
Let's Encrypt - Default Drop when NAT to internal

We recently changed ISPs and I haven't been able to renew the Let's Encrypt cert for the UTM, sophos.mydomain.com. I cloned all the rules and added new interfaces, and the migration to the new ISP went flawlessly.

I have a NAT rule I turn on when it's time to renew the LE cert:

DNAT [Sophos SSL Let's Encrypt Renewals]
Traffic selector: Any → HTTP (80) → External [Sophos] (Address)
Destination translation: Internal (Address)
Automatic firewall rule: checked

Using Port Query, I can see it is applying NAT to the external IP; however, it is dropping access to the internal destination on port 80.

14:41:29  NAT rule #1   TCP  My.remote.IP:10664 → External [Sophos] (Address):80  [SYN] len=52 ttl=115 tos=0x00
14:41:29  Default DROP  TCP  My.remote.IP:10664 → 192.168.1.1:80                  [SYN] len=52 ttl=115 tos=0x00
Any idea why it would be dropping the internal address?

Sophos UTM 9.703-3

Appreciate the help!

  • LE UTM Logs
    2020:09:17-15:37:25 sophos letsencrypt[8826]: I Renew certificate: command completed with exit code 256
    2020:09:17-15:37:25 sophos letsencrypt[8826]: E Renew certificate: COMMAND_FAILED: ERROR: Challenge is invalid! (returned: invalid) (result: {
    2020:09:17-15:37:25 sophos letsencrypt[8826]: E Renew certificate: COMMAND_FAILED: "type": "http-01",
    2020:09:17-15:37:25 sophos letsencrypt[8826]: E Renew certificate: COMMAND_FAILED: "status": "invalid",
    2020:09:17-15:37:25 sophos letsencrypt[8826]: E Renew certificate: COMMAND_FAILED: "error": {
    2020:09:17-15:37:25 sophos letsencrypt[8826]: E Renew certificate: COMMAND_FAILED: "type": "urn:ietf:params:acme:error:connection",
    2020:09:17-15:37:25 sophos letsencrypt[8826]: E Renew certificate: COMMAND_FAILED: "detail": "Fetching sophos.*.com/.../aJHXdz7EWjqVfd7sk6GNTa66iadmYDKlkPUTGsC3yfQ: Timeout during connect (likely firewall problem)",
    2020:09:17-15:37:25 sophos letsencrypt[8826]: E Renew certificate: COMMAND_FAILED: "status": 400
    2020:09:17-15:37:25 sophos letsencrypt[8826]: E Renew certificate: COMMAND_FAILED: "url": "sophos.*.com/.../aJHXdz7EWjqVfd7sk6GNTa66iadmYDKlkPUTGsC3yfQ",
    2020:09:17-15:37:25 sophos letsencrypt[8826]: E Renew certificate: COMMAND_FAILED: "hostname": "sophos.*.com",
    2020:09:17-15:37:25 sophos letsencrypt[8826]: E Renew certificate: COMMAND_FAILED: "port": "80",
    2020:09:17-15:37:25 sophos letsencrypt[8826]: E Renew certificate: COMMAND_FAILED: "addressesResolved": [
    2020:09:17-15:37:25 sophos letsencrypt[8826]: E Renew certificate: COMMAND_FAILED: "Sophos External IP"
    2020:09:17-15:37:25 sophos letsencrypt[8826]: E Renew certificate: COMMAND_FAILED: ],
    2020:09:17-15:37:25 sophos letsencrypt[8826]: E Renew certificate: COMMAND_FAILED: "addressUsed": "Sophos External IP"
    2020:09:17-15:37:25 sophos letsencrypt[8826]: E Renew certificate: COMMAND_FAILED: }
    2020:09:17-15:37:25 sophos letsencrypt[8826]: E Renew certificate: COMMAND_FAILED: ]
    2020:09:17-15:37:25 sophos letsencrypt[8826]: E Renew certificate: COMMAND_FAILED: })
    2020:09:17-15:37:25 sophos letsencrypt[8826]: I Renew certificate: sending notification WARN-603
    2020:09:17-15:37:25 sophos letsencrypt[8826]: [WARN-603] Let's Encrypt certificate renewal failed accessing Let's Encrypt service
    2020:09:17-15:37:25 sophos letsencrypt[8826]: I Renew certificate: execution completed (CSRs renewed: 0, failed: 1)
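The two log excerpts above carry the whole diagnosis between them: the ACME server reports `urn:ietf:params:acme:error:connection` with "Timeout during connect" against port 80 of the address it resolved, and the packet filter shows the same SYN being DNATed away from the external address and then dropped at the translated host. The script below is an added example, not code from the thread or from Sophos. It parses the letsencrypt log fragments as they appear on the page and correlates them with packet-filter entries. The packet-filter lines are constructed in a `key="value"` style modelled on the UTM's ulogd packetfilter output; their `id`, `fwrule` and `action` values, and all IP addresses and hostnames, are assumptions for illustration.

```python
"""Diagnose a failed Let's Encrypt http-01 renewal on Sophos UTM from its logs (added example)."""
import re
from typing import Optional

# Constructed sample modelled on the letsencrypt log excerpt in this thread. Hostnames,
# the address and the token are placeholders; the closing brace of the "error" object is
# placed where the ACME challenge JSON has it, which the page's excerpt lost.
LE_LOG = """\
2020:09:17-15:37:25 sophos letsencrypt[8826]: I Renew certificate: command completed with exit code 256
2020:09:17-15:37:25 sophos letsencrypt[8826]: E Renew certificate: COMMAND_FAILED: ERROR: Challenge is invalid! (returned: invalid) (result: {
2020:09:17-15:37:25 sophos letsencrypt[8826]: E Renew certificate: COMMAND_FAILED: "type": "http-01",
2020:09:17-15:37:25 sophos letsencrypt[8826]: E Renew certificate: COMMAND_FAILED: "status": "invalid",
2020:09:17-15:37:25 sophos letsencrypt[8826]: E Renew certificate: COMMAND_FAILED: "error": {
2020:09:17-15:37:25 sophos letsencrypt[8826]: E Renew certificate: COMMAND_FAILED: "type": "urn:ietf:params:acme:error:connection",
2020:09:17-15:37:25 sophos letsencrypt[8826]: E Renew certificate: COMMAND_FAILED: "detail": "Fetching http://sophos.example.com/.well-known/acme-challenge/TOKEN: Timeout during connect (likely firewall problem)",
2020:09:17-15:37:25 sophos letsencrypt[8826]: E Renew certificate: COMMAND_FAILED: "status": 400
2020:09:17-15:37:25 sophos letsencrypt[8826]: E Renew certificate: COMMAND_FAILED: }
2020:09:17-15:37:25 sophos letsencrypt[8826]: E Renew certificate: COMMAND_FAILED: "hostname": "sophos.example.com",
2020:09:17-15:37:25 sophos letsencrypt[8826]: E Renew certificate: COMMAND_FAILED: "port": "80",
2020:09:17-15:37:25 sophos letsencrypt[8826]: E Renew certificate: COMMAND_FAILED: "addressUsed": "203.0.113.10"
"""

# Constructed packet-filter lines in a key="value" style modelled on the UTM's ulogd
# packetfilter log; id/fwrule/action values and addresses are assumptions, not real output.
FW_LOG = """\
2020:09:17-14:41:29 sophos ulogd[4711]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="NAT rule #1" action="dnat" srcip="198.51.100.7" dstip="203.0.113.10" proto="6" length="52" tos="0x00" ttl="115" srcport="10664" dstport="80" tcpflags="SYN"
2020:09:17-14:41:29 sophos ulogd[4711]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" srcip="198.51.100.7" dstip="192.168.1.1" proto="6" length="52" tos="0x00" ttl="115" srcport="10664" dstport="80" tcpflags="SYN"
"""

JSON_FIELD = re.compile(r'"(\w+)":\s*"?(.*?)"?,?$')
KV = re.compile(r'(\w+)="([^"]*)"')


def parse_le_failure(log: str) -> dict:
    """Pull the ACME challenge fields out of the COMMAND_FAILED lines.

    Keys inside the nested "error" object are prefixed "error." so the challenge
    "type"/"status" and the error "type"/"status" do not overwrite each other.
    """
    fields, in_error = {}, False
    for line in log.splitlines():
        _, sep, payload = line.partition("COMMAND_FAILED: ")
        if not sep:
            continue
        payload = payload.strip()
        if payload.startswith('"error"'):
            in_error = True
            continue
        if payload.startswith("}"):
            in_error = False
            continue
        m = JSON_FIELD.match(payload)
        if m:
            fields[("error." if in_error else "") + m.group(1)] = m.group(2)
    return fields


def diagnose_le(fields: dict) -> Optional[str]:
    """Turn the parsed challenge result into a one-line finding, or None if it succeeded."""
    if fields.get("status") != "invalid":
        return None
    if fields.get("type") == "http-01" and fields.get("error.type", "").endswith(":connection"):
        return (f"http-01 validation could not connect to {fields.get('addressUsed')}:{fields.get('port')} "
                f"for {fields.get('hostname')}: inbound TCP/{fields.get('port')} is not reaching the UTM's "
                "challenge responder on that address (check the cert's interface binding and any DNAT on that port)")
    return f"challenge {fields.get('type')} failed: {fields.get('error.type')}"


def parse_fw_log(log: str) -> list:
    """Parse key="value" packet-filter lines into dicts (one per line)."""
    return [dict(KV.findall(line)) for line in log.splitlines() if line.strip()]


def find_dnat_then_drop(entries: list, port: str = "80") -> list:
    """Flag flows to `port` that were DNATed on one address and then dropped at the translated one.

    Entries are grouped by (srcip, srcport, dstport); the UTM logs the same SYN once for the
    NAT decision and once for the drop, so the pair shares source IP and ephemeral port.
    """
    by_flow = {}
    for e in entries:
        by_flow.setdefault((e["srcip"], e["srcport"], e["dstport"]), []).append(e)
    findings = []
    for (src, sport, dport), evts in by_flow.items():
        if dport != port:
            continue
        nat = next((e for e in evts if e.get("action") == "dnat"), None)
        drop = next((e for e in evts if e.get("action") == "drop"), None)
        if nat and drop:
            findings.append(f"{src}:{sport} -> {nat['dstip']}:{dport} was DNATed to {drop['dstip']} and dropped "
                            f"there (rule {drop.get('fwrule', '?')}); the validator never reached the UTM itself")
    return findings


if __name__ == "__main__":
    print(diagnose_le(parse_le_failure(LE_LOG)))
    for finding in find_dnat_then_drop(parse_fw_log(FW_LOG)):
        print(finding)
```

The point of correlating the two logs is that either one alone is ambiguous: the ACME error only says "timeout, likely firewall", and the drop line only says a SYN to 192.168.1.1:80 hit the default rule. Together they show that the validator's request was steered away from the address the UTM's own challenge responder listens on, which is why the fix in this thread was to re-issue the certificate on the interface that now carries the WAN address rather than to add more NAT.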
  • Hello Samson,

    Thank you for contacting the Sophos Community!

    Maybe I am confused, but why do you have a DNAT rule for the Let's Encrypt certificate? Let's Encrypt needs to read your WAN interface FQDN name. 

    Regards,

    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • Thanks for your response! It actually made me think about it, and I realized I made a stupid mistake. It has been a while, and I forgot the LE cert was bound to a specific interface.

    The old LE cert had the old interface specified. I'm not sure how I missed that. It's kind of like when I can't find that thing in the drawer and it's right in front of my face!

    I simply needed to create a new LE cert on the new, correct interface, change the cert settings under WebAdmin and User Portal, and delete the old one.

  • Hello Samson,

    Thank you for the follow-up! 

    I am glad you were able to get the certificate. Tell me about it: yesterday I was looking for my wallet, having forgotten that five minutes earlier I had put it in my back pocket.

    Regards,

    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support