
Yet another Letsencrypt question

I have read numerous pages on getting Letsencrypt certs working on the Sophos UTM 9 appliance and I just can't seem to get this working. Are there any tips to getting this to work?

My setup is as follows:

Outside connections come in on port 443, go to an Nginx proxy where it is redirected to the correct port number of the web address, i.e.

    abcd.website.com ---> 192.168.1.123:8765

    defg.website.com ---> 192.168.1.123:9876

etc...

This was in place and working prior to installing the UTM 220, and works internally.

I want to forward and use the protection capabilities of UTM 9, grab the https://abcd.website.com traffic, do its magic, and pass it to Nginx as https://abcd.website.com where Nginx will then proxy it off to the final address and port.

Is this possible? If you have ideas, or a better way, please let me know.

Here is the log from the letsencrypt session:

2021:09:18-15:25:23 fw letsencrypt[28405]: I Renew certificate: execution completed (CSRs renewed: 0, failed: 1)
2021:09:18-15:34:02 fw letsencrypt[30437]: I Renew certificate: handling CSR REF_CaCsrHomebox for domain set [rikksullenber.ddns.net]
2021:09:18-15:34:02 fw letsencrypt[30437]: I Renew certificate: running command: /var/storage/chroot-reverseproxy/usr/dehydrated/bin/dehydrated -x -f /var/storage/chroot-reverseproxy/usr/dehydrated/conf/config -c --accept-terms --domain rikksullenber.ddns.net
2021:09:18-15:34:14 fw letsencrypt[30437]: I Renew certificate: command completed with exit code 256
2021:09:18-15:34:14 fw letsencrypt[30437]: E Renew certificate: COMMAND_FAILED: ERROR: Challenge is invalid! (returned: invalid) (result: {
2021:09:18-15:34:14 fw letsencrypt[30437]: E Renew certificate: COMMAND_FAILED: "type": "http-01",
2021:09:18-15:34:14 fw letsencrypt[30437]: E Renew certificate: COMMAND_FAILED: "status": "invalid",
2021:09:18-15:34:14 fw letsencrypt[30437]: E Renew certificate: COMMAND_FAILED: "error": {
2021:09:18-15:34:14 fw letsencrypt[30437]: E Renew certificate: COMMAND_FAILED: "type": "urn:ietf:params:acme:error:unauthorized",
2021:09:18-15:34:14 fw letsencrypt[30437]: E Renew certificate: COMMAND_FAILED: "detail": "Invalid response from rikksullenber.ddns.net/.../wb_09NYPIVT69xmvcwQuBab4Eh_PY0p9Akz24wqliqY [76.190.152.95]: \"\u003chtml\u003e\\r\\n\u003chead\u003e\u003ctitle\u003e404 Not Found\u003c/title\u003e\u003c/head\u003e\\r\\n\u003cbody\u003e\\r\\n\u003ccenter\u003e\u003ch1\u003e404 Not Found\u003c/h1\u003e\u003c/center\u003e\\r\\n\u003chr\u003e\u003ccenter\u003eopenresty\u003c/cente\"",
2021:09:18-15:34:14 fw letsencrypt[30437]: E Renew certificate: COMMAND_FAILED: "status": 403
2021:09:18-15:34:14 fw letsencrypt[30437]: E Renew certificate: COMMAND_FAILED: },
2021:09:18-15:34:14 fw letsencrypt[30437]: E Renew certificate: COMMAND_FAILED: "url": "acme-v02.api.letsencrypt.org/.../TF-jig",
2021:09:18-15:34:14 fw letsencrypt[30437]: E Renew certificate: COMMAND_FAILED: "token": "wb_09NYPIVT69xmvcwQuBab4Eh_PY0p9Akz24wqliqY",
2021:09:18-15:34:14 fw letsencrypt[30437]: E Renew certificate: COMMAND_FAILED: "validationRecord": [
2021:09:18-15:34:14 fw letsencrypt[30437]: E Renew certificate: COMMAND_FAILED: {
2021:09:18-15:34:14 fw letsencrypt[30437]: E Renew certificate: COMMAND_FAILED: "url": "this.removed.for.security/.../wb_09NYPIVT69xmvcwQuBab4Eh_PY0p9Akz24wqliqY",
2021:09:18-15:34:14 fw letsencrypt[30437]: E Renew certificate: COMMAND_FAILED: "hostname": "this.removed.for.security/",
2021:09:18-15:34:14 fw letsencrypt[30437]: E Renew certificate: COMMAND_FAILED: "port": "80",
2021:09:18-15:34:14 fw letsencrypt[30437]: E Renew certificate: COMMAND_FAILED: "addressesResolved": [
2021:09:18-15:34:14 fw letsencrypt[30437]: E Renew certificate: COMMAND_FAILED: "1.2.3.4"
2021:09:18-15:34:14 fw letsencrypt[30437]: E Renew certificate: COMMAND_FAILED: ],
2021:09:18-15:34:14 fw letsencrypt[30437]: E Renew certificate: COMMAND_FAILED: "addressUsed": "1.2.3.4"
2021:09:18-15:34:14 fw letsencrypt[30437]: E Renew certificate: COMMAND_FAILED: }
2021:09:18-15:34:14 fw letsencrypt[30437]: E Renew certificate: COMMAND_FAILED: ],
2021:09:18-15:34:14 fw letsencrypt[30437]: E Renew certificate: COMMAND_FAILED: "validated": "2021-09-18T19:34:12Z"
2021:09:18-15:34:14 fw letsencrypt[30437]: E Renew certificate: COMMAND_FAILED: })
2021:09:18-15:34:14 fw letsencrypt[30437]: I Renew certificate: sending notification WARN-603
2021:09:18-15:34:14 fw letsencrypt[30437]: [WARN-603] Let's Encrypt certificate renewal failed accessing Let's Encrypt service
2021:09:18-15:34:14 fw letsencrypt[30437]: I Renew certificate: execution completed (CSRs renewed: 0, failed: 1)


  • Hello Rikk,

    I think Let's encrypt needs to reach port 80 (HTTP).

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.
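As an added example (not code from the post, from Sophos, or from dehydrated), here is a small Python parser for the UTM 9 letsencrypt log format shown in the question. It stitches the COMMAND_FAILED fragments back into the JSON result that dehydrated printed, pulls out the renewed/failed counts, and turns the result into the findings that matter for the reply's point: http-01 validation is fetched over port 80, and in the question the 404 page on port 80 is branded openresty, i.e. the Nginx proxy answered rather than the UTM reverse proxy that runs dehydrated. The sample log, the hostname, IPs, token, CSR reference and ACME URL are constructed placeholders, not values from the page.

```python
import json
import re

# Constructed sample in the shape of the UTM 9 "letsencrypt" log from the post;
# hostname, IPs, token, CSR reference and ACME URL are placeholders.
SAMPLE_LOG = r"""2021:09:18-15:34:02 fw letsencrypt[30437]: I Renew certificate: handling CSR REF_CaCsrExample for domain set [example-host.ddns.invalid]
2021:09:18-15:34:14 fw letsencrypt[30437]: I Renew certificate: command completed with exit code 256
2021:09:18-15:34:14 fw letsencrypt[30437]: E Renew certificate: COMMAND_FAILED: ERROR: Challenge is invalid! (returned: invalid) (result: {
2021:09:18-15:34:14 fw letsencrypt[30437]: E Renew certificate: COMMAND_FAILED: "type": "http-01",
2021:09:18-15:34:14 fw letsencrypt[30437]: E Renew certificate: COMMAND_FAILED: "status": "invalid",
2021:09:18-15:34:14 fw letsencrypt[30437]: E Renew certificate: COMMAND_FAILED: "error": {
2021:09:18-15:34:14 fw letsencrypt[30437]: E Renew certificate: COMMAND_FAILED: "type": "urn:ietf:params:acme:error:unauthorized",
2021:09:18-15:34:14 fw letsencrypt[30437]: E Renew certificate: COMMAND_FAILED: "detail": "Invalid response from example-host.ddns.invalid/.well-known/acme-challenge/TOKEN_PLACEHOLDER [192.0.2.10]: \"\u003chtml\u003e\\r\\n\u003chead\u003e\u003ctitle\u003e404 Not Found\u003c/title\u003e\u003c/head\u003e\\r\\n\u003cbody\u003e\\r\\n\u003ccenter\u003e\u003ch1\u003e404 Not Found\u003c/h1\u003e\u003c/center\u003e\\r\\n\u003chr\u003e\u003ccenter\u003eopenresty\u003c/cente\"",
2021:09:18-15:34:14 fw letsencrypt[30437]: E Renew certificate: COMMAND_FAILED: "status": 403
2021:09:18-15:34:14 fw letsencrypt[30437]: E Renew certificate: COMMAND_FAILED: },
2021:09:18-15:34:14 fw letsencrypt[30437]: E Renew certificate: COMMAND_FAILED: "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/PLACEHOLDER",
2021:09:18-15:34:14 fw letsencrypt[30437]: E Renew certificate: COMMAND_FAILED: "token": "TOKEN_PLACEHOLDER",
2021:09:18-15:34:14 fw letsencrypt[30437]: E Renew certificate: COMMAND_FAILED: "validationRecord": [
2021:09:18-15:34:14 fw letsencrypt[30437]: E Renew certificate: COMMAND_FAILED: {
2021:09:18-15:34:14 fw letsencrypt[30437]: E Renew certificate: COMMAND_FAILED: "url": "http://example-host.ddns.invalid/.well-known/acme-challenge/TOKEN_PLACEHOLDER",
2021:09:18-15:34:14 fw letsencrypt[30437]: E Renew certificate: COMMAND_FAILED: "hostname": "example-host.ddns.invalid",
2021:09:18-15:34:14 fw letsencrypt[30437]: E Renew certificate: COMMAND_FAILED: "port": "80",
2021:09:18-15:34:14 fw letsencrypt[30437]: E Renew certificate: COMMAND_FAILED: "addressesResolved": [
2021:09:18-15:34:14 fw letsencrypt[30437]: E Renew certificate: COMMAND_FAILED: "192.0.2.10"
2021:09:18-15:34:14 fw letsencrypt[30437]: E Renew certificate: COMMAND_FAILED: ],
2021:09:18-15:34:14 fw letsencrypt[30437]: E Renew certificate: COMMAND_FAILED: "addressUsed": "192.0.2.10"
2021:09:18-15:34:14 fw letsencrypt[30437]: E Renew certificate: COMMAND_FAILED: }
2021:09:18-15:34:14 fw letsencrypt[30437]: E Renew certificate: COMMAND_FAILED: ],
2021:09:18-15:34:14 fw letsencrypt[30437]: E Renew certificate: COMMAND_FAILED: "validated": "2021-01-01T00:00:00Z"
2021:09:18-15:34:14 fw letsencrypt[30437]: E Renew certificate: COMMAND_FAILED: })
2021:09:18-15:34:14 fw letsencrypt[30437]: I Renew certificate: execution completed (CSRs renewed: 0, failed: 1)
"""

# One UTM letsencrypt line: "<ts> <host> letsencrypt[<pid>]: <I|E|W> Renew certificate: <msg>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) letsencrypt\[(?P<pid>\d+)\]: "
    r"(?P<level>[IEW]) Renew certificate: (?P<msg>.*)$"
)
PREFIX = "COMMAND_FAILED: "
SUMMARY_RE = re.compile(r"CSRs renewed: (\d+), failed: (\d+)")


def parse_records(text):
    """Yield one dict per line that has the UTM letsencrypt log shape."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def extract_challenge_result(text):
    """Reassemble the JSON dehydrated printed after '(result: ' and parse it."""
    fragments, collecting = [], False
    for rec in parse_records(text):
        if not rec["msg"].startswith(PREFIX):
            continue
        body = rec["msg"][len(PREFIX):]
        if not collecting:
            start = body.find("(result: ")
            if start == -1:
                continue
            collecting = True
            body = body[start + len("(result: "):]
        fragments.append(body)
        if body.strip() == "})":
            break
    if not fragments:
        return None
    raw = "\n".join(fragments).rstrip()
    if raw.endswith(")"):  # drop the ')' that closes "(result: "
        raw = raw[:-1]
    return json.loads(raw)


def run_summary(text):
    """Return (renewed, failed) from the last 'execution completed' line, or None."""
    summary = None
    for rec in parse_records(text):
        m = SUMMARY_RE.search(rec["msg"])
        if m:
            summary = (int(m.group(1)), int(m.group(2)))
    return summary


def diagnose(result):
    """Turn the parsed challenge result into plain-language findings."""
    if result is None:
        return ["no challenge result found in log"]
    findings = []
    err = result.get("error", {})
    record = (result.get("validationRecord") or [{}])[0]
    findings.append(
        f"{result.get('type')} challenge for {record.get('hostname')} "
        f"on port {record.get('port')} at {record.get('addressUsed')}: "
        f"status {result.get('status')} ({err.get('type')})"
    )
    if result.get("type") == "http-01" and record.get("port") == "80":
        findings.append("http-01 is fetched over TCP port 80 of the resolved address; "
                        "forwarding only port 443 does not satisfy it")
    detail = err.get("detail", "")
    if "404 Not Found" in detail:
        findings.append("validation URL answered 404: nothing on port 80 serves "
                        "/.well-known/acme-challenge/ for this host")
    if "openresty" in detail.lower() or "nginx" in detail.lower():
        findings.append("the 404 page is branded openresty/nginx, so port 80 reaches the "
                        "Nginx proxy rather than the UTM reverse proxy that runs dehydrated")
    return findings


if __name__ == "__main__":
    for finding in diagnose(extract_challenge_result(SAMPLE_LOG)):
        print("-", finding)
    print("summary (renewed, failed):", run_summary(SAMPLE_LOG))
```

Feed it the raw log from the UTM log viewer instead of SAMPLE_LOG; the validationRecord block is the useful part, because it shows which address and port the Let's Encrypt validator actually connected to and what it got back.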