Let's encrypt error

After I enabled Let's Encrypt (under WAF), I get this error:

Logging:

2018:09:24-12:14:12 mail letsencrypt[8563]: I Create account: creating new Let's Encrypt acccount
2018:09:24-12:14:12 mail letsencrypt[8563]: E Create account: TOS_UNAVAILABLE: Failed to retrieve current Terms of Service from remote server: 500 SSL_ca_path /etc/ssl/certs is not accessable
2018:09:24-12:14:12 mail letsencrypt[8563]: E Create account: failed to create account
  • twister5800 said:

    You can type wildcard names, which gives error notifications, UTM should deny even creating them in Webadmin :-)

    2018:09:24-13:52:06 mail letsencrypt[23910]: E Renew certificate: COMMAND_FAILED: Connection: close
    2018:09:24-13:52:06 mail letsencrypt[23910]: E Renew certificate: COMMAND_FAILED:
    2018:09:24-13:52:06 mail letsencrypt[23910]: E Renew certificate: COMMAND_FAILED: {
    2018:09:24-13:52:06 mail letsencrypt[23910]: E Renew certificate: COMMAND_FAILED: "type": "urn:acme:error:malformed",
    2018:09:24-13:52:06 mail letsencrypt[23910]: E Renew certificate: COMMAND_FAILED: "detail": "Error creating new authz :: Wildcard names not supported",
    2018:09:24-13:52:06 mail letsencrypt[23910]: E Renew certificate: COMMAND_FAILED: "status": 400
    2018:09:24-13:52:06 mail letsencrypt[23910]: E Renew certificate: COMMAND_FAILED: }
    2018:09:24-13:52:07 mail letsencrypt[23910]: I Renew certificate: sending notification WARN-603
    2018:09:24-13:52:07 mail letsencrypt[23910]: [WARN-603] Let's Encrypt certificate renewal failed accessing Let's Encrypt service
    2018:09:24-13:52:07 mail letsencrypt[23910]: I Renew certificate: execution completed (CSRs renewed: 0, failed: 1)

    Thank you for your feedback. We've filed this issue internally and are tracking it now as NUTM-10316.

  • twister5800 said:

    You can type wildcard names, which gives error notifications, UTM should deny even creating them in Webadmin :-)

    No please don't deny it, but properly support wildcard domains (which are supported by Let's Encrypt).

    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Perfectly agree ;)

    -----

    Best regards
    Martin

    Sophos XGS 2100 @ Home | Sophos v20 Technician

  • Real support for wildcard domains is definitely out of scope for UTM 9.6. If you really need wildcard support for Let's Encrypt certificates, please raise it as a feature request on https://ideas.sophos.com/.

    Sorry!

  • apijnappels said:
    No please don't deny it, but properly support wildcard domains (which are supported by Let's Encrypt).

    As you can see from the logs, Sophos is using the "old" Let's Encrypt API. With this API, it is not possible to create wildcard certificates.

    So it would be a huge effort for them to change this behavior.

    Please send me Spam gueselkuebel@sg-utm.also-solutions.ch

  • HuberChristian said:

    So it would be a huge effort for them to change this behavior.

    Huge as in "switch to ACME v2"?

    Seems to me it must be possible.

  • apijnappels said:

    Huge as in "switch to ACME v2"?

    Seems to me it must be possible.

    Switching to ACMEv2 isn't the real problem, validating domains through DNS is. You have to validate wildcard domains through DNS. For now we only support validating domains through HTTP.

  • I have set the permissions accordingly, but still get:

    2018:09:27-11:12:10 xxx letsencrypt[7644]: I Create account: creating new Let's Encrypt acccount
    2018:09:27-11:12:41 xxx letsencrypt[7644]: E Create account: TOS_UNAVAILABLE: Failed to retrieve current Terms of Service from remote server: 500 Can't connect to acme-v01.api.letsencrypt.org:443 (timeout)
    2018:09:27-11:12:41 xxx letsencrypt[7644]: E Create account: failed to create account

    What else can I do?

    ----------
    Sophos user, admin and reseller.
    Private Setup:

    • XG: HPE DL20 Gen9 (Core i3-7300, 8GB RAM, 120GB SSD) | XG 18.0 (Home License) with: Web Protection, Site-to-Site-VPN (IPSec, RED-Tunnel), Remote Access (SSL, HTML5)
    • UTM: 2 vCPUs, 2GB RAM, 50GB vHDD, 2 vNICs on vServer (KVM) | UTM 9.7 (Home License) with: Email Protection, Webserver Protection, RED-Tunnel (server)
  • scorpionking said:

    I have set the permissions accordingly, but still get:

    That's a different error. Connecting to the Let's Encrypt server times out. Make sure that acme-v01.api.letsencrypt.org is reachable from your UTM.

  • Seems to be an IPv6 issue.

    If I disable IPv6 I can successfully enable Let's Encrypt.

    I can "ping6 acme-v01.api.letsencrypt.org" without problems, but e.g. a "wget acme-v01.api.letsencrypt.org" runs into timeout with IPv6 enabled.
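The thread shows three distinct failures that all surface in the same letsencrypt log: an unreadable local CA path, a wildcard name rejected by the ACME v1 endpoint (which only does HTTP validation, so no wildcards), and a connection timeout that turned out to be IPv6 routing. The following is an added example, not code from the thread or from Sophos: it parses the log format quoted above, stitches the per-line `COMMAND_FAILED:` fragments back into the JSON error the ACME server returned, and maps each failure to a cause and the check to run next. The sample log is constructed from the lines quoted in the thread, and the rule table (match strings, cause names, suggested checks) is my own mapping, not anything UTM itself emits.

```python
"""Classify Sophos UTM letsencrypt log lines by likely root cause.

Added example, not part of the forum thread or of any Sophos tool.
"""
import json
import re
from collections import defaultdict

# Log format as quoted in the thread: "YYYY:MM:DD-HH:MM:SS host letsencrypt[pid]: LEVEL message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"letsencrypt\[(?P<pid>\d+)\]: (?P<level>[IEW]|\[WARN-\d+\]) (?P<msg>.*)$"
)

# Constructed sample input: the three failure signatures seen in the thread,
# including the non-JSON "Connection: close" fragment that precedes the JSON body.
SAMPLE_LOG = """\
2018:09:24-12:14:12 mail letsencrypt[8563]: I Create account: creating new Let's Encrypt acccount
2018:09:24-12:14:12 mail letsencrypt[8563]: E Create account: TOS_UNAVAILABLE: Failed to retrieve current Terms of Service from remote server: 500 SSL_ca_path /etc/ssl/certs is not accessable
2018:09:24-13:52:06 mail letsencrypt[23910]: E Renew certificate: COMMAND_FAILED: Connection: close
2018:09:24-13:52:06 mail letsencrypt[23910]: E Renew certificate: COMMAND_FAILED:
2018:09:24-13:52:06 mail letsencrypt[23910]: E Renew certificate: COMMAND_FAILED: {
2018:09:24-13:52:06 mail letsencrypt[23910]: E Renew certificate: COMMAND_FAILED: "type": "urn:acme:error:malformed",
2018:09:24-13:52:06 mail letsencrypt[23910]: E Renew certificate: COMMAND_FAILED: "detail": "Error creating new authz :: Wildcard names not supported",
2018:09:24-13:52:06 mail letsencrypt[23910]: E Renew certificate: COMMAND_FAILED: "status": 400
2018:09:24-13:52:06 mail letsencrypt[23910]: E Renew certificate: COMMAND_FAILED: }
2018:09:27-11:12:41 xxx letsencrypt[7644]: E Create account: TOS_UNAVAILABLE: Failed to retrieve current Terms of Service from remote server: 500 Can't connect to acme-v01.api.letsencrypt.org:443 (timeout)
"""

# Assumed rule table (mine, not UTM's): (substring to match, cause label, next check).
RULES = [
    ("SSL_ca_path", "ca_path_unreadable",
     "check ownership and mode of the CA directory named in the message"),
    ("(timeout)", "acme_unreachable",
     "test TCP 443 to the ACME host over IPv4 and IPv6 separately"),
    ("Wildcard names not supported", "wildcard_on_acme_v1",
     "ACME v1 with HTTP-01 cannot issue wildcards; DNS-01 on ACME v2 is required"),
]

MARKER = "COMMAND_FAILED:"


def parse_lines(text):
    """Yield one dict per well-formed log line; anything else is skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            yield m.groupdict()


def reassemble_acme_errors(entries):
    """Join each pid's COMMAND_FAILED fragments back into the ACME JSON error.

    Fragments before the first "{" (for example "Connection: close") are not
    part of the JSON body and are dropped; unparseable output maps to None.
    """
    fragments = defaultdict(list)
    for e in entries:
        if e["level"] == "E" and MARKER in e["msg"]:
            frag = e["msg"].split(MARKER, 1)[1].strip()
            if frag:
                fragments[e["pid"]].append(frag)
    blobs = {}
    for pid, parts in fragments.items():
        start = next((i for i, p in enumerate(parts) if p.startswith("{")), None)
        try:
            blobs[pid] = None if start is None else json.loads("\n".join(parts[start:]))
        except json.JSONDecodeError:
            blobs[pid] = None
    return blobs


def match_rule(text):
    """Return the first matching rule as a dict, or None."""
    for needle, cause, check in RULES:
        if needle in text:
            return {"cause": cause, "next_check": check}
    return None


def classify(log_text):
    """Return one finding per (pid, cause), in order of first appearance."""
    entries = list(parse_lines(log_text))
    blobs = reassemble_acme_errors(entries)
    findings, seen = [], set()
    for e in entries:
        if e["level"] != "E":
            continue
        if MARKER in e["msg"]:
            blob = blobs.get(e["pid"])
            text = blob.get("detail", "") if isinstance(blob, dict) else ""
        else:
            text = e["msg"]
        hit = match_rule(text)
        if hit and (e["pid"], hit["cause"]) not in seen:
            seen.add((e["pid"], hit["cause"]))
            findings.append({"pid": e["pid"], "host": e["host"], **hit})
    return findings


if __name__ == "__main__":
    for f in classify(SAMPLE_LOG):
        print(f"{f['host']} pid={f['pid']}: {f['cause']} -> {f['next_check']}")
```

Run it against a copy of the UTM letsencrypt log to get one line per failing run; the wildcard case is deliberately reported from the reassembled JSON `detail` field rather than from the raw fragments, because the fragment lines on their own never contain the full message.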