Sophos UTM cert fails

My domain is: clefus.homeip.net

I ran this command: New Cert and Retry. See below for log but here is a snippet:
2024:03:26-19:38:03 letsencrypt[27901]: I Renew certificate: running command: /var/storage/chroot-reverseproxy/usr/dehydrated/bin/dehydrated -x -f /var/storage/chroot-

It produced this output:
This is a partial output - trying not to post security / token etc info.

2024:03:26-19:48:03 letsencrypt[30564]: I Renew certificate: handling CSR REF_CaCsrCertletsen for domain set [clefus.homeip.net]

2024:03:26-19:48:03 letsencrypt[30564]: I Renew certificate: running command: /var/storage/chroot-reverseproxy/usr/dehydrated/bin/dehydrated -x -f /var/storage/chroot-reverseproxy/usr/dehydrated/conf/config -c --accept-terms --domain clefus.homeip.net
2024:03:26-19:48:11 letsencrypt[30564]: I Renew certificate: command completed with exit code 256
2024:03:26-19:48:11 letsencrypt[30564]: E Renew certificate: COMMAND_FAILED: ERROR: Challenge is invalid! (returned: invalid) (result: ["type"] "http-01"
2024:03:26-19:48:11 letsencrypt[30564]: E Renew certificate: COMMAND_FAILED: ["status"] "invalid"
2024:03:26-19:48:11 letsencrypt[30564]: E Renew certificate: COMMAND_FAILED: ["error","type"] "urn:ietf:params:acme:error:connection"
2024:03:26-19:48:11 letsencrypt[30564]: E Renew certificate: COMMAND_FAILED: ["error","status"] 400
2024:03:26-19:48:11 letsencrypt[30564]: I Renew certificate: sending notification WARN-603
2024:03:26-19:48:11 letsencrypt[30564]: [WARN-603] Let's Encrypt certificate renewal failed accessing Let's Encrypt service
2024:03:26-19:48:11 letsencrypt[30564]: I Renew certificate: execution completed (CSRs renewed: 0, failed: 1)

My web server is (include version): Sophos UTM 9.718-5

The operating system my web server runs on is (include version): See above.

I can login to a root shell on my machine (yes or no, or I don't know): Yes - prefer not to for this...but can.

I have searched google, this forum, Sophos' forum and found both similar and different instances of this issue. I have tried creating an exception in web filtering, disabling (temporarily) country blocking, and much more....so far no luck in establishing the cert. I have an identical setup, with a similar dyn.dns domain at another location - have reviewed settings/compared and they seem to be the same. It was able to grab a certificate. I have also tried disabling the Let's Encrypt service and re-enabling. The only difference between the successful config and this one is which physical interface - although all the rules/config take this into account - which physical interface should not matter. It is acting as the WAN port just like the other physical port on the other device. I have also checked the CA's on the device and do not believe that is the issue.

Trying to get this cert on the actual sophos device, not a server behind it.

Thank you in advance for your help!

Hello @clefus, welcome to the Let's Encrypt community. :slightly_smiling_face:

You do not want the server responding this way; "HTTP/1.1 501 Not Implemented". :frowning:

$ curl -Ii http://clefus.homeip.net/.well-known/acme-challenge/sometestfile
HTTP/1.1 501 Not Implemented
Content-Type: text/html
Connection: close

And using the online tool Let's Debug yields these results https://letsdebug.net/clefus.homeip.net/1848642

ANotWorking
ERROR
clefus.homeip.net has an A (IPv4) record (184.19.213.21) but a request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address.
Get "http://clefus.homeip.net/.well-known/acme-challenge/letsdebug-test": EOF

Trace:
@0ms: Making a request to http://clefus.homeip.net/.well-known/acme-challenge/letsdebug-test (using initial IP 184.19.213.21)
@0ms: Dialing 184.19.213.21
@286ms: Experienced error: EOF
IssueFromLetsEncrypt
ERROR
A test authorization for clefus.homeip.net to the Let's Encrypt staging service has revealed issues that may prevent any certificate for this domain being issued.
184.19.213.21: Fetching http://clefus.homeip.net/.well-known/acme-challenge/ucLiAR8Hfo_sotJ0pqmtPfaiOSHmwisNajU6OJf5XUo: Error getting validation data

And trying using Firefox I see:

Kindly wait for more knowledgeable Let's Encrypt community volunteers to assist.

4 Likes

Thank you @Bruce5051 !

I did not realize that my modem/ONT was intercepting. Your reply helped me solve the issue and I am now good to go!

Thanks again!

4 Likes

You are welcome @clefus !
Have a pleasant day. :slight_smile:

3 Likes