
Generating Let’s Encrypt certificates on Aussie Broadband NBN

I was not able to generate a Let’s Encrypt certificate on my Sophos UTM 9 at home on my Aussie Broadband NBN connection. I was scratching my head for quite a few hours, as I wasn’t seeing any dropped packets on the firewall: the configuration was correct, but for some unknown reason I couldn’t generate Let’s Encrypt certificates. After much digging through the logs, searching all corners of the internet and getting extremely frustrated, I finally managed to figure it out!

I kept seeing the following in the Let’s Encrypt logs:

2019:10:27-04:00:00 UTM letsencrypt[12741]: E Renew certificate: COMMAND_FAILED:       "hostname": "UTM.yourdomain.com.au",
2019:10:27-04:00:00 UTM letsencrypt[12741]: E Renew certificate: COMMAND_FAILED:       "port": "80",
2019:10:27-04:00:01 UTM letsencrypt[12741]: I Renew certificate: sending notification WARN-603
2019:10:27-04:00:02 UTM letsencrypt[12741]: [WARN-603] Let's Encrypt certificate renewal failed accessing Let's Encrypt service
2019:10:27-04:00:02 UTM letsencrypt[12741]: I Renew certificate: execution completed (CSRs renewed: 0, failed: 1)
2019:10:27-14:05:06 UTM letsencrypt[669]: I Renew certificate: handling CSR REF_CaCsrLeUtm for domain set [UTM.yourdomain.com.au]
2019:10:27-14:05:51 UTM letsencrypt[669]: I Renew certificate: command completed with exit code 0

By default, Aussie Broadband blocks the following ports on its residential plans:

Outbound

  • TCP/25 (except to Aussie Broadband’s own mail servers)

Inbound

  • TCP/80
  • TCP/443
  • TCP/25
  • UDP/135
  • UDP/137-139

Now I finally figured out I had two problems. Port 80 inbound was blocked, and I was on their new CG-NAT (carrier-grade NAT, also called large-scale NAT) network. I needed to go back to a public IPv4 address and get port 80 unblocked.

When Let’s Encrypt tries to generate a certificate on the Sophos UTM 9, the UTM temporarily acts as a web server on port 80 so that Let’s Encrypt can fetch the HTTP-01 validation challenge. As Aussie Broadband blocks port 80, inbound packets were being dropped before they ever reached my firewall, which is why I wasn’t seeing any dropped-packet logs on my UTM.
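Both of the problems above (CG-NAT and an upstream port block) share the same symptom: nothing ever arrives at the firewall, so its logs are empty. The following POSIX shell script is an added example, not part of the original post and not a Sophos tool. It runs on any machine behind the firewall and takes two addresses you look up by hand: the address shown on the UTM’s WAN interface, and the address an external "what is my IP" service reports for you. It classifies the WAN address against the RFC 6598 CG-NAT shared address space (100.64.0.0/10) and the RFC 1918 private ranges, then tells you whether inbound TCP/80 can reach the box at all, so you know whether to ask the ISP for a public address, for the port block to be lifted, or both. The sample addresses in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): decide whether inbound TCP/80
# can reach the firewall before digging through Let's Encrypt logs.
# Facts used: CG-NAT shared address space is 100.64.0.0/10 (RFC 6598);
# private space is 10/8, 172.16/12 and 192.168/16 (RFC 1918).

# Return 0 if $1 is a syntactically valid dotted-quad IPv4 address.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Convert a validated dotted quad to a 32-bit integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 if address $1 lies inside CIDR block $2 (e.g. 100.64.0.0/10).
in_cidr() {
    net=${2%/*}; bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Print one of: cgnat, private, public, invalid (invalid also returns 1).
classify_wan_address() {
    valid_ipv4 "$1" || { echo invalid; return 1; }
    if in_cidr "$1" 100.64.0.0/10; then
        echo cgnat
    elif in_cidr "$1" 10.0.0.0/8 || in_cidr "$1" 172.16.0.0/12 \
         || in_cidr "$1" 192.168.0.0/16; then
        echo private
    else
        echo public
    fi
}

# $1 = address on the firewall's WAN interface,
# $2 = address the internet sees you coming from.
# Returns 0 when inbound traffic is routed straight to this firewall,
# 1 when something upstream is translating it, 2 on bad input.
diagnose_inbound() {
    wan_kind=$(classify_wan_address "$1") || { echo "invalid WAN address: $1"; return 2; }
    if [ "$wan_kind" = cgnat ]; then
        echo "behind CG-NAT ($1 is RFC 6598 shared space): ask the ISP for a public IPv4 address"
        return 1
    fi
    if [ "$wan_kind" = private ]; then
        echo "WAN address $1 is private: another NAT device sits in front of this firewall"
        return 1
    fi
    if [ "$1" != "$2" ]; then
        echo "WAN address $1 differs from observed address $2: traffic is translated upstream"
        return 1
    fi
    echo "public address $1 is routed to this firewall; if TCP/80 still fails, ask the ISP to lift the inbound port block"
    return 0
}

# Example usage with constructed addresses (203.0.113.0/24 is documentation space):
#   diagnose_inbound 100.64.1.2 203.0.113.7     -> behind CG-NAT, exit 1
#   diagnose_inbound 203.0.113.7 203.0.113.7    -> routed to firewall, exit 0
```

If the script reports CG-NAT or a mismatch, no amount of firewall rule tweaking will help, because the HTTP-01 request never reaches your network edge; only the ISP can change that. If it reports a directly routed public address and the challenge still fails with port 80 in the log, the ISP-side port block is the remaining suspect.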

All I had to do was ask customer service to lift the block. They applied the setting to my account instantly and I was then able to generate the certificate. Note that Aussie Broadband can only unblock all of the above ports together, not individually, so once the block is lifted your own firewall rules are the only thing stopping unsolicited inbound traffic on TCP/25, UDP/135 and UDP/137-139 as well.

More information can be found on Aussie Broadband’s Port Blocking Page and CG-NAT page.

Aussie Broadband Referral

If you’re looking to sign up to Aussie Broadband, use my referral code 1493279 at the checkout and we will both get $50 credit.

SUPPORT ME!

If you’d like to support TECHmarC, or if you’re using an adblocker, I ask you to consider whitelisting my website.

The ads displayed on this site help go towards keeping the website alive. I know it’s a small ask, but every little contribution helps! You can also support me by buying me a coffee!
