Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 5 replies
  • Subscribers 2 subscribers
  • Views 1416 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

[9.705-3] let's encrypt renewal Fails with IPv6

solae

Hi Sophos Community

I'm hosting some websites behind a Virtual Sophos UTM. For SSL I'm using let's encrypt Certificates on the Sophos UTM.

As I have no nativ IPv6, I use the hurricane electric Tunnelbroker feature to get IPv6 Addresses.

Now everytime the certificate renewal process tries to renew the Certificate there is an Error: "[WARN-603] Let's Encrypt certificate renewal failed accessing Let's Encrypt service"

There was a Bug when renewing Let's Encrypt Certificate while Using IPv6: https://community.sophos.com/utm-firewall/f/web-server-security/115242/9-605-1-let-s-encrypt-renewals-fail

But as far as I know this should have been fixed with NUTM-11685: https://community.sophos.com/utm-firewall/b/blog/posts/utm-up2date-9-704-released

Let's Encrypt Logfile Error:

2021:01:16-09:28:02 fw01-stj letsencrypt[20506]: I Renew certificate: handling CSR REF_CaCsrLeWebDomai for domain set [www.domain1.ch,domain1.ch,www.domain2.ch,domain2.ch,www.domain3.ch,domain3.ch,www.domain1.at,domain1.at]
2021:01:16-09:28:02 fw01-stj letsencrypt[20506]: I Renew certificate: running command: /var/storage/chroot-reverseproxy/usr/dehydrated/bin/dehydrated -x -f /var/storage/chroot-reverseproxy/usr/dehydrated/conf/config -c --accept-terms --domain www.domain1.ch --domain domain1.ch --domain www.domain2.ch --domain domain2.ch --domain www.domain3.ch --domain domain3.ch --domain www.domain1.at --domain domain1.at
2021:01:16-09:28:34 fw01-stj letsencrypt[20506]: I Renew certificate: command completed with exit code 256
2021:01:16-09:28:34 fw01-stj letsencrypt[20506]: E Renew certificate: COMMAND_FAILED: ERROR: Challenge is invalid! (returned: invalid) (result: {
2021:01:16-09:28:34 fw01-stj letsencrypt[20506]: E Renew certificate: COMMAND_FAILED:   "type": "http-01",
2021:01:16-09:28:34 fw01-stj letsencrypt[20506]: E Renew certificate: COMMAND_FAILED:   "status": "invalid",
2021:01:16-09:28:34 fw01-stj letsencrypt[20506]: E Renew certificate: COMMAND_FAILED:   "error": {
2021:01:16-09:28:34 fw01-stj letsencrypt[20506]: E Renew certificate: COMMAND_FAILED:     "type": "urn:ietf:params:acme:error:unauthorized",
2021:01:16-09:28:34 fw01-stj letsencrypt[20506]: E Renew certificate: COMMAND_FAILED:     "detail": "Invalid response from https://domain2.ch/.well-known/acme-challenge/SyFc3DOx80zLFl62H_wbpUPSAl75jaP0QknpiIjArP0 [2001:231:12:1f2::2]: \"\u003c!DOCTYPE html PUBLIC \\\"-//W3C//DTD XHTML 1.0 Strict//EN\\\" \\\"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\\\"\u003e\\r\\n\u003chtml xmlns=\\\"http\"",
2021:01:16-09:28:34 fw01-stj letsencrypt[20506]: E Renew certificate: COMMAND_FAILED:     "status": 403
2021:01:16-09:28:34 fw01-stj letsencrypt[20506]: E Renew certificate: COMMAND_FAILED:   },
2021:01:16-09:28:34 fw01-stj letsencrypt[20506]: E Renew certificate: COMMAND_FAILED:   "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/10113343291/KexPkw",
2021:01:16-09:28:34 fw01-stj letsencrypt[20506]: E Renew certificate: COMMAND_FAILED:   "token": "SyFc3DOx80zLFl62H_wbpUPSAl75jaP0QknpiIjArP0",
2021:01:16-09:28:34 fw01-stj letsencrypt[20506]: E Renew certificate: COMMAND_FAILED:   "validationRecord": [
2021:01:16-09:28:34 fw01-stj letsencrypt[20506]: E Renew certificate: COMMAND_FAILED:     {
2021:01:16-09:28:34 fw01-stj letsencrypt[20506]: E Renew certificate: COMMAND_FAILED:       "url": "http://domain2.ch/.well-known/acme-challenge/SyFc3DOx80zLFl62H_wbpUPSAl75jaP0QknpiIjArP0",
2021:01:16-09:28:34 fw01-stj letsencrypt[20506]: E Renew certificate: COMMAND_FAILED:       "hostname": "domain2.ch",
2021:01:16-09:28:34 fw01-stj letsencrypt[20506]: E Renew certificate: COMMAND_FAILED:       "port": "80",
2021:01:16-09:28:34 fw01-stj letsencrypt[20506]: E Renew certificate: COMMAND_FAILED:       "addressesResolved": [
2021:01:16-09:28:34 fw01-stj letsencrypt[20506]: E Renew certificate: COMMAND_FAILED:         "99.43.62.22",
2021:01:16-09:28:34 fw01-stj letsencrypt[20506]: E Renew certificate: COMMAND_FAILED:         "2001:231:12:1f2::2"
2021:01:16-09:28:34 fw01-stj letsencrypt[20506]: E Renew certificate: COMMAND_FAILED:       ],
2021:01:16-09:28:34 fw01-stj letsencrypt[20506]: E Renew certificate: COMMAND_FAILED:       "addressUsed": "2001:231:12:1f2::2"
2021:01:16-09:28:34 fw01-stj letsencrypt[20506]: E Renew certificate: COMMAND_FAILED:     },
2021:01:16-09:28:34 fw01-stj letsencrypt[20506]: E Renew certificate: COMMAND_FAILED:     {
2021:01:16-09:28:34 fw01-stj letsencrypt[20506]: E Renew certificate: COMMAND_FAILED:       "url": "https://domain2.ch/.well-known/acme-challenge/SyFc3DOx80zLFl62H_wbpUPSAl75jaP0QknpiIjArP0",
2021:01:16-09:28:34 fw01-stj letsencrypt[20506]: E Renew certificate: COMMAND_FAILED:       "hostname": "domain2.ch",
2021:01:16-09:28:34 fw01-stj letsencrypt[20506]: E Renew certificate: COMMAND_FAILED:       "port": "443",
2021:01:16-09:28:34 fw01-stj letsencrypt[20506]: E Renew certificate: COMMAND_FAILED:       "addressesResolved": [
2021:01:16-09:28:34 fw01-stj letsencrypt[20506]: E Renew certificate: COMMAND_FAILED:         "99.43.62.22",
2021:01:16-09:28:34 fw01-stj letsencrypt[20506]: E Renew certificate: COMMAND_FAILED:         "2001:231:12:1f2::2"
2021:01:16-09:28:34 fw01-stj letsencrypt[20506]: E Renew certificate: COMMAND_FAILED:       ],
2021:01:16-09:28:34 fw01-stj letsencrypt[20506]: E Renew certificate: COMMAND_FAILED:       "addressUsed": "2001:231:12:1f2::2"
2021:01:16-09:28:34 fw01-stj letsencrypt[20506]: E Renew certificate: COMMAND_FAILED:     }
2021:01:16-09:28:34 fw01-stj letsencrypt[20506]: E Renew certificate: COMMAND_FAILED:   ]
2021:01:16-09:28:34 fw01-stj letsencrypt[20506]: E Renew certificate: COMMAND_FAILED: })
2021:01:16-09:28:34 fw01-stj letsencrypt[20506]: I Renew certificate: sending notification WARN-603
2021:01:16-09:28:34 fw01-stj letsencrypt[20506]: [WARN-603] Let's Encrypt certificate renewal failed accessing Let's Encrypt service
2021:01:16-09:28:34 fw01-stj letsencrypt[20506]: I Renew certificate: execution completed (CSRs renewed: 0, failed: 1)

WAF Logfile Error:

2021:01:16-09:28:25 fw01-stj httpd: id="0299" srcip="2a05:d014:3ad:700:b22c:ca2c:7496:bfa" localip="2001:231:12:1f2::2" size="190" user="-" host="2a05:d014:3ad:700:b22c:ca2c:7496:bfa" method="GET" statuscode="301" reason="-" extra="-" exceptions="-" time="3591" url="/.well-known/acme-challenge/SyFc3DOx80zLFl62H_wbpUPSAl75jaP0QknpiIjArP0" server="domain3.ch" port="80" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="YAKjqR9bIFeVJHSGkmDy7AAAAAA"
2021:01:16-09:28:25 fw01-stj httpd: id="0299" srcip="2600:1f14:804:fd01:fe4e:58be:b99:bad8" localip="2001:231:12:1f2::2" size="190" user="-" host="2600:1f14:804:fd01:fe4e:58be:b99:bad8" method="GET" statuscode="301" reason="-" extra="-" exceptions="-" time="1847" url="/.well-known/acme-challenge/SyFc3DOx80zLFl62H_wbpUPSAl75jaP0QknpiIjArP0" server="domain3.ch" port="80" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="YAKjqR9bIFeVJHSGkmDy7QAAAAM"
2021:01:16-09:28:25 fw01-stj httpd: id="0299" srcip="2a05:d014:3ad:700:b22c:ca2c:7496:bfa" localip="2001:231:12:1f2::2" size="675" user="-" host="2a05:d014:3ad:700:b22c:ca2c:7496:bfa" method="GET" statuscode="404" reason="-" extra="-" exceptions="-" time="8397" url="/.well-known/acme-challenge/SyFc3DOx80zLFl62H_wbpUPSAl75jaP0QknpiIjArP0" server="domain3.ch" port="443" query="" referer="http://domain3.ch/.well-known/acme-challenge/SyFc3DOx80zLFl62H_wbpUPSAl75jaP0QknpiIjArP0" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="YAKjqR9bIFeVJHSGkmDy7gAAAAI"
2021:01:16-09:28:26 fw01-stj httpd: id="0299" srcip="2600:1f16:269:da01:367:cea2:153a:d5c8" localip="2001:231:12:1f2::2" size="190" user="-" host="2600:1f16:269:da01:367:cea2:153a:d5c8" method="GET" statuscode="301" reason="-" extra="-" exceptions="-" time="1234" url="/.well-known/acme-challenge/SyFc3DOx80zLFl62H_wbpUPSAl75jaP0QknpiIjArP0" server="domain3.ch" port="80" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="YAKjqh9bIFeVJHSGkmDy7wAAAAQ"
2021:01:16-09:28:26 fw01-stj httpd: id="0299" srcip="2600:1f16:269:da01:367:cea2:153a:d5c8" localip="2001:231:12:1f2::2" size="675" user="-" host="2600:1f16:269:da01:367:cea2:153a:d5c8" method="GET" statuscode="404" reason="-" extra="-" exceptions="-" time="11340" url="/.well-known/acme-challenge/SyFc3DOx80zLFl62H_wbpUPSAl75jaP0QknpiIjArP0" server="domain3.ch" port="443" query="" referer="http://domain3.ch/.well-known/acme-challenge/SyFc3DOx80zLFl62H_wbpUPSAl75jaP0QknpiIjArP0" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="YAKjqh9bIFeVJHSGkmDy8AAAAAY"
2021:01:16-09:28:26 fw01-stj httpd: id="0299" srcip="2600:1f14:804:fd01:fe4e:58be:b99:bad8" localip="2001:231:12:1f2::2" size="675" user="-" host="2600:1f14:804:fd01:fe4e:58be:b99:bad8" method="GET" statuscode="404" reason="-" extra="-" exceptions="-" time="9879" url="/.well-known/acme-challenge/SyFc3DOx80zLFl62H_wbpUPSAl75jaP0QknpiIjArP0" server="domain3.ch" port="443" query="" referer="http://domain3.ch/.well-known/acme-challenge/SyFc3DOx80zLFl62H_wbpUPSAl75jaP0QknpiIjArP0" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="YAKjqh9bIFeVJHSGkmDy8QAAAAU"
2021:01:16-09:28:33 fw01-stj httpd: id="0299" srcip="2600:3000:2710:200::1f" localip="2001:231:12:1f2::2" size="190" user="-" host="2600:3000:2710:200::1f" method="GET" statuscode="301" reason="-" extra="-" exceptions="-" time="1294" url="/.well-known/acme-challenge/SyFc3DOx80zLFl62H_wbpUPSAl75jaP0QknpiIjArP0" server="domain3.ch" port="80" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="YAKjsR9bIFeVJHSGkmDy9AAAAAk"
2021:01:16-09:28:34 fw01-stj httpd: id="0299" srcip="2600:3000:2710:200::1f" localip="2001:231:12:1f2::2" size="675" user="-" host="2600:3000:2710:200::1f" method="GET" statuscode="404" reason="-" extra="-" exceptions="-" time="8348" url="/.well-known/acme-challenge/SyFc3DOx80zLFl62H_wbpUPSAl75jaP0QknpiIjArP0" server="domain3.ch" port="443" query="" referer="http://domain3.ch/.well-known/acme-challenge/SyFc3DOx80zLFl62H_wbpUPSAl75jaP0QknpiIjArP0" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="YAKjsh9bIFeVJHSGkmDy9QAAAAo"
2021:01:16-09:28:34 fw01-stj httpd[21816]: Restarting gracefully
2021:01:16-09:28:35 fw01-stj httpd[21822]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroAp01gos] does not exist
2021:01:16-09:28:35 fw01-stj httpd[21822]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroBackup01st] does not exist
