Latest UTM and Let's Encrypt Failures

Exrace 2 days ago

Having issues recently with renewing LE certificates.
For some time, I had a _acme-challenge. TXT record in my UTM firewall domain name.
I don't recall how I got the token, but LE was working fine until this year. Possibly the April changes broke validation using this token as the notes talk about requiring a way to automate adding a challenge record to DNS.

What are others doing to fix this?

Need see if there is a way to create this token at Lets' Encrypt.

The LE log is a bit useless for this:
2024:07:04-00:46:02 xxx letsencrypt[31867]: I Renew certificate: execution failed
2024:07:04-08:47:01 xxx letsencrypt[13531]: E Renew certificate: Incorrect response code from ACME server: 500
2024:07:04-08:47:01 xxx letsencrypt[13531]: E Renew certificate: URL was: acme-v02.api.letsencrypt.org/directory
2024:07:04-08:47:01 xxx letsencrypt[13531]: I Renew certificate: handling CSR REF_CaCsrYellowExt12 for domain set [xxx.domain.com]
2024:07:04-08:47:01 xxx letsencrypt[13531]: E Renew certificate: TOS_UNAVAILABLE: Could not obtain the current version of the Let's Encrypt Terms of Service

0 Vivek Jagad 2 days ago

Hi Exrace ,

Thank you for reaching out the community, Refer the following thread Sophos UTM 9.707-5 - Let’s Encrypt failed: Failed to retrieve the current Terms of Service link

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Global Support & Services

Log a Support Case | Sophos Service Guide
Best Practices – Support Case

Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Exrace 2 days ago in reply to Vivek Jagad

That doesn't look to resolve the issue for me.
I tried removing the X1 cert and reuploading the cert but have same issue.
I also tried the step disabling the LE service and reenable and now we have the "E Create account: failed to create account" message. I don't have shell access to this server right now so I can't test the wget to see if there is another issue with certs.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Exrace 2 days ago in reply to Exrace

I got shell access via portal and this is a cert issue.
wget acme-v02.api.letsencrypt.org/directory
--2024-07-04 23:23:25-- acme-v02.api.letsencrypt.org/directory
Resolving acme-v02.api.letsencrypt.org... 172.65.32.248
Connecting to acme-v02.api.letsencrypt.org|172.65.32.248|:443... connected.
ERROR: cannot verify acme-v02.api.letsencrypt.org's certificate, issued by `/C=US/O=Let's Encrypt/CN=R11':
unable to get issuer certificate
To connect to acme-v02.api.letsencrypt.org insecurely, use `--no-check-certificate'.
Unable to establish SSL connection.

Looking now to see if we are missing this certificate.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Exrace 2 days ago in reply to Exrace

I wonder if this server has a corrupted cert store.
I tried adding the R11 CA and it made no difference.
Odd is I have another server I copied this current servers config from by importing and the source server has no issues.
Curl shows similar errors when run with the -vvvv -I -L -k parameters.
What is the best way to force UTM to refresh the certs required for LE?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel