This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

9.702-1 - Letsencrypt renew and create new failed

Hi,

my Letsencrypt certificates won't renew. I've already tried to disable and enable Letsencrypt, triggering creating a new account, and I also tried to create a new certificate, but new certificates won't get certified either.

Here is the log file:

------------------------------------------------------------------------------------
2020:06:24-18:55:03 remote letsencrypt[11015]: I Renew certificate: handling CSR REF_CaCsrDomains for domain set [remote.domain.de,home.domain.de,autodiscover.domain.de,userportal.domain.de,mail.domain.de,smtp.domain.de]
2020:06:24-18:55:03 remote letsencrypt[11015]: I Renew certificate: running command: /var/storage/chroot-reverseproxy/usr/dehydrated/bin/dehydrated -x -f /var/storage/chroot-reverseproxy/usr/dehydrated/conf/config -c --accept-terms --domain remote.domain.de --domain home.domain.de --domain autodiscover.domain.de --domain userportal.domain.de --domain mail.domain.de --domain smtp.domain.de
2020:06:24-18:56:01 remote letsencrypt[12271]: E Renew certificate: aborting, failed to acquire an exclusive lock: Resource temporarily unavailable
2020:06:24-18:56:14 remote letsencrypt[11015]: I Renew certificate: command completed with exit code 256
2020:06:24-18:56:14 remote letsencrypt[11015]: E Renew certificate: COMMAND_FAILED: ERROR: Challenge is invalid! (returned: invalid) (result: {
2020:06:24-18:56:14 remote letsencrypt[11015]: E Renew certificate: COMMAND_FAILED: "type": "http-01",
2020:06:24-18:56:14 remote letsencrypt[11015]: E Renew certificate: COMMAND_FAILED: "status": "invalid",
2020:06:24-18:56:14 remote letsencrypt[11015]: E Renew certificate: COMMAND_FAILED: "error": {
2020:06:24-18:56:14 remote letsencrypt[11015]: E Renew certificate: COMMAND_FAILED: "type": "urn:ietf:params:acme:error:connection",
2020:06:24-18:56:14 remote letsencrypt[11015]: E Renew certificate: COMMAND_FAILED: "detail": "Fetching home.domain.de:8888/.../f5N4JXSzIPv6zPf2hIubAa5yJsS6DzPzjpPMberg1NA: Invalid port in redirect target. Only ports 80 and 443 are supported, not 8888",
2020:06:24-18:56:14 remote letsencrypt[11015]: E Renew certificate: COMMAND_FAILED: "status": 400
2020:06:24-18:56:14 remote letsencrypt[11015]: E Renew certificate: COMMAND_FAILED: },
2020:06:24-18:56:14 remote letsencrypt[11015]: E Renew certificate: COMMAND_FAILED: "url": "acme-v02.api.letsencrypt.org/.../rgAEPg",
2020:06:24-18:56:14 remote letsencrypt[11015]: E Renew certificate: COMMAND_FAILED: "token": "f5N4JXSzIPv6zPf2hIubAa5yJsS6DzPzjpPMberg1NA",
2020:06:24-18:56:14 remote letsencrypt[11015]: E Renew certificate: COMMAND_FAILED: "validationRecord": [
2020:06:24-18:56:14 remote letsencrypt[11015]: E Renew certificate: COMMAND_FAILED: {
2020:06:24-18:56:14 remote letsencrypt[11015]: E Renew certificate: COMMAND_FAILED: "url": "userportal.domain.de/.../f5N4JXSzIPv6zPf2hIubAa5yJsS6DzPzjpPMberg1NA",
2020:06:24-18:56:14 remote letsencrypt[11015]: E Renew certificate: COMMAND_FAILED: "hostname": "userportal.domain.de",
2020:06:24-18:56:14 remote letsencrypt[11015]: E Renew certificate: COMMAND_FAILED: "port": "80",
2020:06:24-18:56:14 remote letsencrypt[11015]: E Renew certificate: COMMAND_FAILED: "addressesResolved": [
2020:06:24-18:56:14 remote letsencrypt[11015]: E Renew certificate: COMMAND_FAILED: "134.255.255.204",
2020:06:24-18:56:14 remote letsencrypt[11015]: E Renew certificate: COMMAND_FAILED: "2a00:1563:2543:300::5cc"
2020:06:24-18:56:14 remote letsencrypt[11015]: E Renew certificate: COMMAND_FAILED: ],
2020:06:24-18:56:14 remote letsencrypt[11015]: E Renew certificate: COMMAND_FAILED: "addressUsed": "2a00:6422:2345:340::5cc"
2020:06:24-18:56:14 remote letsencrypt[11015]: E Renew certificate: COMMAND_FAILED: }
2020:06:24-18:56:14 remote letsencrypt[11015]: E Renew certificate: COMMAND_FAILED: ]
2020:06:24-18:56:14 remote letsencrypt[11015]: E Renew certificate: COMMAND_FAILED: })
2020:06:24-18:56:15 remote letsencrypt[11015]: I Renew certificate: sending notification WARN-603
2020:06:24-18:56:15 remote letsencrypt[11015]: [WARN-603] Let's Encrypt certificate renewal failed accessing Let's Encrypt service
2020:06:24-18:56:15 remote letsencrypt[11015]: I Renew certificate: execution completed (CSRs renewed: 0, failed: 1)
------------------------------------------------------------------------------------