2021:01:16-09:28:35 fw01-stj httpd[21822]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroFibarHc2Https] does not exist
2021:01:16-09:28:35 fw01-stj httpd[21822]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFrodomainWebsi] does not exist
2021:01:16-09:28:35 fw01-stj httpd[21822]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFrodomainWebsiIpv6] does not exist
2021:01:16-09:28:35 fw01-stj httpd[21822]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroTransfer] does not exist
2021:01:16-09:28:35 fw01-stj httpd[21822]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroUnifiContr] does not exist
2021:01:16-09:28:35 fw01-stj httpd[21822]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroWebsiAtIpv4] does not exist
2021:01:16-09:28:35 fw01-stj httpd[21822]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroWebsiAtIpv42] does not exist
2021:01:16-09:28:35 fw01-stj httpd[21822]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroWebsiAtIpv6] does not exist
2021:01:16-09:28:35 fw01-stj httpd[21822]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroWebsiAtIpv62] does not exist
2021:01:16-09:28:35 fw01-stj httpd[21822]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroWebsiChIpv4] does not exist
2021:01:16-09:28:35 fw01-stj httpd[21822]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroWebsiChIpv6] does not exist
2021:01:16-09:28:35 fw01-stj httpd[21822]: Syntax OK
2021:01:16-09:28:35 fw01-stj httpd: id="0299" srcip="127.0.0.1" localip="127.0.0.1" size="44495" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="1064" url="/status" server="localhost:4080" port="80" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="YAKjsx9bIFeVJHSGkmDy@AAAAA0"
2021:01:16-09:28:35 fw01-stj httpd[21852]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroAp01gos] does not exist
2021:01:16-09:28:35 fw01-stj httpd[21852]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroBackup01st] does not exist
2021:01:16-09:28:35 fw01-stj httpd[21852]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroFibarHc2Https] does not exist
2021:01:16-09:28:35 fw01-stj httpd[21852]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFrodimainWebsi] does not exist
2021:01:16-09:28:35 fw01-stj httpd[21852]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFrodomainWebsiIpv6] does not exist
2021:01:16-09:28:35 fw01-stj httpd[21852]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroTransfer] does not exist
2021:01:16-09:28:35 fw01-stj httpd[21852]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroUnifiContr] does not exist
2021:01:16-09:28:35 fw01-stj httpd[21852]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroWebsiAtIpv4] does not exist
2021:01:16-09:28:35 fw01-stj httpd[21852]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroWebsiAtIpv42] does not exist
2021:01:16-09:28:35 fw01-stj httpd[21852]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroWebsiAtIpv6] does not exist
2021:01:16-09:28:35 fw01-stj httpd[21852]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroWebsiAtIpv62] does not exist
2021:01:16-09:28:35 fw01-stj httpd[21852]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroWebsiChIpv4] does not exist
2021:01:16-09:28:35 fw01-stj httpd[21852]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroWebsiChIpv6] does not exist
2021:01:16-09:28:35 fw01-stj httpd[6771]: [mpm_worker:notice] [pid 6771:tid 4148016832] AH00297: SIGUSR1 received.  Doing graceful restart
2021:01:16-09:28:35 fw01-stj httpd[6771]: [remoteip:notice] [pid 6771:tid 4148016832] AH03494: RemoteIPProxyProtocol: disabled on 127.0.0.1:4080
2021:01:16-09:28:35 fw01-stj httpd[6771]: [mpm_worker:notice] [pid 6771:tid 4148016832] AH00292: Apache/2.4.39 (Unix) OpenSSL/1.0.2j-fips configured -- resuming normal operations
2021:01:16-09:28:35 fw01-stj httpd[6771]: [core:notice] [pid 6771:tid 4148016832] AH00094: Command line: '/usr/apache/bin/httpd'
2021:01:16-09:28:35 fw01-stj httpd[6771]: [mpm_worker:warn] [pid 6771:tid 4148016832] AH00291: long lost child came home! (pid 20162)
2021:01:16-09:28:35 fw01-stj httpd: id="0299" srcip="127.0.0.1" localip="127.0.0.1" size="44359" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="947" url="/status" server="localhost:4080" port="80" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="YAKjs2cyZZw4CjUQpDklCwAAAAw"
2021:01:16-09:28:35 fw01-stj httpd[21915]: Restarted

