote letsencrypt[17889]: E Renew certificate: COMMAND_FAILED: {
2021:05:13-08:03:16 remote letsencrypt[17889]: E Renew certificate: COMMAND_FAILED: "url": "www.example.com/.../PKfLUYv_UI3mNo2ywxnJ6hcfEqS2yVOcAlsIQG-vM6A",
2021:05:13-08:03:16 remote letsencrypt[17889]: E Renew certificate: COMMAND_FAILED: "hostname": "www.example.com",
2021:05:13-08:03:16 remote letsencrypt[17889]: E Renew certificate: COMMAND_FAILED: "port": "443",
2021:05:13-08:03:16 remote letsencrypt[17889]: E Renew certificate: COMMAND_FAILED: "addressesResolved": [
2021:05:13-08:03:16 remote letsencrypt[17889]: E Renew certificate: COMMAND_FAILED: "123.123.123.123"
2021:05:13-08:03:16 remote letsencrypt[17889]: E Renew certificate: COMMAND_FAILED: ],
2021:05:13-08:03:16 remote letsencrypt[17889]: E Renew certificate: COMMAND_FAILED: "addressUsed": "123.123.123.123"
2021:05:13-08:03:16 remote letsencrypt[17889]: E Renew certificate: COMMAND_FAILED: }
2021:05:13-08:03:16 remote letsencrypt[17889]: E Renew certificate: COMMAND_FAILED: ],
2021:05:13-08:03:16 remote letsencrypt[17889]: E Renew certificate: COMMAND_FAILED: "validated": "2021-05-12T22:03:13Z"
2021:05:13-08:03:16 remote letsencrypt[17889]: E Renew certificate: COMMAND_FAILED: })
2021:05:13-08:03:16 remote letsencrypt[17889]: I Renew certificate: sending notification WARN-603
2021:05:13-08:03:16 remote letsencrypt[17889]: [WARN-603] Let's Encrypt certificate renewal failed accessing Let's Encrypt service
2021:05:13-08:03:16 remote letsencrypt[17889]: I Renew certificate: execution completed (CSRs renewed: 0, failed: 1)
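The log above is dehydrated's http-01 failure record split across syslog lines. The following is an added diagnostic example, not from the post or from Sophos: it reassembles that JSON from a constructed log sample in the same shape and reads off what the CA actually fetched, so that an HTML body in the "detail" field (meaning the backend web server answered the /.well-known/acme-challenge/ request, not the firewall's ACME responder) is distinguished from other failures. The log sample, the function names and the record layout are assumptions made here.

```python
import json
import re

# Constructed sample in the shape of the SG230 log above: syslog prefix,
# "COMMAND_FAILED:", then one fragment of dehydrated's challenge JSON per line.
P = "2021:05:13-08:03:16 remote letsencrypt[17889]: E Renew certificate: COMMAND_FAILED: "
SAMPLE_LOG = "\n".join(P + f for f in [
    "ERROR: Challenge is invalid! (returned: invalid) (result: {",
    '"type": "http-01",',
    '"status": "invalid",',
    '"error": {',
    '"type": "urn:ietf:params:acme:error:unauthorized",',
    '"detail": "Invalid response from http://www.example.com/.well-known/acme-challenge/'
    'PKfLUYv_UI3mNo2ywxnJ6hcfEqS2yVOcAlsIQG-vM6A [123.123.123.123]: \\"\\u003c!DOCTYPE html PUBLIC\\"",',
    '"status": 403',
    "},",
    '"token": "PKfLUYv_UI3mNo2ywxnJ6hcfEqS2yVOcAlsIQG-vM6A",',
    '"validationRecord": [{"hostname": "www.example.com", "port": "80", "addressUsed": "123.123.123.123"}]',
    "})",
])

PREFIX = re.compile(r"^.*?COMMAND_FAILED: ")
HTML_START = re.compile(r"^\s*(<!doctype|<html)", re.I)

def extract_challenge(log_text):
    """Strip the syslog prefixes and rebuild the JSON object dehydrated printed."""
    frags = [PREFIX.sub("", ln) for ln in log_text.splitlines() if PREFIX.match(ln)]
    body = "\n".join(frags)
    start = body.index("(result: ") + len("(result: ")
    return json.loads(body[start:body.rindex(")")])  # drop the ')' closing "(result:"

def diagnose(challenge):
    """Classify the failure from the CA's own record of what it fetched."""
    err = challenge.get("error", {})
    detail = err.get("detail", "")
    # The CA quotes the start of the body it received after "[ip]: "
    body = detail.split("]: ", 1)[-1].strip('"') if "]: " in detail else ""
    rec = (challenge.get("validationRecord") or [{}])[-1]  # final hop the CA fetched
    if HTML_START.match(body):
        cause = ("HTML page served instead of the key authorization: the request for "
                 "/.well-known/acme-challenge/ reached the backend web server, not the ACME responder")
    else:
        cause = "unexpected or empty response body"
    return {
        "challenge": challenge.get("type"),
        "acme_error": err.get("type", "").rsplit(":", 1)[-1],
        "http_status": err.get("status"),
        "validated_via": f'{rec.get("hostname")}:{rec.get("port")} -> {rec.get("addressUsed")}',
        "token": challenge.get("token"),
        "cause": cause,
    }
```

Running `diagnose(extract_challenge(SAMPLE_LOG))` on the sample reports the http-01 challenge, the unauthorized/403 error, the host, port and address the CA used, and the HTML-instead-of-token cause; the same functions can be pointed at the real log text once it is pasted in.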