LetsEncrypt failing to renew - Please help!

Hello All,

Version 9.701-6 in HA Cluster mode. It seems that LetsEncrypt is having issues getting the config file from our firewall, or the WAF is interfering with this process.

2020:02:17-18:03:02 firewall-1 letsencrypt[29628]: I Renew certificate: handling CSR REF_CaCsrFirewall202 for domain set [firewall.domain.exammple.com]
2020:02:17-18:03:02 firewall-1 letsencrypt[29628]: I Renew certificate: running command: /var/storage/chroot-reverseproxy/usr/dehydrated/bin/dehydrated -x -f /var/storage/chroot-reverseproxy/usr/dehydrated/conf/config -c --accept-terms --domain firewall.domain.exammple.com
2020:02:17-18:03:14 firewall-1 letsencrypt[29628]: I Renew certificate: command completed with exit code 256
2020:02:17-18:03:14 firewall-1 letsencrypt[29628]: E Renew certificate: COMMAND_FAILED: ERROR: Challenge is invalid! (returned: invalid) (result: {
2020:02:17-18:03:14 firewall-1 letsencrypt[29628]: E Renew certificate: COMMAND_FAILED: "type": "http-01",
2020:02:17-18:03:14 firewall-1 letsencrypt[29628]: E Renew certificate: COMMAND_FAILED: "status": "invalid",
2020:02:17-18:03:14 firewall-1 letsencrypt[29628]: E Renew certificate: COMMAND_FAILED: "error": {
2020:02:17-18:03:14 firewall-1 letsencrypt[29628]: E Renew certificate: COMMAND_FAILED: "type": "urn:ietf:params:acme:error:connection",
2020:02:17-18:03:14 firewall-1 letsencrypt[29628]: E Renew certificate: COMMAND_FAILED: "detail": "Fetching firewall.domain.exammple.com/.../0BXxojXb2QbLCqxs4L49frdIYGgsjfBhs01L3ax3rfI: Connection refused",
2020:02:17-18:03:14 firewall-1 letsencrypt[29628]: E Renew certificate: COMMAND_FAILED: "status": 400
2020:02:17-18:03:14 firewall-1 letsencrypt[29628]: E Renew certificate: COMMAND_FAILED: },
2020:02:17-18:03:14 firewall-1 letsencrypt[29628]: E Renew certificate: COMMAND_FAILED: "url": "acme-v02.api.letsencrypt.org/.../m7qngA",
2020:02:17-18:03:14 firewall-1 letsencrypt[29628]: E Renew certificate: COMMAND_FAILED: "token": "0BXxojXb2QbLCqxs4L49frdIYGgsjfBhs01L3ax3rfI",
2020:02:17-18:03:14 firewall-1 letsencrypt[29628]: E Renew certificate: COMMAND_FAILED: "validationRecord": [
2020:02:17-18:03:14 firewall-1 letsencrypt[29628]: E Renew certificate: COMMAND_FAILED: {
2020:02:17-18:03:14 firewall-1 letsencrypt[29628]: E Renew certificate: COMMAND_FAILED: "url": "firewall.domain.exammple.com/.well-known/acme-challenge/0BXxojXb2QbLCqxs4L49frdIYGgsjfBhs01L3ax3rfI",
2020:02:17-18:03:14 firewall-1 letsencrypt[29628]: E Renew certificate: COMMAND_FAILED: "hostname": "firewall.domain.exammple.com",
2020:02:17-18:03:14 firewall-1 letsencrypt[29628]: E Renew certificate: COMMAND_FAILED: "port": "80",
2020:02:17-18:03:14 firewall-1 letsencrypt[29628]: E Renew certificate: COMMAND_FAILED: "addressesResolved": [
2020:02:17-18:03:14 firewall-1 letsencrypt[29628]: E Renew certificate: COMMAND_FAILED: "1.1.1.1"
2020:02:17-18:03:14 firewall-1 letsencrypt[29628]: E Renew certificate: COMMAND_FAILED: ],
2020:02:17-18:03:14 firewall-1 letsencrypt[29628]: E Renew certificate: COMMAND_FAILED: "addressUsed": "1.1.1.1"
2020:02:17-18:03:14 firewall-1 letsencrypt[29628]: E Renew certificate: COMMAND_FAILED: }
2020:02:17-18:03:14 firewall-1 letsencrypt[29628]: E Renew certificate: COMMAND_FAILED: ]
2020:02:17-18:03:14 firewall-1 letsencrypt[29628]: E Renew certificate: COMMAND_FAILED: })
2020:02:17-18:03:14 firewall-1 letsencrypt[29628]: I Renew certificate: sending notification WARN-603
2020:02:17-18:03:14 firewall-1 letsencrypt[29628]: [WARN-603] Let's Encrypt certificate renewal failed accessing Let's Encrypt service
2020:02:17-18:03:14 firewall-1 letsencrypt[29628]: I Renew certificate: execution completed (CSRs renewed: 0, failed: 1)

If anybody has any input on this, could you please help? (Note: 1.1.1.1 isn't our real IP, and I've redacted our hostname too.)
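For anyone reading the log above, the useful part is the JSON that the UTM splits across the COMMAND_FAILED lines: the validationRecord says which hostname, address and port Let's Encrypt tried to reach for the http-01 challenge, and the error type says how that attempt ended. The script below is an added example (not from this post, dehydrated, or Sophos): it reassembles that JSON from log lines in this exact format and maps the ACME error to where to look first, covering the timeout and "unauthorized" cases as well as the "Connection refused" one seen here. The sample log, hostname, address and token are constructed placeholders, and the cause strings are my own diagnostic mapping.

```python
import json
import re

# Constructed sample: the challenge JSON as the UTM letsencrypt log splits it
# across "COMMAND_FAILED:" lines (placeholder hostname, address and token).
PREFIX = "2020:02:17-18:03:14 firewall-1 letsencrypt[29628]: E Renew certificate: COMMAND_FAILED: "
SAMPLE_PAYLOAD = """ERROR: Challenge is invalid! (returned: invalid) (result: {
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:connection",
"detail": "Fetching firewall.domain.exammple.com/.well-known/acme-challenge/TOKEN: Connection refused",
"status": 400
},
"validationRecord": [
{
"hostname": "firewall.domain.exammple.com",
"port": "80",
"addressesResolved": ["1.1.1.1"],
"addressUsed": "1.1.1.1"
}
]
})"""
SAMPLE_LOG = "\n".join(PREFIX + line for line in SAMPLE_PAYLOAD.splitlines())

def extract_challenge_result(log_text):
    """Reassemble the ACME challenge JSON from the UTM's COMMAND_FAILED lines."""
    parts = [line.split("COMMAND_FAILED: ", 1)[1]
             for line in log_text.splitlines() if "COMMAND_FAILED: " in line]
    m = re.search(r"\(result:\s*(\{.*\})\)\s*$", "\n".join(parts), re.S)
    return json.loads(m.group(1)) if m else None

def diagnose(result):
    """Map the ACME error type to the place a defender should check first."""
    err = result.get("error", {})
    rec = (result.get("validationRecord") or [{}])[0]
    target = f"{rec.get('hostname')} ({rec.get('addressUsed')}) port {rec.get('port')}"
    etype = err.get("type", "").rsplit(":", 1)[-1]   # e.g. "connection"
    detail = err.get("detail", "").lower()
    if etype == "connection" and "refused" in detail:
        cause = "inbound TCP refused: nothing listens on that port at that address, or a firewall/WAF rule rejects it"
    elif etype == "connection":
        cause = "inbound connection timed out/filtered: check upstream filtering and that DNS points at the cluster's active address"
    elif etype == "unauthorized":
        cause = "port reachable but challenge file not served: check WAF rules for /.well-known/acme-challenge/"
    else:
        cause = f"unhandled ACME error type '{etype}'"
    return {"challenge": result.get("type"), "target": target, "etype": etype, "cause": cause}
```

Note that the validation request comes inbound from Let's Encrypt to the address in addressUsed, so a refused connection points at what answers port 80 on that address, not at the firewall's outbound access.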
Hi There,

It looks like an upstream device or ISP is blocking the UTM's access to Let's Encrypt servers. The Let's Encrypt service needs to connect to the server and verify domain ownership before issuing or renewing a certificate.

Regards

Jaydeep
Ex-Sophos Member
