Timeout Error When Requesting Let's Encrypt Certificate on Sophos Firewall

Hi Team,

I'm trying to request a Let's Encrypt certificate using my Sophos firewall, but I'm running into a persistent issue and could use some guidance.

Setup:

  • I have two upstream devices before the Sophos firewall.
  • Both upstream devices have port 80 and 443 open and forwarded correctly to the firewall.
  • I'm using a DDNS domain: kakarotto.ddns.net.
  • The certificate request is made directly from the Sophos firewall.

Issue:

The certificate request fails with the following error:

"type": "urn:ietf:params:acme:error:connection",
"detail": "122.177.224.68: Fetching http://kakarotto.ddns.net/.well-known/acme-challenge/CC8uPG-XGWfmPiqb49a74SfrJDDi3wD6moeFhsmlWjU: Timeout during connect (likely firewall problem)",
"status": 400

Things I've already checked:

  • Ports 80 and 443 are open on both upstream devices.
  • Port forwarding rules seem to be set up correctly.
  • I'm able to access other services hosted behind the firewall.

What I'm looking for:

  • Any insights on why Let's Encrypt might not be able to reach the challenge file.
  • Guidance on further diagnostics or steps to ensure the .well-known/acme-challenge/ path is accessible externally.
  • Whether Sophos requires any special configuration for web-based challenges (HTTP-01).

Thanks in advance for your help!

First get your Sophos firewall to serve anything on port 80, even a 404, externally (tested from an external network like your phone data, not over Wi-Fi etc.). Does your ISP definitely support port 80?


Hi @webprofusion,

Thank you so much for the reply.

On the Sophos firewall, port 80 is working well. I've temporarily configured another service on Port 80, and it was working well; however, with Let's Encrypt, I'm facing an issue.

If other services are working fine, then it indicates that the ISP definitely supports port 80.

Thank you.

Adding to my previous info.
Can you please let me know which protocol is used for port 80. Is it UDP or TCP?

The HTTP challenge inbound to you on port 80 is TCP.

Should something be replying to HTTP port 80 requests now? Because I don't see it working from the public internet: Check website performance and response : Check host - online website monitoring


Hi @MikeMcQ,

For testing, I've hosted a website behind the Sophos firewall on port 80 to validate whether the port is blocked; however, for now that specific configuration is removed because it may conflict with Let's Encrypt.

As long as you confirmed that HTTP requests from anywhere in the world could reach that test website, that part should be fine.

When Sophos asks the Let's Encrypt server for a certificate, the LE server sends HTTP requests to your domain to prove your control of that domain. It is that LE request to you that is timing out.

I don't know enough about Sophos' ACME setup to help. But, have you tried posting on the Sophos community?

The "timeout" error isn't anything wrong in LE (well, very rarely temporary comms problems occur). These are almost always something in your system blocking the LE request.


Hi @MikeMcQ,

Thank you for the clarification and explanation regarding the Let's Encrypt certificate issuance process. It really helped me understand how the ACME challenge works and where to look for potential issues.

I’d like to confirm that the issue is now resolved.

I’m one of the engineers working at Sophos, and this setup was in our lab environment for testing purposes. I’ve previously installed Let’s Encrypt certificates successfully in this environment but recently ran into a timeout issue during the HTTP challenge.

After thoroughly testing everything I could on my end and not finding anything obviously wrong, I reached out here for help. Based on your explanation about how Let’s Encrypt needs to validate control of the domain via HTTP, I reviewed our firewall configuration again — and that’s where I found the root cause.

It turned out that there was a NAT rule configured on our Sophos firewall that was forwarding HTTP (port 80) traffic to a different internal server; port 80 was hiding behind a host configured with the name of RDP.

Due to this, I never suspected that the issue was with the NAT rule. This NAT rule was overriding the correct routing needed for the Let's Encrypt validation. Also, as I've mentioned earlier, the other service was working on Port 80 because I configured another NAT rule, which was configured for another server. Due to the firewall's behavior, it was working because it was traffic for the host; however, in the case of the firewall's traffic, things are different.

After correcting the NAT configuration and ensuring port 80 traffic reaches the correct internal host for the ACME challenge, the certificate was issued successfully, and everything is working as expected now.

Thanks again for your help and for pointing me in the right direction.

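A small probe, added here as an example and not code from Sophos or from anyone in this thread, that does what MikeMcQ describes: it fetches the challenge URL over TCP port 80 the way the validator does and classifies the outcome, reporting the Server header so that a reply from the wrong internal host (the NAT-rule situation in the last post) shows up instead of hiding behind a 404 or a timeout. The token, thumbprint and the two local listeners are constructed for the demo; against a real setup you would call probe_http01("kakarotto.ddns.net", "<token>") from outside your own network.

```python
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

ACME_PATH = "/.well-known/acme-challenge/"

def probe_http01(host, token, port=80, timeout=5.0):
    """Fetch the HTTP-01 challenge URL like a validator and classify what came back."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", ACME_PATH + token, headers={"Host": host})
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace").strip()
        server = resp.getheader("Server", "")
        conn.close()
    except (socket.timeout, TimeoutError):
        return {"state": "timeout"}  # SYN dropped, or handshake done but nobody answers
    except ConnectionRefusedError:
        return {"state": "refused"}  # reached a host, but nothing listens on that port
    except OSError as exc:
        return {"state": "error", "detail": str(exc)}
    # RFC 8555: the body must be the key authorization "<token>.<JWK thumbprint>"
    if resp.status == 200 and body.startswith(token + "."):
        return {"state": "ok", "server": server}
    return {"state": "unexpected", "status": resp.status, "server": server}

class _ChallengeHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the firewall's ACME responder: 200 for the token, 404 otherwise."""
    token = "constructed-token"
    def do_GET(self):
        ok = self.path == ACME_PATH + self.token
        body = (self.token + ".constructed-thumbprint").encode() if ok else b"not found"
        self.send_response(200 if ok else 404)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args):
        pass  # keep the demo quiet

def start_demo_server():
    srv = HTTPServer(("127.0.0.1", 0), _ChallengeHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv  # srv.server_address[1] is the chosen port

def start_silent_listener():
    """Completes the TCP handshake but never replies, like port 80 forwarded to a host that ignores HTTP."""
    sock = socket.socket(); sock.bind(("127.0.0.1", 0)); sock.listen(1)
    return sock
```

A "timeout" from the silent listener is the same symptom the LE error reports; an "unexpected" result whose Server header names something other than the firewall's responder is the wrong-NAT-target case.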