I was not able to generate a Let’s Encrypt Certificate on my Sophos UTM 9 at home on my Aussie Broadband NBN connection. I was scratching my head for quite a few hours as I wasn’t seeing any dropped packets on the firewall. I had the correct configuration but for some unknown reason, I couldn’t generate Let’s Encrypt certificates. After much digging through the logs, searching all corners of the internet, getting extremely frustrated, I finally managed to figure it out!
I kept seeing the following in the Let's Encrypt logs:
2019:10:27-04:00:00 UTM letsencrypt: E Renew certificate: COMMAND_FAILED: "hostname": "UTM.yourdomain.com.au",
2019:10:27-04:00:00 UTM letsencrypt: E Renew certificate: COMMAND_FAILED: "port": "80",
2019:10:27-04:00:01 UTM letsencrypt: I Renew certificate: sending notification WARN-603
2019:10:27-04:00:02 UTM letsencrypt: [WARN-603] Let's Encrypt certificate renewal failed accessing Let's Encrypt service
2019:10:27-04:00:02 UTM letsencrypt: I Renew certificate: execution completed (CSRs renewed: 0, failed: 1)
2019:10:27-14:05:06 UTM letsencrypt: I Renew certificate: handling CSR REF_CaCsrLeUtm for domain set [UTM.yourdomain.com.au]
2019:10:27-14:05:51 UTM letsencrypt: I Renew certificate: command completed with exit code 0
By default, Aussie Broadband blocks the following ports on its residential plans:
TCP/25 (Except to our mail servers)
Now I finally figured out I had two problems: inbound port 80 was blocked, and I was on their new CG-NAT (large-scale NAT) network. I needed to go back to an IPv4 address and get port 80 unblocked.
When the Sophos UTM 9 requests a Let's Encrypt certificate, it temporarily acts as a web server on TCP port 80 so that Let's Encrypt can fetch the validation challenge for the hostname (the HTTP-01 challenge; note the "port": "80" in the log above). Because Aussie Broadband blocks inbound port 80, the validation requests were dropped upstream, before they ever reached my firewall. This is why I wasn't seeing any dropped-packet logs on my UTM.
All I had to do was ask customer service to lift the block. They applied the settings to my account instantly and I was then able to generate the certificate. Note that Aussie Broadband can only unblock all of the above ports together, not individually.
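The two problems above (inbound port 80 silently dropped upstream, and a CG-NAT address instead of a routable IPv4 address) can be triaged before calling the ISP. The following script is an added example written for this post; it is not Sophos code and not from the original article. It parses the UTM's letsencrypt log for the COMMAND_FAILED hostname/port and the WARN-603 notification, classifies whatever WAN address the UTM's external interface actually holds (RFC 6598 CG-NAT space, non-routable, or public), and offers a plain TCP probe of the challenge port that you run from outside your home network. The log lines embedded below are constructed from the same format as the post's log; the WAN addresses in the usage section are made-up examples.

```python
"""Triage a failed Let's Encrypt HTTP-01 renewal on Sophos UTM 9.

Added example for this post (not Sophos code). Checks the three things the
post turned out to depend on: the challenge port in the log, whether the
UTM's WAN address is CG-NAT / non-routable, and whether TCP/80 is reachable
from the outside at all.
"""
import ipaddress
import re
import socket

# Constructed sample in the same format as the UTM "letsencrypt" log.
SAMPLE_LOG = """\
2019:10:27-04:00:00 UTM letsencrypt: E Renew certificate: COMMAND_FAILED: "hostname": "UTM.yourdomain.com.au",
2019:10:27-04:00:00 UTM letsencrypt: E Renew certificate: COMMAND_FAILED: "port": "80",
2019:10:27-04:00:01 UTM letsencrypt: I Renew certificate: sending notification WARN-603
2019:10:27-04:00:02 UTM letsencrypt: [WARN-603] Let's Encrypt certificate renewal failed accessing Let's Encrypt service
2019:10:27-04:00:02 UTM letsencrypt: I Renew certificate: execution completed (CSRs renewed: 0, failed: 1)
"""

# COMMAND_FAILED lines carry one JSON-style key/value pair each.
FAILED_KV = re.compile(r'COMMAND_FAILED: "(\w+)": "([^"]*)"')

# RFC 6598 shared address space used by carrier-grade NAT.
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def parse_failures(log_text):
    """Collect hostname/port from COMMAND_FAILED lines and flag WARN-603."""
    result = {"warn_603": False}
    for line in log_text.splitlines():
        m = FAILED_KV.search(line)
        if m:
            result[m.group(1)] = m.group(2)
        if "WARN-603" in line:
            result["warn_603"] = True
    return result


def classify_wan_address(addr):
    """'cgnat' for RFC 6598 space, 'private' for any other non-routable
    address (RFC 1918, link-local, loopback, ...), 'public' otherwise."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4 and ip in CGNAT:
        return "cgnat"
    if not ip.is_global:
        return "private"
    return "public"


def diagnose(log_text, wan_addr):
    """Combine the log findings and the WAN address into plain-English hints."""
    failures = parse_failures(log_text)
    kind = classify_wan_address(wan_addr)
    hints = []
    if failures.get("port") == "80":
        hints.append("HTTP-01 needs inbound TCP/80; an ISP-side block drops it "
                     "before the UTM, so no firewall drop log will appear")
    if kind == "cgnat":
        hints.append("WAN address is CG-NAT space: inbound connections cannot "
                     "reach the UTM; ask for a routable IPv4 address")
    elif kind == "private":
        hints.append("WAN address is not routable: the UTM is behind another NAT")
    if failures["warn_603"] and not hints:
        hints.append("WARN-603 with a public address: check DNS and the WAN "
                     "firewall/NAT rules for the challenge port")
    return {"failures": failures, "wan": kind, "hints": hints}


def probe_port(host, port=80, timeout=5.0):
    """TCP handshake test. Run from OUTSIDE the home network (a VPS or a
    phone hotspot); from inside you would only test your own LAN path."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Made-up WAN addresses for the three cases.
    for wan in ("100.64.12.34", "192.168.0.2", "1.1.1.1"):
        report = diagnose(SAMPLE_LOG, wan)
        print(wan, report["wan"], *report["hints"], sep="\n  ")
```

After the ISP has lifted the block and handed out a routable address, `probe_port("UTM.yourdomain.com.au", 80)` from a machine outside the home network should return True; if it still returns False while the UTM's own packet filter logs nothing, the drop is still upstream of you.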
If you're looking to sign up to Aussie Broadband, use my referral code 1493279 at the checkout and we will both get $50 credit.