Activating Letsencrypt fails when using IPv6 - outgoing packets blocked by firewall

Hey there,

When trying to enable Let's Encrypt support, I also get the error "The previous attempt to enable Let’s Encrypt failed: Failed to retrieve the current Terms of Service link. Please try again or check the Internet connection if the problem persists." despite having corrected the permissions on /etc/ssl/certs.

tl;dr: skip to "Workaround" below. :)

I set the permissions as per NUTM-10315, but /var/log/letsencrypt.log shows:
2018:09:28-21:33:00 utm letsencrypt[8313]: I Create account: creating new Let's Encrypt acccount
2018:09:28-21:33:31 utm letsencrypt[8313]: E Create account: TOS_UNAVAILABLE: Failed to retrieve current Terms of Service from remote server: 500 Can't connect to acme-v01.api.letsencrypt.org:443 (timeout)
2018:09:28-21:33:31 utm letsencrypt[8313]: E Create account: failed to create account

Pinging the host works on either IPv4 or IPv6, but connecting on port 443 fails via IPv6, as also mentioned by scorpionking in community.sophos.com/.../let-s-encrypt-error

utm:/var/log # ping6 acme-v01.api.letsencrypt.org
PING acme-v01.api.letsencrypt.org(g2a02-26f0-6c00-0185-0000-0000-0000-3a8e.deploy.static.akamaitechnologies.com) 56 data bytes
64 bytes from g2a02-26f0-6c00-0185-0000-0000-0000-3a8e.deploy.static.akamaitechnologies.com: icmp_seq=1 ttl=61 time=26.7 ms


utm:/var/log # ping acme-v01.api.letsencrypt.org
PING e14990.dscx.akamaiedge.net (184.30.223.223) 56(84) bytes of data.
64 bytes from a184-30-223-223.deploy.static.akamaitechnologies.com (184.30.223.223): icmp_seq=1 ttl=57 time=21.3 ms


utm:/var/log # telnet acme-v01.api.letsencrypt.org 443
Trying 2a02:26f0:6c00:187::3a8e...

Connecting via IPv4 works just fine:

utm:/var/log # telnet 184.30.223.223 443
Trying 184.30.223.223...
Connected to 184.30.223.223.


It's not an issue with the tunnel broker itself, since I can connect to the site just fine from my PC, also using IPv6 via the tunnel broker:



Unfortunately, I cannot test with native IPv6, so I don't know if this problem also applies to native IPv6 connections, but I'm pretty sure it does (see "A little more information" below).

Edit: just noticed that it's the firewall dropping the packets:



Workaround

Add an explicit firewall rule:

Source: IPv6 address displayed on the IPv6 Global tab (or "Any IPv6", I guess)
Service: HTTPS
Destination: DNS-Group acme-v01.api.letsencrypt.org


A little more information:

iptables -vL AUTO_OUTPUT lists

    0     0 CONFIRMED  tcp  --  any    any     anywhere             anywhere             tcp spts:tcpmux:65535 dpt:https

while a similar rule seems to be missing in ip6tables -vL AUTO_OUTPUT:

utm:/var/log # iptables -nvL AUTO_OUTPUT | grep 443
    0     0 CONFIRMED  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spts:1:65535 dpt:443
utm:/var/log #


utm:/var/log # ip6tables -nvL AUTO_OUTPUT | grep 443
utm:/var/log #


Please let me know if you need further information to investigate the issue.

Best Regards
Markus
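The two listings above show the asymmetry behind this problem: an outgoing HTTPS rule in the IPv4 AUTO_OUTPUT chain with no IPv6 counterpart. As an added example (not from the original post or from Sophos), here is a small shell check that parses `iptables -nvL` / `ip6tables -nvL` output and reports destination ports the IPv4 chain allows but the IPv6 chain does not; the sample listings are constructed, modelled on the post's output, and the udp/53 rule is invented so the comparison has something to keep.

```shell
#!/bin/sh
# Constructed sample listings, modelled on the iptables/ip6tables -nvL AUTO_OUTPUT
# output quoted in the post (the udp/53 rule is invented for illustration).
V4_RULES='Chain AUTO_OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 CONFIRMED  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spts:1:65535 dpt:443
    0     0 CONFIRMED  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53'
V6_RULES='Chain AUTO_OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 CONFIRMED  udp  --  *      *       ::/0                 ::/0                 udp dpt:53'

# allowed_dports LISTING -> sorted, unique "proto/dport" pairs the chain lets through.
# Column 3 is the target, column 4 the protocol; "dpt:N" appears among the extras.
allowed_dports() {
    printf '%s\n' "$1" | awk '
        $3 == "CONFIRMED" || $3 == "ACCEPT" {
            for (i = 4; i <= NF; i++)
                if ($i ~ /^dpt:/) { split($i, p, ":"); print $4 "/" p[2] }
        }' | sort -u
}

# v6_gaps V4_LISTING V6_LISTING -> proto/dport pairs allowed for IPv4 but absent for IPv6
v6_gaps() {
    v6=$(allowed_dports "$2")
    allowed_dports "$1" | while read -r entry; do
        printf '%s\n' "$v6" | grep -qxF -- "$entry" || printf '%s\n' "$entry"
    done
}

# check_v6_parity V4_LISTING V6_LISTING -> prints the gaps and returns 1 if any exist
check_v6_parity() {
    gaps=$(v6_gaps "$1" "$2")
    if [ -n "$gaps" ]; then
        printf 'IPv6 AUTO_OUTPUT is missing rules for:\n%s\n' "$gaps"
        return 1
    fi
    echo "IPv4 and IPv6 AUTO_OUTPUT allow the same destination ports"
}

# On a live UTM shell this would be:
#   check_v6_parity "$(iptables -nvL AUTO_OUTPUT)" "$(ip6tables -nvL AUTO_OUTPUT)"
check_v6_parity "$V4_RULES" "$V6_RULES"
```

With the sample data the check reports `tcp/443` as missing on the IPv6 side, which is exactly the rule the workaround above adds by hand.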


  • Great, that worked for me, too!

    Thanks a lot.

    I'm not using a tunnel broker, it's a native IPv6 connection on a small vServer of a German hosting provider.

    ----------
    Sophos user, admin and reseller.
    Private Setup:

    • XG: HPE DL20 Gen9 (Core i3-7300, 8GB RAM, 120GB SSD) | XG 18.0 (Home License) with: Web Protection, Site-to-Site-VPN (IPSec, RED-Tunnel), Remote Access (SSL, HTML5)
    • UTM: 2 vCPUs, 2GB RAM, 50GB vHDD, 2 vNICs on vServer (KVM) | UTM 9.7 (Home License) with: Email Protection, Webserver Protection, RED-Tunnel (server)