Sophos UTM - Renew wildcard fails

Hello Community,

Our Sophos UTM v. 9.714-4 worked fine until 2 weeks ago.
The update to renew our wildcard certificate fails.
Below is the log. I have already tried several ways, but it no longer works.
Does anyone know what the error could be?

Note: I had tried it as a wildcard as well as with the individual subdomains.

2023:03:03-11:23:02 mail-1 letsencrypt[14080]: I Renew certificate: handling CSR REF_CaCsrWildcardsc for domain set [all subdomains that should be included in the certificate]
2023:03:03-11:23:02 mail-1 letsencrypt[14080]: I Renew certificate: running command: /var/storage/chroot-reverseproxy/usr/dehydrated/bin/dehydrated -x -f /var/storage/chroot-reverseproxy/usr/dehydrated/conf/config -c --accept-terms --domain --domain mysub.domain.net
2023:03:03-11:24:01 mail-1 letsencrypt[18497]: E Renew certificate: aborting, failed to acquire an exclusive lock: Resource temporarily unavailable
2023:03:03-11:24:50 mail-1 letsencrypt[14080]: I Renew certificate: command completed with exit code 256
2023:03:03-11:24:50 mail-1 letsencrypt[14080]: E Renew certificate: COMMAND_FAILED: ERROR: Challenge is invalid! (returned: invalid) (result: ["type"] "http-01"
2023:03:03-11:24:50 mail-1 letsencrypt[14080]: E Renew certificate: COMMAND_FAILED: ["status"] "invalid"
2023:03:03-11:24:50 mail-1 letsencrypt[14080]: E Renew certificate: COMMAND_FAILED: ["error","type"] "urn:ietf:params:acme:error:unauthorized"
2023:03:03-11:24:50 mail-1 letsencrypt[14080]: E Renew certificate: COMMAND_FAILED: ["error","detail"] "195.20.225.163: Invalid response from https://autodiscover.1and1.info/Autodiscover/Autodiscover.xml: 405"
2023:03:03-11:24:50 mail-1 letsencrypt[14080]: E Renew certificate: COMMAND_FAILED: ["error","status"] 403
2023:03:03-11:24:50 mail-1 letsencrypt[14080]: E Renew certificate: COMMAND_FAILED: ["error"] {"type":"urn:ietf:params:acme:error:unauthorized","detail":"195.20.225.163: Invalid response from https://autodiscover.1and1.info/Autodiscover/Autodiscover.xml: 405","status":403}
2023:03:03-11:24:50 mail-1 letsencrypt[14080]: E Renew certificate: COMMAND_FAILED: ["url"] "https://acme-v02.api.letsencrypt.org/acme/chall-v3/207844815786/iq04ZA"
2023:03:03-11:24:50 mail-1 letsencrypt[14080]: E Renew certificate: COMMAND_FAILED: ["token"] "Y_iPh5mIectU8pYuRgOaUVaWV95_ApICGnFApGhLkeU"
2023:03:03-11:24:50 mail-1 letsencrypt[14080]: E Renew certificate: COMMAND_FAILED: ["validationRecord",0,"url"] "http://autodiscover.our-domain.net/.well-known/acme-challenge/Y_iPh5mIectU8pYuRgOaUVaWV95_ApICGnFApGhLkeU"
2023:03:03-11:24:50 mail-1 letsencrypt[14080]: E Renew certificate: COMMAND_FAILED: ["validationRecord",0,"hostname"] "autodiscover.our-domain.net"
2023:03:03-11:24:50 mail-1 letsencrypt[14080]: E Renew certificate: COMMAND_FAILED: ["validationRecord",0,"port"] "80"
2023:03:03-11:24:50 mail-1 letsencrypt[14080]: E Renew certificate: COMMAND_FAILED: ["validationRecord",0,"addressesResolved",0] "195.20.225.163"
2023:03:03-11:24:50 mail-1 letsencrypt[14080]: E Renew certificate: COMMAND_FAILED: ["validationRecord",0,"addressesResolved"] ["195.20.225.163"]
2023:03:03-11:24:50 mail-1 letsencrypt[14080]: E Renew certificate: COMMAND_FAILED: ["validationRecord",0,"addressUsed"] "195.20.225.163"
2023:03:03-11:24:50 mail-1 letsencrypt[14080]: E Renew certificate: COMMAND_FAILED: ["validationRecord",0] {"url":"http://autodiscover.our-domain.net/.well-known/acme-challenge/Y_iPh5mIectU8pYuRgOaUVaWV95_ApICGnFApGhLkeU","hostname":"autodiscover.our-domain.net","port":"80","addressesResolved":["195.20.225.163"],"addressUsed":"195.20.225.163"}
2023:03:03-11:24:50 mail-1 letsencrypt[14080]: E Renew certificate: COMMAND_FAILED: ["validationRecord",1,"url"] "https://autodiscover.1and1.info/Autodiscover/Autodiscover.xml"
2023:03:03-11:24:50 mail-1 letsencrypt[14080]: E Renew certificate: COMMAND_FAILED: ["validationRecord",1,"hostname"] "autodiscover.1and1.info"
2023:03:03-11:24:50 mail-1 letsencrypt[14080]: E Renew certificate: COMMAND_FAILED: ["validationRecord",1,"port"] "443"
2023:03:03-11:24:50 mail-1 letsencrypt[14080]: E Renew certificate: COMMAND_FAILED: ["validationRecord",1,"addressesResolved",0] "195.20.225.162"
2023:03:03-11:24:50 mail-1 letsencrypt[14080]: E Renew certificate: COMMAND_FAILED: ["validationRecord",1,"addressesResolved"] ["195.20.225.162"]
2023:03:03-11:24:50 mail-1 letsencrypt[14080]: E Renew certificate: COMMAND_FAILED: ["validationRecord",1,"addressUsed"] "195.20.225.162"
2023:03:03-11:24:50 mail-1 letsencrypt[14080]: E Renew certificate: COMMAND_FAILED: ["validationRecord",1] {"url":"https://autodiscover.1and1.info/Autodiscover/Autodiscover.xml","hostname":"autodiscover.1and1.info","port":"443","addressesResolved":["195.20.225.162"],"addressUsed":"195.20.225.162"}
2023:03:03-11:24:50 mail-1 letsencrypt[14080]: E Renew certificate: COMMAND_FAILED: ["validationRecord"] [{"url":"http://autodiscover.our-domain.net/.well-known/acme-challenge/Y_iPh5mIectU8pYuRgOaUVaWV95_ApICGnFApGhLkeU","hostname":"autodiscover.our-domain.net","port":"80","addressesResolved":["195.20.225.163"],"addressUsed":"195.20.225.163"},{"url":"https://autodiscover.1and1.info/Autodiscover/Autodiscover.xml","hostname":"autodiscover.1and1.info","port":"443","addressesResolved":["195.20.225.162"],"addressUsed":"195.20.225.162"}]
2023:03:03-11:24:50 mail-1 letsencrypt[14080]: E Renew certificate: COMMAND_FAILED: ["validated"] "2023-03-03T10:24:47Z")
2023:03:03-11:24:51 mail-1 letsencrypt[14080]: I Renew certificate: sending notification WARN-603
2023:03:03-11:24:51 mail-1 letsencrypt[14080]: [WARN-603] Let's Encrypt certificate renewal failed accessing Let's Encrypt service
2023:03:03-11:24:51 mail-1 letsencrypt[14080]: I Renew certificate: execution completed (CSRs renewed: 0, failed: 1)

Hi @waldhonig , and welcome to the LE community forum :slight_smile:

I don't know dehydrated... maybe that is a clue.

That definitely looks like a clue.

Without the information from the initial questionnaire we are left with only the use of :crystal_ball:

Reconsider...


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

2 Likes

It looks like you are using the HTTP-01 Challenge, yet only the DNS-01 Challenge can be used to issue certificates containing wildcard domain names.

1 Like

Port 443 is closed

$ nmap -Pn autodiscover.<redacted>.net
Starting Nmap 7.80 ( https://nmap.org ) at 2023-03-03 15:43 UTC
Nmap scan report for autodiscover.<redacted>.net (195.20.225.163)
Host is up (0.17s latency).
rDNS record for 195.20.225.163: adsredir.1and1.info
Not shown: 998 filtered ports
PORT    STATE  SERVICE
80/tcp  open   http
443/tcp closed https

Nmap done: 1 IP address (1 host up) scanned in 13.79 seconds
1 Like

I've had problems with the Sophos + LetsEncrypt combo as well, in the very early days of LE. What I did was to request the certs from another box and use Sophos RESTful API to update the certificate objects on the UTM.
Since then, Sophos has added and improved their LE implementation significantly and it probably works fine for most, but not for all scenarios. My show-stopper is that I wanted to have a cert for SMTP services and that is why I still stick with my setup. It seems that your wildcard (like my smtp) cert requires dns-01 instead of http-01 and thus probably cannot be handled by the UTM itself (Or can it? I am not aware of UTM being able to manipulate your public DNS records, but I may be wrong).

If the above turns out to be the problem at hand, I might try to go through my system and flesh out the solution a bit more.

4 Likes

Still seeing Port 80 (open) being redirected to Port 443 (closed) for the HTTP-01 Challenge (which I still believe is the wrong challenge to use since the title mentioned wildcard and that would need DNS-01 Challenge).

$ curl -Ii http://autodiscover.<redacted>.net/.well-known/acme-challenge/sometestfile
HTTP/1.1 302 Found
Date: Sun, 05 Mar 2023 01:14:57 GMT
Server: Apache/2.4.38 (Debian)
Location: https://autodiscover.1and1.info/Autodiscover/Autodiscover.xml
Content-Type: text/html; charset=iso-8859-1
$ nmap -Pn autodiscover.<redacted>.net
Starting Nmap 7.80 ( https://nmap.org ) at 2023-03-05 01:15 UTC
Nmap scan report for autodiscover.<redacted>.net (195.20.225.163)
Host is up (0.17s latency).
rDNS record for 195.20.225.163: adsredir.1and1.info
Not shown: 998 filtered ports
PORT    STATE  SERVICE
80/tcp  open   http
443/tcp closed https

Nmap done: 1 IP address (1 host up) scanned in 12.31 seconds
1 Like
Name:     adsredir.1and1.info
Address:  195.20.225.163
Aliases:  autodiscover.[redacted].net

You won't be able to get a cert using HTTP-01 authentication from an IP you don't control.
What is the IP of your server?

2 Likes

Hello rg305,

the domain is *.schneider-holz.net with the IP 62.154.208.59

I have intentionally left the other items blank as the certificate renewal is created by the Sophos UTM Firewall.

1 Like

The HTTPS error implies dehydrated is trying to obtain a cert for "autodiscover.your-domain" via HTTP-01 authentication and was redirected to HTTPS.

As shown by the DNS resolve:

It is impossible to validate that FQDN via HTTP-01 authentication.

2 Likes
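As an added example (not code from this thread, from dehydrated or from Sophos), a small Python checker that parses the dehydrated COMMAND_FAILED dump posted above and reports the two things the replies diagnosed: the validated name resolving to an address you do not control, and the challenge request being redirected to another host. It also flags wildcard names, which need DNS-01. The domain placeholders are the thread's redacted ones, the "own" address is the 62.154.208.59 given in the thread, and the token value is a constructed placeholder.

```python
import json
import re

# Leftmost "[...]" after COMMAND_FAILED is dehydrated's JSON key path, e.g.
# ["validationRecord",0,"url"]; the JSON value follows after one space.
_KV = re.compile(r'(\[[^\]]*\]) (.*)$')
_DEC = json.JSONDecoder()  # raw_decode ignores the stray ")" closing "(result: ..."

def parse_dehydrated_line(line):
    """Return (key_path, value) from one COMMAND_FAILED log line, else (None, None)."""
    _, sep, tail = line.partition("COMMAND_FAILED: ")
    m = _KV.search(tail) if sep else None
    if not m:
        return None, None
    value, _ = _DEC.raw_decode(m.group(2))
    return json.loads(m.group(1)), value

def diagnose(domains, records, own_ips):
    """Turn the CA's validationRecord into (code, detail) findings. domains: names on
    the CSR; records: the validationRecord list; own_ips: set of addresses you control."""
    findings = [("WILDCARD_NEEDS_DNS01", d) for d in domains if d.startswith("*.")]
    if not records:
        return findings
    first = records[0]
    if first["addressUsed"] not in own_ips:  # DNS sent the CA to someone else's host
        findings.append(("NOT_OUR_IP", f"{first['hostname']} -> {first['addressUsed']}"))
    for hop in records[1:]:  # later records are redirects the CA followed
        if hop["hostname"] != first["hostname"]:
            findings.append(("REDIRECTED_OFF_HOST", hop["url"]))
    return findings

def findings_from_log(lines, domains, own_ips):
    """Pick the validationRecord out of a dehydrated error dump and diagnose it."""
    records = []
    for line in lines:
        key, value = parse_dehydrated_line(line)
        if key == ["validationRecord"]:
            records = value
    return diagnose(domains, records, own_ips)

# Constructed sample: two of the thread's COMMAND_FAILED lines, domain redacted.
_P = "2023:03:03-11:24:50 mail-1 letsencrypt[14080]: E Renew certificate: COMMAND_FAILED: "
SAMPLE_LOG = [
    _P + 'ERROR: Challenge is invalid! (returned: invalid) (result: ["type"] "http-01"',
    _P + '["validationRecord"] [{"url":"http://autodiscover.our-domain.net/.well-known/acme-challenge/TOKEN",'
    '"hostname":"autodiscover.our-domain.net","port":"80","addressesResolved":["195.20.225.163"],'
    '"addressUsed":"195.20.225.163"},{"url":"https://autodiscover.1and1.info/Autodiscover/Autodiscover.xml",'
    '"hostname":"autodiscover.1and1.info","port":"443","addressesResolved":["195.20.225.162"],'
    '"addressUsed":"195.20.225.162"}]',
]
```

Running `findings_from_log(SAMPLE_LOG, ["*.our-domain.net", "autodiscover.our-domain.net"], {"62.154.208.59"})` yields the three findings in that order; once the public DNS record points at your own address, only the off-host redirect remains to fix.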

Supplemental information:

1 Like

Problem is fixed.
There was a public DNS entry for autodiscover pointing to the provider's IP instead of our public IP.
After correcting that, I was able to run an http-01 challenge successfully.

What I don't understand myself is that the Sophos UTM doesn't support a wildcard at all!
Nevertheless, I have one in the certificate list, which just can not be renewed.
Here my predecessor has probably used some trick, but that's another story.

Thanks for your support

1 Like

Hi @waldhonig,

Not sure this is a good answer, but . . .

This is over 2 years old but states "While having a Certificate with multiple SAN's, by default the WAF will only pick the CN and give you an error for everything else."

1 Like
