Let's Encrypt on Sophos UTM does not work

Hello Let's Encrypt community.

This is my first post since using Let's Encrypt for years. We have a bunch of Sophos UTM 9 with latest firmware. On two of them we cannot renew certificates anymore. I'm not sure when this happened, but it worked around 1st/2nd October without issues.

On one UTM I've disabled the Let's Encrypt functionality and wanted to enable it again, with the following error:
2021:10:15-08:26:45 utm-1 letsencrypt[9117]: I Create account: creating new Let's Encrypt acccount
2021:10:15-08:26:46 utm-1 letsencrypt[9117]: E Create account: Incorrect response code from ACME server: 500
2021:10:15-08:26:46 utm-1 letsencrypt[9117]: E Create account: URL was: https://acme-v02.api.letsencrypt.org/directory
2021:10:15-08:26:46 utm-1 letsencrypt[9117]: E Create account: TOS_UNAVAILABLE: Failed to retrieve the current Terms of Service URL
2021:10:15-08:26:46 utm-1 letsencrypt[9117]: E Create account: failed to create account

The behavior on both before was that there was no renewal possible because it "fails to fetch the terms of service":

2021:10:15-08:47:02 utm-1 letsencrypt[26549]: E Renew certificate: TOS_UNAVAILABLE: Could not obtain the current version of the Let's Encrypt Terms of Service
2021:10:15-08:47:02 utm-1 letsencrypt[26549]: I Renew certificate: sending notification WARN-603
2021:10:15-08:47:02 utm-1 letsencrypt[26549]: [WARN-603] Let's Encrypt certificate renewal failed accessing Let's Encrypt service
2021:10:15-08:47:02 utm-1 letsencrypt[26549]: I Renew certificate: execution failed

If I NAT port 80 through to the hosts the certificate gets renewed, so I guess it is something in the communication between the UTM and Let's Encrypt? I've searched the internet but found nothing that helped.

Maybe someone stumbled over this already and can help me to bring our systems back to work again.

I hope the information is sufficient and thanks for your help.

Kind regards
Michael

2 Likes
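The log lines above show the step that fails: before creating an account (or renewing), the client fetches the ACME directory at `https://acme-v02.api.letsencrypt.org/directory` and reads the Terms of Service URL from its `meta.termsOfService` field; if the directory request does not return HTTP 200 with that field, the UTM reports `TOS_UNAVAILABLE`. The following is an added example, not code from the original thread or from Sophos, that reproduces that step so the two failure modes can be told apart from a machine on the same network path as the UTM. The `acme.example` URLs in the sample documents are constructed placeholders following the RFC 8555 directory layout; only the directory URL itself is taken from the log.

```python
"""Check an ACME directory response for the Terms of Service URL.

Added example (not from the forum post or from Sophos). It mirrors what an
ACME client must do before creating an account: fetch the directory and read
meta.termsOfService (RFC 8555, section 7.1.1). A non-200 status, non-JSON
body, or a missing meta.termsOfService is what the UTM log reports as
TOS_UNAVAILABLE.
"""
import json
import urllib.request
from urllib.error import HTTPError

# Directory URL as it appears in the UTM log.
DIRECTORY_URL = "https://acme-v02.api.letsencrypt.org/directory"

# Constructed sample: the shape follows RFC 8555; the acme.example URLs are placeholders.
SAMPLE_DIRECTORY_OK = json.dumps({
    "newNonce": "https://acme.example/acme/new-nonce",
    "newAccount": "https://acme.example/acme/new-acct",
    "newOrder": "https://acme.example/acme/new-order",
    "meta": {
        "termsOfService": "https://acme.example/terms.pdf",
        "caaIdentities": ["acme.example"],
    },
})

# Constructed sample with the meta block missing, as a truncated or rewritten
# response from an interposed proxy might look.
SAMPLE_DIRECTORY_NO_TOS = json.dumps({
    "newNonce": "https://acme.example/acme/new-nonce",
    "newAccount": "https://acme.example/acme/new-acct",
})


class TosUnavailable(Exception):
    """Raised when the ToS URL cannot be read; mirrors the UTM's TOS_UNAVAILABLE."""


def terms_of_service_url(directory_body):
    """Return meta.termsOfService from a directory body, or raise TosUnavailable."""
    try:
        directory = json.loads(directory_body)
    except json.JSONDecodeError as exc:
        raise TosUnavailable("directory body is not JSON: %s" % exc) from exc
    meta = directory.get("meta") if isinstance(directory, dict) else None
    tos = meta.get("termsOfService") if isinstance(meta, dict) else None
    if not isinstance(tos, str) or not tos.startswith("https://"):
        raise TosUnavailable("directory has no meta.termsOfService https URL")
    return tos


def classify(status, body):
    """Give a one-line diagnosis for an (HTTP status, body) pair."""
    if status != 200:
        # The CA itself rarely answers the directory with a 5xx; an interposed
        # proxy, web filter or TLS inspection device is the usual source.
        return "server-error: HTTP %d (check for an interposed proxy or filter)" % status
    try:
        return "ok: %s" % terms_of_service_url(body)
    except TosUnavailable as exc:
        return "TOS_UNAVAILABLE: %s" % exc


def fetch_directory(url=DIRECTORY_URL, timeout=10.0):
    """Fetch the directory and return (status, body); needs network access."""
    req = urllib.request.Request(url, headers={"User-Agent": "acme-dir-check/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as exc:
        # Keep the body: a proxy's error page is itself useful evidence.
        return exc.code, exc.read().decode("utf-8", "replace")


if __name__ == "__main__":
    # Offline demonstration on the constructed samples, then a live check.
    print(classify(200, SAMPLE_DIRECTORY_OK))
    print(classify(500, "<html>gateway error</html>"))
    print(classify(200, SAMPLE_DIRECTORY_NO_TOS))
    try:
        print(classify(*fetch_directory()))
    except OSError as exc:  # DNS, TLS or connection failure on this host
        print("fetch failed before HTTP: %s" % exc)
```

Run it once from a host behind the UTM and once from a host that bypasses it: a directory that classifies as `ok` from outside but as `server-error` or `TOS_UNAVAILABLE` from inside points at the path between the UTM and the CA rather than at the CA. A failure raised before any HTTP response (the `OSError` branch) is a TLS or connectivity problem on the client side, which is a separate thing to investigate.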

Hi @MClasen and welcome to the LE community forum :slight_smile:

I think (it might be possible) that the IP of the UTM may have gotten blocked.
If you can provide it, @lestaff might be able to check on that for you.

2 Likes

Hello @rg305, thank you very much.

We have a lot of IPs with corresponding certificates. I will try to submit as best as I can:

130.193.116.240/28
62.153.236.26/29
193.159.223.2/29

Is it possible that the whole bunch is blocked?

The initial request from the UTM that tried to open an account should originate from 46.30.119.16.

1 Like

None of these IPs are being blocked.

3 Likes

Sounds like you may need to speak with the Sophos people about this one.
:frowning:

3 Likes

@MClasen I do not know Sophos UTM at all but I have an idea ...

On/about Oct 1 the LE servers at acme-v02.api.letsencrypt.org started sending a new certificate chain. Before that day they used the "long chain" but now use the "short chain".

Perhaps Sophos detected the change and is blocking access as it looks suspicious? I agree with @rg305 that it seems more fruitful to discuss with the Sophos community. Just thought this bit of info would be helpful to you.

I saw various posts at the Sophos community about server error 500s that seemed to be caused by Sophos and were not simply pass-through errors from the target server.

More on the chains:

5 Likes

Thanks for the help you all. As @rg305 mentioned, I've contacted our Sophos partner, to no avail.
Today I found the right answer in the German UTM forum:
https://community.sophos.com/utm-firewall/f/german-forum/130581/erneuerung-let-s-encrypt-zertifikat-funktioniert-nicht-mehr/479863#479863

Deleting the ISRG X1 root certificate solved the problem for me. Thank you all.

2 Likes
