This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Latest UTM and Let's Encrypt Failures

Having issues recently with renewing LE certificates.
For some time, I had a _acme-challenge. TXT record in my UTM firewall domain name.
I don't recall how I got the token, but LE was working fine until this year. Possibly the April changes broke validation using this token as the notes talk about requiring a way to automate adding a challenge record to DNS.

What are others doing to fix this?

Need see if there is a way to create this token at Lets' Encrypt.

The LE log is a bit useless for this:
2024:07:04-00:46:02 xxx letsencrypt[31867]: I Renew certificate: execution failed
2024:07:04-08:47:01 xxx letsencrypt[13531]: E Renew certificate: Incorrect response code from ACME server: 500
2024:07:04-08:47:01 xxx letsencrypt[13531]: E Renew certificate: URL was: acme-v02.api.letsencrypt.org/directory
2024:07:04-08:47:01 xxx letsencrypt[13531]: I Renew certificate: handling CSR REF_CaCsrYellowExt12 for domain set [xxx.domain.com]
2024:07:04-08:47:01 xxx letsencrypt[13531]: E Renew certificate: TOS_UNAVAILABLE: Could not obtain the current version of the Let's Encrypt Terms of Service



This thread was automatically locked due to age.
Parents Reply Children
  • That doesn't look to resolve the issue for me.
    I tried removing the X1 cert and reuploading the cert but have same issue. 
    I also tried the step disabling the LE service and reenable and now we have the "E Create account: failed to create account" message. I don't have shell access to this server right now so I can't test the wget to see if there is another issue with certs.

  • I got shell access via portal and this is a cert issue. 
    wget acme-v02.api.letsencrypt.org/directory
    --2024-07-04 23:23:25-- acme-v02.api.letsencrypt.org/directory
    Resolving acme-v02.api.letsencrypt.org... 172.65.32.248
    Connecting to acme-v02.api.letsencrypt.org|172.65.32.248|:443... connected.
    ERROR: cannot verify acme-v02.api.letsencrypt.org's certificate, issued by `/C=US/O=Let's Encrypt/CN=R11':
    unable to get issuer certificate
    To connect to acme-v02.api.letsencrypt.org insecurely, use `--no-check-certificate'.
    Unable to establish SSL connection.

    Looking now to see if we are missing this certificate.


  • I wonder if this server has a corrupted cert store.
    I tried adding the R11 CA and it made no difference.
    Odd is I have another server I copied this current servers config from by importing and the source server has no issues.
    Curl shows similar errors when run with the -vvvv -I -L -k parameters.
    What is the best way to force UTM to refresh the certs required for LE?

  • None of these suggestions work.
    Anyone else have suggestions on how to get the certs properly installed?