I am running Firmware Version 9.702-1 on a SG115w (Up2Date shows the firmware is up to date and no new available, but I know the 9.703 is out already) and I also rebooted the appliance, too.

Any help would be greatly appreciated!

Thanks in advance!
ipzipzap



This thread was automatically locked due to age.
Parents
  • FormerMember
    0 FormerMember

    Hi ipzipzap,

    Thank you for reaching out to the Community! 

    Do you have country blocking rules configured on the firewall? or DNAT rule configured on the WAN interface? 

    If yes, please disable the county blocking and DNAT rule temporarily and try to renew the Let's Encrypt certificate. 

    Thanks,

  • OK, I just tried and enabled/disabled the country blocking and disabled my two NAT rules (for port 666 and 993), but I am still getting the error

    aborting, failed to acquire an exclusive lock: Resource temporarily unavailable

    Unfortunately I don't have any other ideas.

     

    cu,
    ipzipzap

  • You have IPv6 enabled.

    Afaik UTM still has some problems with renewing LE via IPv6 (at least on my virtual UTM at german hoster Hetzner).

    So try to temporarily disable IPv6 completely (Interfaces & routing -> IPv6), then start a renewal and if successful re-enable IPv6.

    ----------
    Sophos user, admin and reseller.
    Private Setup:

    • XG: HPE DL20 Gen9 (Core i3-7300, 8GB RAM, 120GB SSD) | XG 18.0 (Home License) with: Web Protection, Site-to-Site-VPN (IPSec, RED-Tunnel), Remote Access (SSL, HTML5)
    • UTM: 2 vCPUs, 2GB RAM, 50GB vHDD, 2 vNICs on vServer (KVM) | UTM 9.7 (Home License) with: Email Protection, Webserver Protection, RED-Tunnel (server)
Reply
  • You have IPv6 enabled.

    Afaik UTM still has some problems with renewing LE via IPv6 (at least on my virtual UTM at german hoster Hetzner).

    So try to temporarily disable IPv6 completely (Interfaces & routing -> IPv6), then start a renewal and if successful re-enable IPv6.

    ----------
    Sophos user, admin and reseller.
    Private Setup:

    • XG: HPE DL20 Gen9 (Core i3-7300, 8GB RAM, 120GB SSD) | XG 18.0 (Home License) with: Web Protection, Site-to-Site-VPN (IPSec, RED-Tunnel), Remote Access (SSL, HTML5)
    • UTM: 2 vCPUs, 2GB RAM, 50GB vHDD, 2 vNICs on vServer (KVM) | UTM 9.7 (Home License) with: Email Protection, Webserver Protection, RED-Tunnel (server)
Children