
Creating/renewing Let's Encrypt certificates fails with SNAT/DNAT enabled.

So, I have a bunch of web servers on my DMZ that are NATted externally with static IPs on my UTM using the classic DNAT/SNAT rules. It all works well except when I generate a new Let's Encrypt certificate or try to renew an existing one (either manually or by letting the UTM do its automatic bit). The only way out that I have managed so far is to manually disable the DNAT/SNAT rules, force a manual renewal (which works) and then re-enable DNAT/SNAT until next time. Has anyone gone through a similar issue? What am I doing wrong/not doing? (No, I do not use country blocking, and yes, ports 80 and 443 are open in the firewall rules.) Below is a sample of the log; I'd appreciate any advice.

2021:02:04-16:59:02 spot letsencrypt[17115]: I Renew certificate: handling CSR REF_CaCsrCloudLetsEncry for domain set [cloud.wolf-net.net]
2021:02:04-16:59:02 spot letsencrypt[17115]: I Renew certificate: running command: /var/storage/chroot-reverseproxy/usr/dehydrated/bin/dehydrated -x -f /var/storage/chroot-reverseproxy/usr/dehydrated/conf/config -c --accept-terms --domain cloud.wolf-net.net
2021:02:04-16:59:19 spot letsencrypt[17115]: I Renew certificate: command completed with exit code 256
2021:02:04-16:59:19 spot letsencrypt[17115]: E Renew certificate: COMMAND_FAILED: ERROR: Challenge is invalid! (returned: invalid) (result: {
2021:02:04-16:59:19 spot letsencrypt[17115]: E Renew certificate: COMMAND_FAILED: "type": "http-01",
2021:02:04-16:59:19 spot letsencrypt[17115]: E Renew certificate: COMMAND_FAILED: "status": "invalid",
2021:02:04-16:59:19 spot letsencrypt[17115]: E Renew certificate: COMMAND_FAILED: "error": {
2021:02:04-16:59:19 spot letsencrypt[17115]: E Renew certificate: COMMAND_FAILED: "type": "urn:ietf:params:acme:error:unauthorized",
2021:02:04-16:59:19 spot letsencrypt[17115]: E Renew certificate: COMMAND_FAILED: "detail": "Invalid response from cloud.wolf-net.net/.../cX6EwyD4dC1c_C3DzEtIvToUsHDJ-DxoCyztLCdPRwQ [72.68.34.119]: \"\u003c!DOCTYPE HTML PUBLIC \\\"-//IETF//DTD HTML 2.0//EN\\\"\u003e\\n\u003chtml\u003e\u003chead\u003e\\n\u003ctitle\u003e404 Not Found\u003c/title\u003e\\n\u003c/head\u003e\u003cbody\u003e\\n\u003ch1\u003eNot Found\u003c/h1\u003e\\n\u003cp\"",
2021:02:04-16:59:19 spot letsencrypt[17115]: E Renew certificate: COMMAND_FAILED: "status": 403
2021:02:04-16:59:19 spot letsencrypt[17115]: E Renew certificate: COMMAND_FAILED: },
2021:02:04-16:59:19 spot letsencrypt[17115]: E Renew certificate: COMMAND_FAILED: "url": "acme-v02.api.letsencrypt.org/.../vlRIpQ",
2021:02:04-16:59:19 spot letsencrypt[17115]: E Renew certificate: COMMAND_FAILED: "token": "cX6EwyD4dC1c_C3DzEtIvToUsHDJ-DxoCyztLCdPRwQ",
2021:02:04-16:59:19 spot letsencrypt[17115]: E Renew certificate: COMMAND_FAILED: "validationRecord": [
2021:02:04-16:59:19 spot letsencrypt[17115]: E Renew certificate: COMMAND_FAILED: {
2021:02:04-16:59:19 spot letsencrypt[17115]: E Renew certificate: COMMAND_FAILED: "url": "cloud.wolf-net.net/.../cX6EwyD4dC1c_C3DzEtIvToUsHDJ-DxoCyztLCdPRwQ",
2021:02:04-16:59:19 spot letsencrypt[17115]: E Renew certificate: COMMAND_FAILED: "hostname": "cloud.wolf-net.net",
2021:02:04-16:59:19 spot letsencrypt[17115]: E Renew certificate: COMMAND_FAILED: "port": "80",
2021:02:04-16:59:19 spot letsencrypt[17115]: E Renew certificate: COMMAND_FAILED: "addressesResolved": [
2021:02:04-16:59:19 spot letsencrypt[17115]: E Renew certificate: COMMAND_FAILED: "72.68.34.119"
2021:02:04-16:59:19 spot letsencrypt[17115]: E Renew certificate: COMMAND_FAILED: ],
2021:02:04-16:59:19 spot letsencrypt[17115]: E Renew certificate: COMMAND_FAILED: "addressUsed": "72.68.34.119"
2021:02:04-16:59:19 spot letsencrypt[17115]: E Renew certificate: COMMAND_FAILED: }
2021:02:04-16:59:19 spot letsencrypt[17115]: E Renew certificate: COMMAND_FAILED: ]
2021:02:04-16:59:19 spot letsencrypt[17115]: E Renew certificate: COMMAND_FAILED: })
2021:02:04-16:59:20 spot letsencrypt[17115]: I Renew certificate: sending notification WARN-603
2021:02:04-16:59:20 spot letsencrypt[17115]: [WARN-603] Let's Encrypt certificate renewal failed accessing Let's Encrypt service
2021:02:04-16:59:20 spot letsencrypt[17115]: I Renew certificate: execution completed (CSRs renewed: 0, failed: 1)


  • You're not doing anything wrong... That's by design.

    DNAT takes precedence over the WAF (the WAF is used for the LE certificate exchange).

    Compare the packet flow in Bob's RULZ: community.sophos.com/.../rulz
    If a packet is routed by NAT, the WAF doesn't "see" the packet anymore.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Thanks, and that makes the Let's Encrypt certificate renewal option on the web application firewall quite a useless implementation...

  • No. If you use the WAF on Sophos, this is the perfect solution.

    Because the WAF is more secure than DNAT, we move the web servers from DNAT to the WAF.

    If you (or we) wish to mix DNAT of ports 80/443 and the WAF, you need a second external IP.

    For which services do you need the certificates ... if not the WAF?

    LE uses only port 80 for the handshake ... so NATing port 443 should be possible.


    Dirk

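The mechanism described in both of Dirk's replies (a DNAT rule is applied before the WAF gets the packet, so the http-01 request on port 80 lands on the DMZ web server, which answers 404, and the challenge only needs port 80 to reach the WAF), as an added Python example that is not part of the thread, the Sophos UTM or dehydrated. It reassembles the challenge JSON from a constructed log excerpt in the UTM's own line format (the hostname `cloud.example.net`, address `192.0.2.10` and token `TOKEN123` are placeholders, not values from the thread), classifies the failure, and models the rule ordering with an assumed `DnatRule` shape that is not UTM configuration syntax.

```python
"""
Added example, not code from the Sophos thread, the UTM or dehydrated.

Two things a practitioner wants when this renewal fails:
  1. pull the failed http-01 challenge out of the UTM letsencrypt log and say
     which address answered and what it returned;
  2. model the ordering the reply describes (DNAT applied before the WAF) to
     see which inbound port must stay un-NATed for the challenge to reach the
     WAF that holds the token.
"""
import json
import re
from dataclasses import dataclass

# Constructed log excerpt patterned on the thread's output. Hostname, IP, URL
# and token are placeholders and the JSON is shortened; the real log spreads
# the same JSON over many "COMMAND_FAILED:" lines exactly like this.
SAMPLE_LOG = r"""2021:02:04-16:59:19 spot letsencrypt[17115]: E Renew certificate: COMMAND_FAILED: ERROR: Challenge is invalid! (returned: invalid) (result: {
2021:02:04-16:59:19 spot letsencrypt[17115]: E Renew certificate: COMMAND_FAILED: "type": "http-01",
2021:02:04-16:59:19 spot letsencrypt[17115]: E Renew certificate: COMMAND_FAILED: "status": "invalid",
2021:02:04-16:59:19 spot letsencrypt[17115]: E Renew certificate: COMMAND_FAILED: "error": {
2021:02:04-16:59:19 spot letsencrypt[17115]: E Renew certificate: COMMAND_FAILED: "type": "urn:ietf:params:acme:error:unauthorized",
2021:02:04-16:59:19 spot letsencrypt[17115]: E Renew certificate: COMMAND_FAILED: "detail": "Invalid response from http://cloud.example.net/.well-known/acme-challenge/TOKEN123 [192.0.2.10]: \"\u003c!DOCTYPE HTML PUBLIC \\\"-//IETF//DTD HTML 2.0//EN\\\"\u003e\\n\u003chtml\u003e\u003chead\u003e\\n\u003ctitle\u003e404 Not Found\u003c/title\u003e\"",
2021:02:04-16:59:19 spot letsencrypt[17115]: E Renew certificate: COMMAND_FAILED: "status": 403
2021:02:04-16:59:19 spot letsencrypt[17115]: E Renew certificate: COMMAND_FAILED: },
2021:02:04-16:59:19 spot letsencrypt[17115]: E Renew certificate: COMMAND_FAILED: "token": "TOKEN123",
2021:02:04-16:59:19 spot letsencrypt[17115]: E Renew certificate: COMMAND_FAILED: "validationRecord": [
2021:02:04-16:59:19 spot letsencrypt[17115]: E Renew certificate: COMMAND_FAILED: {
2021:02:04-16:59:19 spot letsencrypt[17115]: E Renew certificate: COMMAND_FAILED: "hostname": "cloud.example.net",
2021:02:04-16:59:19 spot letsencrypt[17115]: E Renew certificate: COMMAND_FAILED: "port": "80",
2021:02:04-16:59:19 spot letsencrypt[17115]: E Renew certificate: COMMAND_FAILED: "addressUsed": "192.0.2.10"
2021:02:04-16:59:19 spot letsencrypt[17115]: E Renew certificate: COMMAND_FAILED: }
2021:02:04-16:59:19 spot letsencrypt[17115]: E Renew certificate: COMMAND_FAILED: ]
2021:02:04-16:59:19 spot letsencrypt[17115]: E Renew certificate: COMMAND_FAILED: })
"""

LOG_PREFIX = re.compile(
    r"^\S+ \S+ letsencrypt\[\d+\]: E Renew certificate: COMMAND_FAILED: (.*)$"
)


def extract_challenge(log_text: str) -> dict:
    """Reassemble the ACME challenge JSON that the UTM splits across
    COMMAND_FAILED lines and return it as a dict."""
    fragments = [m.group(1) for m in map(LOG_PREFIX.match, log_text.splitlines()) if m]
    blob = "\n".join(fragments)
    start = blob.index("(result: ") + len("(result: ")
    end = blob.rindex("})") + 1          # keep the closing brace, drop the ')'
    return json.loads(blob[start:end])


VERDICT_WRONG_RESPONDER = "wrong-responder"   # a web server answered, but not the token holder
VERDICT_UNREACHABLE = "unreachable"           # nothing answered on port 80
VERDICT_OTHER = "other"


@dataclass(frozen=True)
class Diagnosis:
    hostname: str
    address_used: str
    token: str
    status: int
    verdict: str


def diagnose(challenge: dict) -> Diagnosis:
    """Classify the failure from the fields Let's Encrypt reports back."""
    err = challenge["error"]
    rec = challenge["validationRecord"][0]
    if challenge["type"] == "http-01" and "404 Not Found" in err["detail"]:
        # An HTTP server at addressUsed handled the request but had no
        # /.well-known/acme-challenge/<token>. Behind a UTM with a port-80 DNAT
        # rule that server is the DMZ host, not the WAF that wrote the token.
        verdict = VERDICT_WRONG_RESPONDER
    elif err["type"].endswith(":connection"):
        verdict = VERDICT_UNREACHABLE
    else:
        verdict = VERDICT_OTHER
    return Diagnosis(rec["hostname"], rec["addressUsed"], challenge["token"],
                     err["status"], verdict)


@dataclass(frozen=True)
class DnatRule:
    """Assumed rule shape for this example, not UTM configuration syntax."""
    dst_port: int
    target: str


def first_hop(dst_port: int, dnat_rules, waf_ports=frozenset({80, 443})) -> str:
    """Which component sees an inbound packet: a matching DNAT rule wins before
    the WAF/reverse proxy is consulted, as the reply describes."""
    for rule in dnat_rules:
        if rule.dst_port == dst_port:
            return f"dnat:{rule.target}"
    if dst_port in waf_ports:
        return "waf"
    return "none"


if __name__ == "__main__":
    d = diagnose(extract_challenge(SAMPLE_LOG))
    print(f"{d.hostname} [{d.address_used}] token={d.token} HTTP {d.status}: {d.verdict}")
    both = [DnatRule(80, "10.10.0.5"), DnatRule(443, "10.10.0.5")]
    only_443 = [DnatRule(443, "10.10.0.5")]
    print("DNAT 80+443, port 80 ->", first_hop(80, both))
    print("DNAT 443 only, port 80 ->", first_hop(80, only_443))
```

Run it as-is against the embedded excerpt, or feed a real `/var/log/letsencrypt` excerpt to `extract_challenge`; the `wrong-responder` verdict is the signature of the situation in this thread, while a `connection` error type would point at port 80 not being reachable at all, which is a different fix (firewall rule, country block).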