The Certificate renewal does work without any problem as soon as i turn off the IPv6 Virtual Servers.

I do not use the "HTTPS & Redirect" feature of the WAF but the underlying IIS is redirecting HTTP to HTTPS with a URL Rewrite Rule.

As far as i can see there is a redirection in the WAF Logfile (HTTP 301), but shouldn't the ACME-Challange even be captured from the UTM before sending it to the real-server? Is there anything wrong?

Virtual Server-Settings (only 4 of 8 Servers):

Real Server Settings (all Servers):

Thank you,

Michael

PS: For Privacy, the Domain-Names und IP Addresses have been anonymized/changed in the Logfile.



This thread was automatically locked due to age.
  • FormerMember
    0 FormerMember

    Hi ,

    Thank you for reaching out to the Community! 

    Did you configure Country blocking on your firewall? If yes, try to turn it off for a few minutes and try to renew the certificate. 

    Thanks,

  • 0 in reply to FormerMember

    Hi Harsh

    i do not use Country Blocking, it is completly off.

    Regards,

    Michael

  • FormerMember
    0 FormerMember in reply to solae

    Hi ,

    Do you have any DNAT rule for HTTP or HTTPS configured on the external interface of your UTM? If yes, try to turn it off for a few minutes and try to renew the certificate. 

    Thanks,

  • 0 in reply to FormerMember

    Hi Harsh

    Thank you for your question.

    No DNAT Rules for HTTP (80) or HTTPS (443).

    Looking at the WAF Log, as the request to check the ACME-Challange is comming through i think there is something wrong in the UTM which should take that connection and reply with the correct challange instead of passing it through the WAF, isn‘t it?

    Regards,

    Michael

  • 0 in reply to solae

    As soon as i disable the IPv6 virtual Hosts, the regeneration works. Here a snippet of the WAF Logfile:

