Creating/renewing Let's Encrypt certificates fails with SNAT/DNAT enabled.

So, I have a bunch of web servers on my DMZ that are NATted externally with static IPs on my UTM using the classic DNAT/SNAT rules. It all works well except when I generate a new Let's Encrypt certificate or I try to renew an existing one (either manually or allowing the UTM to do its automatic bit). The only way out that I have been able to master so far is to manually disable the DNAT/SNAT rules, force a manual renew (which works) and then re-enable DNAT/SNAT until next time. Has anyone gone through a similar issue? What am I doing wrong/not doing? (No, I do not use country blocking, and yes, ports 80 and 443 are open in the firewall rules.) Below is a sample of the log; I'd appreciate any advice.

2021:02:04-16:59:02 spot letsencrypt[17115]: I Renew certificate: handling CSR REF_CaCsrCloudLetsEncry for domain set [cloud.wolf-net.net]
2021:02:04-16:59:02 spot letsencrypt[17115]: I Renew certificate: running command: /var/storage/chroot-reverseproxy/usr/dehydrated/bin/dehydrated -x -f /var/storage/chroot-reverseproxy/usr/dehydrated/conf/config -c --accept-terms --domain cloud.wolf-net.net
2021:02:04-16:59:19 spot letsencrypt[17115]: I Renew certificate: command completed with exit code 256
2021:02:04-16:59:19 spot letsencrypt[17115]: E Renew certificate: COMMAND_FAILED: ERROR: Challenge is invalid! (returned: invalid) (result: {
2021:02:04-16:59:19 spot letsencrypt[17115]: E Renew certificate: COMMAND_FAILED: "type": "http-01",
2021:02:04-16:59:19 spot letsencrypt[17115]: E Renew certificate: COMMAND_FAILED: "status": "invalid",
2021:02:04-16:59:19 spot letsencrypt[17115]: E Renew certificate: COMMAND_FAILED: "error": {
2021:02:04-16:59:19 spot letsencrypt[17115]: E Renew certificate: COMMAND_FAILED: "type": "urn:ietf:params:acme:error:unauthorized",
2021:02:04-16:59:19 spot letsencrypt[17115]: E Renew certificate: COMMAND_FAILED: "detail": "Invalid response from cloud.wolf-net.net/.../cX6EwyD4dC1c_C3DzEtIvToUsHDJ-DxoCyztLCdPRwQ [72.68.34.119]: \"\u003c!DOCTYPE HTML PUBLIC \\\"-//IETF//DTD HTML 2.0//EN\\\"\u003e\\n\u003chtml\u003e\u003chead\u003e\\n\u003ctitle\u003e404 Not Found\u003c/title\u003e\\n\u003c/head\u003e\u003cbody\u003e\\n\u003ch1\u003eNot Found\u003c/h1\u003e\\n\u003cp\"",
2021:02:04-16:59:19 spot letsencrypt[17115]: E Renew certificate: COMMAND_FAILED: "status": 403
2021:02:04-16:59:19 spot letsencrypt[17115]: E Renew certificate: COMMAND_FAILED: },
2021:02:04-16:59:19 spot letsencrypt[17115]: E Renew certificate: COMMAND_FAILED: "url": "acme-v02.api.letsencrypt.org/.../vlRIpQ",
2021:02:04-16:59:19 spot letsencrypt[17115]: E Renew certificate: COMMAND_FAILED: "token": "cX6EwyD4dC1c_C3DzEtIvToUsHDJ-DxoCyztLCdPRwQ",
2021:02:04-16:59:19 spot letsencrypt[17115]: E Renew certificate: COMMAND_FAILED: "validationRecord": [
2021:02:04-16:59:19 spot letsencrypt[17115]: E Renew certificate: COMMAND_FAILED: {
2021:02:04-16:59:19 spot letsencrypt[17115]: E Renew certificate: COMMAND_FAILED: "url": "cloud.wolf-net.net/.../cX6EwyD4dC1c_C3DzEtIvToUsHDJ-DxoCyztLCdPRwQ",
2021:02:04-16:59:19 spot letsencrypt[17115]: E Renew certificate: COMMAND_FAILED: "hostname": "cloud.wolf-net.net",
2021:02:04-16:59:19 spot letsencrypt[17115]: E Renew certificate: COMMAND_FAILED: "port": "80",
2021:02:04-16:59:19 spot letsencrypt[17115]: E Renew certificate: COMMAND_FAILED: "addressesResolved": [
2021:02:04-16:59:19 spot letsencrypt[17115]: E Renew certificate: COMMAND_FAILED: "72.68.34.119"
2021:02:04-16:59:19 spot letsencrypt[17115]: E Renew certificate: COMMAND_FAILED: ],
2021:02:04-16:59:19 spot letsencrypt[17115]: E Renew certificate: COMMAND_FAILED: "addressUsed": "72.68.34.119"
2021:02:04-16:59:19 spot letsencrypt[17115]: E Renew certificate: COMMAND_FAILED: }
2021:02:04-16:59:19 spot letsencrypt[17115]: E Renew certificate: COMMAND_FAILED: ]
2021:02:04-16:59:19 spot letsencrypt[17115]: E Renew certificate: COMMAND_FAILED: })
2021:02:04-16:59:20 spot letsencrypt[17115]: I Renew certificate: sending notification WARN-603
2021:02:04-16:59:20 spot letsencrypt[17115]: [WARN-603] Let's Encrypt certificate renewal failed accessing Let's Encrypt service
2021:02:04-16:59:20 spot letsencrypt[17115]: I Renew certificate: execution completed (CSRs renewed: 0, failed: 1)
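Added example, not Sophos UTM code and not from the post: a small Python helper that pulls the fields that matter out of a UTM letsencrypt COMMAND_FAILED dump like the one above and turns them into a verdict on where the CA's HTTP-01 request actually landed. The sample records are constructed from the post's log (token and HTML page shortened); the "backend answered" conclusion rests on the poster's own observation that renewal succeeds as soon as the port-80 DNAT is disabled.

```python
import re

# The CA's result JSON is spread over many syslog records (and forum copies
# mangle the URLs), so targeted regexes beat json.loads() on the joined text.
FIELDS = {
    "challenge": r'"type":\s*"(http-01|dns-01|tls-alpn-01)"',
    "hostname": r'"hostname":\s*"([^"]+)"',
    "address_used": r'"addressUsed":\s*"([^"]+)"',
    "acme_error": r'"type":\s*"urn:ietf:params:acme:error:([^"]+)"',
    "http_status": r'"status":\s*(\d{3})\b',  # the unquoted one, not "invalid"
}

def summarize_failure(log_lines):
    """Collapse a UTM letsencrypt COMMAND_FAILED dump into one dict and add a
    verdict on where the CA's validation request was answered."""
    body = " ".join(ln.split("COMMAND_FAILED:", 1)[1] for ln in log_lines if "COMMAND_FAILED:" in ln)
    info = {}
    for key, pattern in FIELDS.items():
        m = re.search(pattern, body)
        info[key] = m.group(1) if m else None
    # A generic "404 Not Found" page at /.well-known/acme-challenge/<token> means
    # whatever answered on the public IP does not hold the token the UTM just
    # published: with a port-80 DNAT in front of the UTM that is the DMZ backend.
    info["backend_answered_challenge"] = (
        info["challenge"] == "http-01"
        and info["acme_error"] == "unauthorized"
        and "404 Not Found" in body
    )
    if info["backend_answered_challenge"]:
        info["verdict"] = f"{info['hostname']} ({info['address_used']}): web-server 404 on the http-01 path; port-80 DNAT is bypassing the UTM challenge responder"
    else:
        info["verdict"] = f"{info['hostname']}: {info['challenge']} challenge failed ({info['acme_error']})"
    return info

# Constructed sample: the records that matter from the log in the post above.
P = "2021:02:04-16:59:19 spot letsencrypt[17115]: E Renew certificate: COMMAND_FAILED: "
SAMPLE = [P + t for t in (
    'ERROR: Challenge is invalid! (returned: invalid) (result: {',
    '"type": "http-01",',
    '"type": "urn:ietf:params:acme:error:unauthorized",',
    '"detail": "Invalid response from cloud.wolf-net.net/.../TOKEN [72.68.34.119]: '
    '\\"<title>404 Not Found</title>\\"",',
    '"status": 403',
    '"hostname": "cloud.wolf-net.net",',
    '"addressUsed": "72.68.34.119"',
)]

if __name__ == "__main__":
    print(summarize_failure(SAMPLE)["verdict"])
```

Run it against the real log (every line of the UTM's letsencrypt.log for the failed run) to get the same verdict; a run that resolves the name to an address other than the UTM's own external IP points at DNS rather than NAT.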