[9.705-3] Let's Encrypt renewal fails with IPv6

Hi Sophos Community

I'm hosting some websites behind a virtual Sophos UTM. For SSL I'm using Let's Encrypt certificates on the Sophos UTM.

As I have no native IPv6, I use the Hurricane Electric Tunnelbroker feature to get IPv6 addresses.

Now every time the certificate renewal process tries to renew the certificate there is an error: "[WARN-603] Let's Encrypt certificate renewal failed accessing Let's Encrypt service"

There was a bug when renewing Let's Encrypt certificates while using IPv6: https://community.sophos.com/utm-firewall/f/web-server-security/115242/9-605-1-let-s-encrypt-renewals-fail

But as far as I know this should have been fixed with NUTM-11685: https://community.sophos.com/utm-firewall/b/blog/posts/utm-up2date-9-704-released

Let's Encrypt log file error:

2021:01:16-09:28:02 fw01-stj letsencrypt[20506]: I Renew certificate: handling CSR REF_CaCsrLeWebDomai for domain set [www.domain1.ch,domain1.ch,www.domain2.ch,domain2.ch,www.domain3.ch,domain3.ch,www.domain1.at,domain1.at]
2021:01:16-09:28:02 fw01-stj letsencrypt[20506]: I Renew certificate: running command: /var/storage/chroot-reverseproxy/usr/dehydrated/bin/dehydrated -x -f /var/storage/chroot-reverseproxy/usr/dehydrated/conf/config -c --accept-terms --domain www.domain1.ch --domain domain1.ch --domain www.domain2.ch --domain domain2.ch --domain www.domain3.ch --domain domain3.ch --domain www.domain1.at --domain domain1.at
2021:01:16-09:28:34 fw01-stj letsencrypt[20506]: I Renew certificate: command completed with exit code 256
2021:01:16-09:28:34 fw01-stj letsencrypt[20506]: E Renew certificate: COMMAND_FAILED: ERROR: Challenge is invalid! (returned: invalid) (result: {
2021:01:16-09:28:34 fw01-stj letsencrypt[20506]: E Renew certificate: COMMAND_FAILED:   "type": "http-01",
2021:01:16-09:28:34 fw01-stj letsencrypt[20506]: E Renew certificate: COMMAND_FAILED:   "status": "invalid",
2021:01:16-09:28:34 fw01-stj letsencrypt[20506]: E Renew certificate: COMMAND_FAILED:   "error": {
2021:01:16-09:28:34 fw01-stj letsencrypt[20506]: E Renew certificate: COMMAND_FAILED:     "type": "urn:ietf:params:acme:error:unauthorized",
2021:01:16-09:28:34 fw01-stj letsencrypt[20506]: E Renew certificate: COMMAND_FAILED:     "detail": "Invalid response from https://domain2.ch/.well-known/acme-challenge/SyFc3DOx80zLFl62H_wbpUPSAl75jaP0QknpiIjArP0 [2001:231:12:1f2::2]: \"\u003c!DOCTYPE html PUBLIC \\\"-//W3C//DTD XHTML 1.0 Strict//EN\\\" \\\"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\\\"\u003e\\r\\n\u003chtml xmlns=\\\"http\"",
2021:01:16-09:28:34 fw01-stj letsencrypt[20506]: E Renew certificate: COMMAND_FAILED:     "status": 403
2021:01:16-09:28:34 fw01-stj letsencrypt[20506]: E Renew certificate: COMMAND_FAILED:   },
2021:01:16-09:28:34 fw01-stj letsencrypt[20506]: E Renew certificate: COMMAND_FAILED:   "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/10113343291/KexPkw",
2021:01:16-09:28:34 fw01-stj letsencrypt[20506]: E Renew certificate: COMMAND_FAILED:   "token": "SyFc3DOx80zLFl62H_wbpUPSAl75jaP0QknpiIjArP0",
2021:01:16-09:28:34 fw01-stj letsencrypt[20506]: E Renew certificate: COMMAND_FAILED:   "validationRecord": [
2021:01:16-09:28:34 fw01-stj letsencrypt[20506]: E Renew certificate: COMMAND_FAILED:     {
2021:01:16-09:28:34 fw01-stj letsencrypt[20506]: E Renew certificate: COMMAND_FAILED:       "url": "http://domain2.ch/.well-known/acme-challenge/SyFc3DOx80zLFl62H_wbpUPSAl75jaP0QknpiIjArP0",
2021:01:16-09:28:34 fw01-stj letsencrypt[20506]: E Renew certificate: COMMAND_FAILED:       "hostname": "domain2.ch",
2021:01:16-09:28:34 fw01-stj letsencrypt[20506]: E Renew certificate: COMMAND_FAILED:       "port": "80",
2021:01:16-09:28:34 fw01-stj letsencrypt[20506]: E Renew certificate: COMMAND_FAILED:       "addressesResolved": [
2021:01:16-09:28:34 fw01-stj letsencrypt[20506]: E Renew certificate: COMMAND_FAILED:         "99.43.62.22",
2021:01:16-09:28:34 fw01-stj letsencrypt[20506]: E Renew certificate: COMMAND_FAILED:         "2001:231:12:1f2::2"
2021:01:16-09:28:34 fw01-stj letsencrypt[20506]: E Renew certificate: COMMAND_FAILED:       ],
2021:01:16-09:28:34 fw01-stj letsencrypt[20506]: E Renew certificate: COMMAND_FAILED:       "addressUsed": "2001:231:12:1f2::2"
2021:01:16-09:28:34 fw01-stj letsencrypt[20506]: E Renew certificate: COMMAND_FAILED:     },
2021:01:16-09:28:34 fw01-stj letsencrypt[20506]: E Renew certificate: COMMAND_FAILED:     {
2021:01:16-09:28:34 fw01-stj letsencrypt[20506]: E Renew certificate: COMMAND_FAILED:       "url": "https://domain2.ch/.well-known/acme-challenge/SyFc3DOx80zLFl62H_wbpUPSAl75jaP0QknpiIjArP0",
2021:01:16-09:28:34 fw01-stj letsencrypt[20506]: E Renew certificate: COMMAND_FAILED:       "hostname": "domain2.ch",
2021:01:16-09:28:34 fw01-stj letsencrypt[20506]: E Renew certificate: COMMAND_FAILED:       "port": "443",
2021:01:16-09:28:34 fw01-stj letsencrypt[20506]: E Renew certificate: COMMAND_FAILED:       "addressesResolved": [
2021:01:16-09:28:34 fw01-stj letsencrypt[20506]: E Renew certificate: COMMAND_FAILED:         "99.43.62.22",
2021:01:16-09:28:34 fw01-stj letsencrypt[20506]: E Renew certificate: COMMAND_FAILED:         "2001:231:12:1f2::2"
2021:01:16-09:28:34 fw01-stj letsencrypt[20506]: E Renew certificate: COMMAND_FAILED:       ],
2021:01:16-09:28:34 fw01-stj letsencrypt[20506]: E Renew certificate: COMMAND_FAILED:       "addressUsed": "2001:231:12:1f2::2"
2021:01:16-09:28:34 fw01-stj letsencrypt[20506]: E Renew certificate: COMMAND_FAILED:     }
2021:01:16-09:28:34 fw01-stj letsencrypt[20506]: E Renew certificate: COMMAND_FAILED:   ]
2021:01:16-09:28:34 fw01-stj letsencrypt[20506]: E Renew certificate: COMMAND_FAILED: })
2021:01:16-09:28:34 fw01-stj letsencrypt[20506]: I Renew certificate: sending notification WARN-603
2021:01:16-09:28:34 fw01-stj letsencrypt[20506]: [WARN-603] Let's Encrypt certificate renewal failed accessing Let's Encrypt service
2021:01:16-09:28:34 fw01-stj letsencrypt[20506]: I Renew certificate: execution completed (CSRs renewed: 0, failed: 1)

WAF log file error:

2021:01:16-09:28:25 fw01-stj httpd: id="0299" srcip="2a05:d014:3ad:700:b22c:ca2c:7496:bfa" localip="2001:231:12:1f2::2" size="190" user="-" host="2a05:d014:3ad:700:b22c:ca2c:7496:bfa" method="GET" statuscode="301" reason="-" extra="-" exceptions="-" time="3591" url="/.well-known/acme-challenge/SyFc3DOx80zLFl62H_wbpUPSAl75jaP0QknpiIjArP0" server="domain3.ch" port="80" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="YAKjqR9bIFeVJHSGkmDy7AAAAAA"
2021:01:16-09:28:25 fw01-stj httpd: id="0299" srcip="2600:1f14:804:fd01:fe4e:58be:b99:bad8" localip="2001:231:12:1f2::2" size="190" user="-" host="2600:1f14:804:fd01:fe4e:58be:b99:bad8" method="GET" statuscode="301" reason="-" extra="-" exceptions="-" time="1847" url="/.well-known/acme-challenge/SyFc3DOx80zLFl62H_wbpUPSAl75jaP0QknpiIjArP0" server="domain3.ch" port="80" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="YAKjqR9bIFeVJHSGkmDy7QAAAAM"
2021:01:16-09:28:25 fw01-stj httpd: id="0299" srcip="2a05:d014:3ad:700:b22c:ca2c:7496:bfa" localip="2001:231:12:1f2::2" size="675" user="-" host="2a05:d014:3ad:700:b22c:ca2c:7496:bfa" method="GET" statuscode="404" reason="-" extra="-" exceptions="-" time="8397" url="/.well-known/acme-challenge/SyFc3DOx80zLFl62H_wbpUPSAl75jaP0QknpiIjArP0" server="domain3.ch" port="443" query="" referer="http://domain3.ch/.well-known/acme-challenge/SyFc3DOx80zLFl62H_wbpUPSAl75jaP0QknpiIjArP0" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="YAKjqR9bIFeVJHSGkmDy7gAAAAI"
2021:01:16-09:28:26 fw01-stj httpd: id="0299" srcip="2600:1f16:269:da01:367:cea2:153a:d5c8" localip="2001:231:12:1f2::2" size="190" user="-" host="2600:1f16:269:da01:367:cea2:153a:d5c8" method="GET" statuscode="301" reason="-" extra="-" exceptions="-" time="1234" url="/.well-known/acme-challenge/SyFc3DOx80zLFl62H_wbpUPSAl75jaP0QknpiIjArP0" server="domain3.ch" port="80" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="YAKjqh9bIFeVJHSGkmDy7wAAAAQ"
2021:01:16-09:28:26 fw01-stj httpd: id="0299" srcip="2600:1f16:269:da01:367:cea2:153a:d5c8" localip="2001:231:12:1f2::2" size="675" user="-" host="2600:1f16:269:da01:367:cea2:153a:d5c8" method="GET" statuscode="404" reason="-" extra="-" exceptions="-" time="11340" url="/.well-known/acme-challenge/SyFc3DOx80zLFl62H_wbpUPSAl75jaP0QknpiIjArP0" server="domain3.ch" port="443" query="" referer="http://domain3.ch/.well-known/acme-challenge/SyFc3DOx80zLFl62H_wbpUPSAl75jaP0QknpiIjArP0" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="YAKjqh9bIFeVJHSGkmDy8AAAAAY"
2021:01:16-09:28:26 fw01-stj httpd: id="0299" srcip="2600:1f14:804:fd01:fe4e:58be:b99:bad8" localip="2001:231:12:1f2::2" size="675" user="-" host="2600:1f14:804:fd01:fe4e:58be:b99:bad8" method="GET" statuscode="404" reason="-" extra="-" exceptions="-" time="9879" url="/.well-known/acme-challenge/SyFc3DOx80zLFl62H_wbpUPSAl75jaP0QknpiIjArP0" server="domain3.ch" port="443" query="" referer="http://domain3.ch/.well-known/acme-challenge/SyFc3DOx80zLFl62H_wbpUPSAl75jaP0QknpiIjArP0" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="YAKjqh9bIFeVJHSGkmDy8QAAAAU"
2021:01:16-09:28:33 fw01-stj httpd: id="0299" srcip="2600:3000:2710:200::1f" localip="2001:231:12:1f2::2" size="190" user="-" host="2600:3000:2710:200::1f" method="GET" statuscode="301" reason="-" extra="-" exceptions="-" time="1294" url="/.well-known/acme-challenge/SyFc3DOx80zLFl62H_wbpUPSAl75jaP0QknpiIjArP0" server="domain3.ch" port="80" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="YAKjsR9bIFeVJHSGkmDy9AAAAAk"
2021:01:16-09:28:34 fw01-stj httpd: id="0299" srcip="2600:3000:2710:200::1f" localip="2001:231:12:1f2::2" size="675" user="-" host="2600:3000:2710:200::1f" method="GET" statuscode="404" reason="-" extra="-" exceptions="-" time="8348" url="/.well-known/acme-challenge/SyFc3DOx80zLFl62H_wbpUPSAl75jaP0QknpiIjArP0" server="domain3.ch" port="443" query="" referer="http://domain3.ch/.well-known/acme-challenge/SyFc3DOx80zLFl62H_wbpUPSAl75jaP0QknpiIjArP0" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="YAKjsh9bIFeVJHSGkmDy9QAAAAo"
2021:01:16-09:28:34 fw01-stj httpd[21816]: Restarting gracefully
2021:01:16-09:28:35 fw01-stj httpd[21822]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroAp01gos] does not exist
2021:01:16-09:28:35 fw01-stj httpd[21822]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroBackup01st] does not exist
2021:01:16-09:28:35 fw01-stj httpd[21822]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroFibarHc2Https] does not exist
2021:01:16-09:28:35 fw01-stj httpd[21822]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFrodomainWebsi] does not exist
2021:01:16-09:28:35 fw01-stj httpd[21822]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFrodomainWebsiIpv6] does not exist
2021:01:16-09:28:35 fw01-stj httpd[21822]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroTransfer] does not exist
2021:01:16-09:28:35 fw01-stj httpd[21822]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroUnifiContr] does not exist
2021:01:16-09:28:35 fw01-stj httpd[21822]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroWebsiAtIpv4] does not exist
2021:01:16-09:28:35 fw01-stj httpd[21822]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroWebsiAtIpv42] does not exist
2021:01:16-09:28:35 fw01-stj httpd[21822]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroWebsiAtIpv6] does not exist
2021:01:16-09:28:35 fw01-stj httpd[21822]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroWebsiAtIpv62] does not exist
2021:01:16-09:28:35 fw01-stj httpd[21822]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroWebsiChIpv4] does not exist
2021:01:16-09:28:35 fw01-stj httpd[21822]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroWebsiChIpv6] does not exist
2021:01:16-09:28:35 fw01-stj httpd[21822]: Syntax OK
2021:01:16-09:28:35 fw01-stj httpd: id="0299" srcip="127.0.0.1" localip="127.0.0.1" size="44495" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="1064" url="/status" server="localhost:4080" port="80" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="YAKjsx9bIFeVJHSGkmDy@AAAAA0"
2021:01:16-09:28:35 fw01-stj httpd[21852]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroAp01gos] does not exist
2021:01:16-09:28:35 fw01-stj httpd[21852]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroBackup01st] does not exist
2021:01:16-09:28:35 fw01-stj httpd[21852]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroFibarHc2Https] does not exist
2021:01:16-09:28:35 fw01-stj httpd[21852]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFrodimainWebsi] does not exist
2021:01:16-09:28:35 fw01-stj httpd[21852]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFrodomainWebsiIpv6] does not exist
2021:01:16-09:28:35 fw01-stj httpd[21852]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroTransfer] does not exist
2021:01:16-09:28:35 fw01-stj httpd[21852]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroUnifiContr] does not exist
2021:01:16-09:28:35 fw01-stj httpd[21852]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroWebsiAtIpv4] does not exist
2021:01:16-09:28:35 fw01-stj httpd[21852]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroWebsiAtIpv42] does not exist
2021:01:16-09:28:35 fw01-stj httpd[21852]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroWebsiAtIpv6] does not exist
2021:01:16-09:28:35 fw01-stj httpd[21852]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroWebsiAtIpv62] does not exist
2021:01:16-09:28:35 fw01-stj httpd[21852]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroWebsiChIpv4] does not exist
2021:01:16-09:28:35 fw01-stj httpd[21852]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroWebsiChIpv6] does not exist
2021:01:16-09:28:35 fw01-stj httpd[6771]: [mpm_worker:notice] [pid 6771:tid 4148016832] AH00297: SIGUSR1 received.  Doing graceful restart
2021:01:16-09:28:35 fw01-stj httpd[6771]: [remoteip:notice] [pid 6771:tid 4148016832] AH03494: RemoteIPProxyProtocol: disabled on 127.0.0.1:4080
2021:01:16-09:28:35 fw01-stj httpd[6771]: [mpm_worker:notice] [pid 6771:tid 4148016832] AH00292: Apache/2.4.39 (Unix) OpenSSL/1.0.2j-fips configured -- resuming normal operations
2021:01:16-09:28:35 fw01-stj httpd[6771]: [core:notice] [pid 6771:tid 4148016832] AH00094: Command line: '/usr/apache/bin/httpd'
2021:01:16-09:28:35 fw01-stj httpd[6771]: [mpm_worker:warn] [pid 6771:tid 4148016832] AH00291: long lost child came home! (pid 20162)
2021:01:16-09:28:35 fw01-stj httpd: id="0299" srcip="127.0.0.1" localip="127.0.0.1" size="44359" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="947" url="/status" server="localhost:4080" port="80" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="YAKjs2cyZZw4CjUQpDklCwAAAAw"
2021:01:16-09:28:35 fw01-stj httpd[21915]: Restarted

The certificate renewal works without any problem as soon as I turn off the IPv6 virtual servers.

I do not use the "HTTPS & Redirect" feature of the WAF, but the underlying IIS redirects HTTP to HTTPS with a URL Rewrite rule.

As far as I can see there is a redirection in the WAF log file (HTTP 301), but shouldn't the ACME challenge be captured by the UTM before it is sent to the real server? Is there anything wrong?

Virtual server settings (only 4 of 8 servers):

Real server settings (all servers):

Thank you,

Michael

PS: For privacy, the domain names and IP addresses have been anonymized/changed in the log file.
[edited by: solae at 9:29 AM (GMT -8) on 16 Jan 2021]
  • Hi,

    Thank you for reaching out to the Community! 

    Did you configure Country blocking on your firewall? If yes, try to turn it off for a few minutes and try to renew the certificate. 

    Thanks,

    Harsh Patel (H_Patel)

    Community Support Engineer | Sophos Technical Support

  • Hi Harsh

    I do not use country blocking; it is completely off.

    Regards,

    Michael

  • Hi,

    Do you have any DNAT rule for HTTP or HTTPS configured on the external interface of your UTM? If yes, try to turn it off for a few minutes and try to renew the certificate. 

    Thanks,

    Harsh Patel (H_Patel)

    Community Support Engineer | Sophos Technical Support

  • Hi Harsh

    Thank you for your question.

    No DNAT rules for HTTP (80) or HTTPS (443).

    Looking at the WAF log, as the request to check the ACME challenge is coming through, I think there is something wrong in the UTM, which should take that connection and reply with the correct challenge instead of passing it through the WAF, shouldn't it?

    Regards,

    Michael

  • As soon as I disable the IPv6 virtual hosts, the regeneration works. Here is a snippet of the WAF log file:

    2021:01:16-09:33:02 fw01-stj httpd: id="0299" srcip="18.196.96.172" localip="99.43.62.22" size="107" user="-" host="18.196.96.172" method="GET" statuscode="200" reason="-" extra="-" exceptions="SkipBlacklistDNSRBL, SkipBlacklistGeoIP, SkipAntiVirus, SkipTFT, SkipURLHardening, SkipThreatsFilter" time="652" url="/.well-known/acme-challenge/-cXuQcxz3k1Rf3TtTHpfWt04wlSMwuapZ-sXJIAVh7w" server="www.domain1.ch" port="80" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="YAKkvnXH60Rg0ufMt9gCdwAAAB8"
    2021:01:16-09:33:02 fw01-stj httpd: id="0299" srcip="3.128.26.105" localip="99.43.62.22" size="107" user="-" host="3.128.26.105" method="GET" statuscode="200" reason="-" extra="-" exceptions="SkipBlacklistDNSRBL, SkipBlacklistGeoIP, SkipAntiVirus, SkipTFT, SkipURLHardening, SkipThreatsFilter" time="265" url="/.well-known/acme-challenge/-cXuQcxz3k1Rf3TtTHpfWt04wlSMwuapZ-sXJIAVh7w" server="www.domain1.ch" port="80" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="YAKkvnXH60Rg0ufMt9gCeAAAACA"
    2021:01:16-09:33:02 fw01-stj httpd: id="0299" srcip="34.211.6.84" localip="99.43.62.22" size="107" user="-" host="34.211.6.84" method="GET" statuscode="200" reason="-" extra="-" exceptions="SkipBlacklistDNSRBL, SkipBlacklistGeoIP, SkipAntiVirus, SkipTFT, SkipURLHardening, SkipThreatsFilter" time="310" url="/.well-known/acme-challenge/-cXuQcxz3k1Rf3TtTHpfWt04wlSMwuapZ-sXJIAVh7w" server="www.domain1.ch" port="80" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="YAKkvnXH60Rg0ufMt9gCeQAAACE"
    2021:01:16-09:33:02 fw01-stj httpd: id="0299" srcip="64.78.149.164" localip="99.43.62.22" size="107" user="-" host="64.78.149.164" method="GET" statuscode="200" reason="-" extra="-" exceptions="SkipBlacklistDNSRBL, SkipBlacklistGeoIP, SkipAntiVirus, SkipTFT, SkipURLHardening, SkipThreatsFilter" time="283" url="/.well-known/acme-challenge/-cXuQcxz3k1Rf3TtTHpfWt04wlSMwuapZ-sXJIAVh7w" server="www.domain1.ch" port="80" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="YAKkvnXH60Rg0ufMt9gCegAAACI"
    2021:01:16-09:33:16 fw01-stj httpd: id="0299" srcip="52.28.236.88" localip="99.43.62.22" size="107" user="-" host="52.28.236.88" method="GET" statuscode="200" reason="-" extra="-" exceptions="SkipBlacklistDNSRBL, SkipBlacklistGeoIP, SkipAntiVirus, SkipTFT, SkipURLHardening, SkipThreatsFilter" time="931" url="/.well-known/acme-challenge/XTMU-461Lv6FKDp_ZuiiYiKpP3eQTsUQCwkdyzAjTxk" server="domain2.ch" port="80" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="YAKkzHXH60Rg0ufMt9gCewAAACM"
    2021:01:16-09:33:16 fw01-stj httpd: id="0299" srcip="3.22.70.135" localip="99.43.62.22" size="107" user="-" host="3.22.70.135" method="GET" statuscode="200" reason="-" extra="-" exceptions="SkipBlacklistDNSRBL, SkipBlacklistGeoIP, SkipAntiVirus, SkipTFT, SkipURLHardening, SkipThreatsFilter" time="305" url="/.well-known/acme-challenge/XTMU-461Lv6FKDp_ZuiiYiKpP3eQTsUQCwkdyzAjTxk" server="domain2.ch" port="80" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="YAKkzHXH60Rg0ufMt9gCfAAAACQ"
    2021:01:16-09:33:16 fw01-stj httpd: id="0299" srcip="34.209.232.166" localip="99.43.62.22" size="107" user="-" host="34.209.232.166" method="GET" statuscode="200" reason="-" extra="-" exceptions="SkipBlacklistDNSRBL, SkipBlacklistGeoIP, SkipAntiVirus, SkipTFT, SkipURLHardening, SkipThreatsFilter" time="265" url="/.well-known/acme-challenge/XTMU-461Lv6FKDp_ZuiiYiKpP3eQTsUQCwkdyzAjTxk" server="domain2.ch" port="80" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="YAKkzHXH60Rg0ufMt9gCfQAAACU"
    2021:01:16-09:33:16 fw01-stj httpd: id="0299" srcip="66.133.109.36" localip="99.43.62.22" size="107" user="-" host="66.133.109.36" method="GET" statuscode="200" reason="-" extra="-" exceptions="SkipBlacklistDNSRBL, SkipBlacklistGeoIP, SkipAntiVirus, SkipTFT, SkipURLHardening, SkipThreatsFilter" time="243" url="/.well-known/acme-challenge/XTMU-461Lv6FKDp_ZuiiYiKpP3eQTsUQCwkdyzAjTxk" server="domain2.ch" port="80" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="YAKkzHXH60Rg0ufMt9gCfgAAACY"

    As visible in the logs above, the WAF (UTM web server?) responds with "HTTP 200".

    With IPv6 activated the underlying IIS (I think) responds with 301, as there is an HTTP to HTTPS redirection enabled. But this redirection is also configured for IPv4 because it's the same real server (IIS), so why does the ACME challenge work with IPv4 (HTTP 200) but not with IPv6 (HTTP 301 and HTTP 404 after that)?

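The comparison drawn in the thread (200 answered on port 80 over IPv4, 301 on port 80 then 404 on port 443 over IPv6) can be checked mechanically. The script below is an added example, not part of this thread or of Sophos UTM: it parses the UTM WAF `key="value"` log format quoted above, picks out requests for `/.well-known/acme-challenge/` tokens and reports, per virtual server and address family, whether the challenge was answered directly on port 80 (the pattern the working IPv4 renewal shows) or redirected onward to the real server. The sample lines are constructed, with documentation-range addresses and placeholder tokens.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample, modelled on the UTM WAF (httpd) log format quoted in the
# thread: documentation-range addresses, placeholder tokens, trailing fields trimmed.
SAMPLE_LOG = """\
2021:01:16-09:28:25 fw01-stj httpd: id="0299" srcip="2001:db8:1::10" localip="2001:db8:ffff::2" size="190" user="-" host="2001:db8:1::10" method="GET" statuscode="301" reason="-" extra="-" exceptions="-" time="3591" url="/.well-known/acme-challenge/TOKEN_A" server="domain3.ch" port="80" query="" referer="-"
2021:01:16-09:28:25 fw01-stj httpd: id="0299" srcip="2001:db8:1::10" localip="2001:db8:ffff::2" size="675" user="-" host="2001:db8:1::10" method="GET" statuscode="404" reason="-" extra="-" exceptions="-" time="8397" url="/.well-known/acme-challenge/TOKEN_A" server="domain3.ch" port="443" query="" referer="http://domain3.ch/.well-known/acme-challenge/TOKEN_A"
2021:01:16-09:28:34 fw01-stj httpd[21816]: Restarting gracefully
2021:01:16-09:28:35 fw01-stj httpd: id="0299" srcip="127.0.0.1" localip="127.0.0.1" size="44495" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="1064" url="/status" server="localhost:4080" port="80" query="" referer="-"
2021:01:16-09:33:02 fw01-stj httpd: id="0299" srcip="198.51.100.7" localip="192.0.2.22" size="107" user="-" host="198.51.100.7" method="GET" statuscode="200" reason="-" extra="-" exceptions="SkipBlacklistDNSRBL, SkipBlacklistGeoIP, SkipAntiVirus" time="652" url="/.well-known/acme-challenge/TOKEN_B" server="www.domain1.ch" port="80" query="" referer="-"
"""

ACME_PREFIX = "/.well-known/acme-challenge/"
# key="value" pairs; keys may contain '-' or '_' (set-cookie, websocket_key)
KV_RE = re.compile(r'([A-Za-z_-]+)="([^"]*)"')


def parse_waf_line(line):
    """Return the key/value fields of one UTM WAF access-log line, or None for
    httpd lifecycle lines (restart notices, DocumentRoot warnings)."""
    if " httpd: " not in line:
        return None
    fields = dict(KV_RE.findall(line))
    return fields if "url" in fields and "statuscode" in fields else None


def acme_requests(log_text):
    """Extract every request for an ACME http-01 challenge file."""
    reqs = []
    for line in log_text.splitlines():
        f = parse_waf_line(line)
        if not f or not f["url"].startswith(ACME_PREFIX):
            continue
        # localip tells us which virtual server address (v4 or v6) took the hit
        family = "IPv%d" % ipaddress.ip_address(f["localip"]).version
        reqs.append({
            "token": f["url"][len(ACME_PREFIX):],
            "vhost": f["server"],
            "family": family,
            "port": f["port"],
            "status": int(f["statuscode"]),
            # a referer pointing at the same token means we are seeing the
            # follow-up request after a redirect, not the first validation hit
            "redirected": f.get("referer", "-").startswith("http"),
        })
    return reqs


def assess(log_text):
    """Group challenge requests by (virtual server, address family).
    'served_by_waf' is the working pattern from the thread: every request got
    a 200 on port 80. 'passed_through' flags a 3xx or a redirect follow-up,
    i.e. the real server's HTTP-to-HTTPS rewrite answered instead."""
    groups = defaultdict(list)
    for r in acme_requests(log_text):
        groups[(r["vhost"], r["family"])].append(r)
    verdicts = {}
    for key, reqs in groups.items():
        chain = sorted({(r["port"], r["status"]) for r in reqs})
        served = all(r["port"] == "80" and r["status"] == 200 for r in reqs)
        passed = any(r["status"] in (301, 302) or r["redirected"] for r in reqs)
        verdicts[key] = {
            "served_by_waf": served,
            "passed_through": passed,
            "chain": chain,
            "tokens": sorted({r["token"] for r in reqs}),
        }
    return verdicts


def report(verdicts):
    """One line per (vhost, family) so the v4/v6 difference is visible at a glance."""
    lines = []
    for (vhost, family), v in sorted(verdicts.items()):
        state = ("OK: challenge answered on port 80" if v["served_by_waf"]
                 else "FAIL: challenge redirected to real server")
        lines.append("%-16s %-4s %-28s %s" % (vhost, family, v["chain"], state))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(assess(SAMPLE_LOG)))
```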