    2021:01:16-09:33:02 fw01-stj httpd: id="0299" srcip="18.196.96.172" localip="99.43.62.22" size="107" user="-" host="18.196.96.172" method="GET" statuscode="200" reason="-" extra="-" exceptions="SkipBlacklistDNSRBL, SkipBlacklistGeoIP, SkipAntiVirus, SkipTFT, SkipURLHardening, SkipThreatsFilter" time="652" url="/.well-known/acme-challenge/-cXuQcxz3k1Rf3TtTHpfWt04wlSMwuapZ-sXJIAVh7w" server="www.domain1.ch" port="80" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="YAKkvnXH60Rg0ufMt9gCdwAAAB8"
2021:01:16-09:33:02 fw01-stj httpd: id="0299" srcip="3.128.26.105" localip="99.43.62.22" size="107" user="-" host="3.128.26.105" method="GET" statuscode="200" reason="-" extra="-" exceptions="SkipBlacklistDNSRBL, SkipBlacklistGeoIP, SkipAntiVirus, SkipTFT, SkipURLHardening, SkipThreatsFilter" time="265" url="/.well-known/acme-challenge/-cXuQcxz3k1Rf3TtTHpfWt04wlSMwuapZ-sXJIAVh7w" server="www.domain1.ch" port="80" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="YAKkvnXH60Rg0ufMt9gCeAAAACA"
2021:01:16-09:33:02 fw01-stj httpd: id="0299" srcip="34.211.6.84" localip="99.43.62.22" size="107" user="-" host="34.211.6.84" method="GET" statuscode="200" reason="-" extra="-" exceptions="SkipBlacklistDNSRBL, SkipBlacklistGeoIP, SkipAntiVirus, SkipTFT, SkipURLHardening, SkipThreatsFilter" time="310" url="/.well-known/acme-challenge/-cXuQcxz3k1Rf3TtTHpfWt04wlSMwuapZ-sXJIAVh7w" server="www.domain1.ch" port="80" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="YAKkvnXH60Rg0ufMt9gCeQAAACE"
2021:01:16-09:33:02 fw01-stj httpd: id="0299" srcip="64.78.149.164" localip="99.43.62.22" size="107" user="-" host="64.78.149.164" method="GET" statuscode="200" reason="-" extra="-" exceptions="SkipBlacklistDNSRBL, SkipBlacklistGeoIP, SkipAntiVirus, SkipTFT, SkipURLHardening, SkipThreatsFilter" time="283" url="/.well-known/acme-challenge/-cXuQcxz3k1Rf3TtTHpfWt04wlSMwuapZ-sXJIAVh7w" server="www.domain1.ch" port="80" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="YAKkvnXH60Rg0ufMt9gCegAAACI"
2021:01:16-09:33:16 fw01-stj httpd: id="0299" srcip="52.28.236.88" localip="99.43.62.22" size="107" user="-" host="52.28.236.88" method="GET" statuscode="200" reason="-" extra="-" exceptions="SkipBlacklistDNSRBL, SkipBlacklistGeoIP, SkipAntiVirus, SkipTFT, SkipURLHardening, SkipThreatsFilter" time="931" url="/.well-known/acme-challenge/XTMU-461Lv6FKDp_ZuiiYiKpP3eQTsUQCwkdyzAjTxk" server="domain2.ch" port="80" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="YAKkzHXH60Rg0ufMt9gCewAAACM"
2021:01:16-09:33:16 fw01-stj httpd: id="0299" srcip="3.22.70.135" localip="99.43.62.22" size="107" user="-" host="3.22.70.135" method="GET" statuscode="200" reason="-" extra="-" exceptions="SkipBlacklistDNSRBL, SkipBlacklistGeoIP, SkipAntiVirus, SkipTFT, SkipURLHardening, SkipThreatsFilter" time="305" url="/.well-known/acme-challenge/XTMU-461Lv6FKDp_ZuiiYiKpP3eQTsUQCwkdyzAjTxk" server="domain2.ch" port="80" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="YAKkzHXH60Rg0ufMt9gCfAAAACQ"
2021:01:16-09:33:16 fw01-stj httpd: id="0299" srcip="34.209.232.166" localip="99.43.62.22" size="107" user="-" host="34.209.232.166" method="GET" statuscode="200" reason="-" extra="-" exceptions="SkipBlacklistDNSRBL, SkipBlacklistGeoIP, SkipAntiVirus, SkipTFT, SkipURLHardening, SkipThreatsFilter" time="265" url="/.well-known/acme-challenge/XTMU-461Lv6FKDp_ZuiiYiKpP3eQTsUQCwkdyzAjTxk" server="domain2.ch" port="80" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="YAKkzHXH60Rg0ufMt9gCfQAAACU"
2021:01:16-09:33:16 fw01-stj httpd: id="0299" srcip="66.133.109.36" localip="99.43.62.22" size="107" user="-" host="66.133.109.36" method="GET" statuscode="200" reason="-" extra="-" exceptions="SkipBlacklistDNSRBL, SkipBlacklistGeoIP, SkipAntiVirus, SkipTFT, SkipURLHardening, SkipThreatsFilter" time="243" url="/.well-known/acme-challenge/XTMU-461Lv6FKDp_ZuiiYiKpP3eQTsUQCwkdyzAjTxk" server="domain2.ch" port="80" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="YAKkzHXH60Rg0ufMt9gCfgAAACY"

    As visible in the Logs above, the WAF (UTM Webserver?) responds with "HTTP 200".

    With IPv6 activated the underlying IIS (i think) responds with 301, as there is a HTTP to HTTPS redirection enabled. But this redirection is also configured for IPv4 because it's the same real-Server (IIS), so why does the ACME-Challenge work with IPv4 (HTTP 200) but not with IPv6 (HTTP 301 and HTTP 404 after that)?

Unfiltered HTML