This is my first post since using Let's Encrypt for years. We have a bunch of Sophos UTM 9 with latest firmware. On two of them we cannot renew certificates anymore. I'm not sure when this happened, but it worked around October 1st/2nd without issues.
On one UTM I've disabled the Let's Encrypt functionality and wanted to enable it again, with the following error:
2021:10:15-08:26:45 utm-1 letsencrypt[9117]: I Create account: creating new Let's Encrypt acccount
2021:10:15-08:26:46 utm-1 letsencrypt[9117]: E Create account: Incorrect response code from ACME server: 500
2021:10:15-08:26:46 utm-1 letsencrypt[9117]: E Create account: URL was: https://acme-v02.api.letsencrypt.org/directory
2021:10:15-08:26:46 utm-1 letsencrypt[9117]: E Create account: TOS_UNAVAILABLE: Failed to retrieve the current Terms of Service URL
2021:10:15-08:26:46 utm-1 letsencrypt[9117]: E Create account: failed to create account
The behavior on both before was that no renewal was possible because it "fails to fetch the terms of service":
2021:10:15-08:47:02 utm-1 letsencrypt[26549]: E Renew certificate: TOS_UNAVAILABLE: Could not obtain the current version of the Let's Encrypt Terms of Service
2021:10:15-08:47:02 utm-1 letsencrypt[26549]: I Renew certificate: sending notification WARN-603
2021:10:15-08:47:02 utm-1 letsencrypt[26549]: [WARN-603] Let's Encrypt certificate renewal failed accessing Let's Encrypt service
2021:10:15-08:47:02 utm-1 letsencrypt[26549]: I Renew certificate: execution failed
If I NAT port 80 through to the hosts, the certificate gets renewed, so I guess it is something in the communication between the UTM and Let's Encrypt? I've searched the internet but found nothing that helped.
Maybe someone stumbled over this already and can help me to bring our systems back to work again.
I hope the information is sufficient, and thanks for your help.
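The failing step in both logs is the fetch of the ACME directory that precedes account creation and renewal: the client needs `meta.termsOfService` from it, and a non-200 answer or a body without that key is what the UTM reports as TOS_UNAVAILABLE. The following diagnostic is an added example (not from the original post and not Sophos code) that reproduces that step so it can be run from behind the same firewall; the function and parameter names are mine, and the sample responses are constructed.

```python
import json
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Directory URL taken from the UTM log lines above.
DIRECTORY_URL = "https://acme-v02.api.letsencrypt.org/directory"

# Constructed sample responses (not real ACME data) used for offline checks.
GOOD_DIRECTORY = json.dumps({
    "newNonce": "https://acme.example/acme/new-nonce",
    "newAccount": "https://acme.example/acme/new-acct",
    "meta": {"termsOfService": "https://example.invalid/LE-SA-constructed.pdf"},
}).encode()
BAD_500_BODY = b"<html><body>500 Internal Server Error</body></html>"


def tos_url_from_directory(status, body):
    """Mirror the client's ToS lookup on one directory response.

    Returns (True, tos_url) on success, otherwise (False, diagnostic) using
    wording close to the UTM's own messages so the cases line up with the log.
    """
    if status != 200:
        return False, f"Incorrect response code from ACME server: {status}"
    try:
        directory = json.loads(body)
    except ValueError:
        # An HTML block page or proxy error instead of JSON lands here.
        return False, "directory body is not JSON (filtered or rewritten response?)"
    meta = directory.get("meta")
    tos = meta.get("termsOfService") if isinstance(meta, dict) else None
    if not tos:
        return False, "TOS_UNAVAILABLE: directory has no meta.termsOfService"
    return True, tos


def fetch_directory(url=DIRECTORY_URL, timeout=10):
    """Fetch the directory; return (status, body) even for HTTP error codes."""
    req = Request(url, headers={"User-Agent": "acme-tos-check/0.1 (diagnostic)"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except HTTPError as err:
        return err.code, err.read()


if __name__ == "__main__":
    # Live run: compare this result with the UTM's log from the same network.
    print(tos_url_from_directory(*fetch_directory()))
```

If the script succeeds from the UTM's network segment while the UTM itself still logs a 500, the difference lies in the UTM's own HTTP path (proxy or filtering settings) rather than in the Let's Encrypt service.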
@MClasen I do not know Sophos UTM at all but I have an idea ...
On/about Oct 1 the LE servers at acme-v02.api.letsencrypt.org started sending a new certificate chain. Before that day they used the "long chain" but now use the "short chain".
Perhaps Sophos detected the change and is blocking access as it looks suspicious? I agree with @rg305 that it seems more fruitful to discuss with the Sophos community. Just thought this bit of info would be helpful to you.
I saw various posts at Sophos community about server error 500s that seemed to be caused by Sophos and were not simply pass-thru errors from the target server.