Kerio connect 9.4 new Let's encrypt certificate error (Failed to issue LetsEncrypt certificate: Failure / timeout verifying challenge passed)
Kerio connect 9.4 new Let's encrypt certificate error [message #150952] Wed, 26 January 2022 11:31
diegom
Messages: 5
Registered: January 2022
Hi everyone...
I can't generate the certificate and I get the following error message:
Failed to issue LetsEncrypt certificate: Failure / timeout verifying challenge passed

I checked my firewall for the necessary ports and tested my domain on "https://letsdebug.net/" positively.
Can someone help me?
Thank you
Diego
Re: Kerio connect 9.4 new Let's encrypt certificate error [message #150953 is a reply to message #150952] Wed, 26 January 2022 12:50
srazvan
Messages: 9
Registered: September 2021
Hi Diego,

The domain used for certificate generation has to be publicly accessible via HTTP.

Per community chatter in Let's Encrypt, port 80 is required to be open, to verify http://letsdebug.net/.
I see your domain has a 307 internal redirect to https, of which internal could be an issue, but the GFI support team can help troubleshoot. If you haven't already opened a support ticket: https://support.kerioconnect.gfi.com/hc/en-us


GFI Customer Support Edge Team
Re: Kerio connect 9.4 new Let's encrypt certificate error [message #150959 is a reply to message #150953] Thu, 27 January 2022 08:29
diegom
Messages: 5
Registered: January 2022
Hi srazvan

Thank you for the answer...

My port 80 to my mail server is open and verification with http://letsdebug.net/ is OK.
About the 307 internal redirect, I think it is set by my provider....
Re: Kerio connect 9.4 new Let's encrypt certificate error [message #150969 is a reply to message #150959] Sat, 29 January 2022 05:43
bigmountain
Messages: 64
Registered: April 2006

Are you forcing TLS encryption? I wonder if maybe that is doing anything? Try temporarily disabling it then attempt to add the certificate. I haven't tried it, just brainstorming for possibilities.

Preferred Kerio Partner and Cloud Solutions Provider - Offering both shared and dedicated Kerio Connect hosting solutions.
Visit us at http://bigmountainmail.com
Re: Kerio connect 9.4 new Let's encrypt certificate error [message #150971 is a reply to message #150969] Sat, 29 January 2022 15:37
dbosiljevac
Messages: 14
Registered: April 2015
Check your settings under Security --> Security Policy. If it says "Require encryption" change it to "No restrictions". I found it didn't work when I had it forcing encryption, but worked fine when it was disabled.

I'm not keen on having the ability for people to log into webmail through HTTP and would much rather people get redirected to HTTPS, but I get why they need to do it for LetsEncrypt.
Re: Kerio connect 9.4 new Let's encrypt certificate error [message #150972 is a reply to message #150969] Sat, 29 January 2022 21:47
Seeds
Messages: 3
Registered: January 2022
Hi,

Users may have to make a few changes to their Kerio Connect installation in order to use Kerio Connect's new Let's Encrypt ACME client to receive, auto-install and update Let's Encrypt certificates.

    1. Make sure the firewall has port 80 open and directing traffic to the Kerio Connect server. Also, make sure that port 80 traffic is being forwarded to the correct IP if Kerio Connect is bound to a specific IP or network card. In addition, make sure no other software on the Kerio Connect server is listening on port 80 using the same network card/IP address as Kerio Connect.
    2. Make sure Kerio Connect is listening on port 80. The HTTP service should be running on port 80. Go to Configuration > Services > HTTP, which should have "All addresses:80" listed. You can set the service to run automatically to help Kerio Connect's Let's Encrypt ACME client renew the certificate.
    3. Kerio Connect's Security policy has to be set to "No restriction." Go to Configuration > Security > Security Policy. Making this change does not mean all connections are insecure. Connections can still be negotiated to use TLS, but Kerio Connect will accept non-encrypted traffic when the security policy is set to "No restriction."
Once Kerio is set up, Let's Encrypt certificates install in about 2-3 seconds. But as with all features, there could be some issues.

Point 3 can be an issue for some installations of Kerio Connect. Some Kerio Connect administrators encrypt all traffic to Kerio Connect. When Let's Encrypt makes the connection on port 80 (unencrypted), Kerio will redirect the connection to HTTPS (port 443/8843). Meanwhile Kerio Connect's Let's Encrypt ACME client will still be listening on port 80. Eventually, the connection is never received. This can be observed in the debug log. Users could keep the security policy set to encrypted, then change the security policy to "no restriction" on the day Let's Encrypt needs to renew. However, this is not practical in many settings. It is better to bind the Kerio installation to a specific network card in the server or virtualize the installation.

Point 2 can be an issue for small businesses who have one bare-metal server with multiple instances of server software installed. For instance, if a small business has Kerio Connect and IIS installed on one bare-metal server with one network card, IIS is usually listening on port 80, making it impossible for Kerio Connect to listen on port 80. Kerio Connect's Let's Encrypt client will not be able to listen on port 80 either. This problem can be mitigated by binding the server software to different network interfaces or virtualizing software installations, which most small businesses without full-time IT staff are unwilling or unable to do.

In future updates, I would like Kerio Connect to offer different Let's Encrypt challenges (such as DNS) to help solve the aforementioned issues.
Re: Kerio connect 9.4 new Let's encrypt certificate error [message #150982 is a reply to message #150972] Mon, 31 January 2022 15:17
diegom
Messages: 5
Registered: January 2022
Hi,

Thank you for the help.
In my case the problem was the Security Encryption setting; after setting it to "No restriction" the certificate was successfully generated.

Re: Kerio connect 9.4 new Let's encrypt certificate error [message #150986 is a reply to message #150972] Tue, 01 February 2022 08:55
boisbleu
Messages: 60
Registered: May 2015
Seeds wrote on Sat, 29 January 2022 21:47

3. Kerio Connect's Security policy has to be set to "No restriction." Go to Configuration > Security > Security Policy. Making this change does not mean all connections are insecure. Connections can still be negotiated to use TLS, but Kerio Connect will accept non-encrypted traffic when the security policy is set to "No restriction."
Are you sure? These are my settings and as I remember I haven't changed them in the last 2 years.

[Updated on: Tue, 01 February 2022 08:59]

Re: Kerio connect 9.4 new Let's encrypt certificate error [message #150991 is a reply to message #150986] Tue, 01 February 2022 17:14
Seeds
Messages: 3
Registered: January 2022
boisbleu wrote on Tue, 01 February 2022 08:55
Seeds wrote on Sat, 29 January 2022 21:47

3. Kerio Connect's Security policy has to be set to "No restriction." Go to Configuration > Security > Security Policy. Making this change does not mean all connections are insecure. Connections can still be negotiated to use TLS, but Kerio Connect will accept non-encrypted traffic when the security policy is set to "No restriction."
Are you sure? These are my settings and as I remember I haven't changed them in the last 2 years.
If you want to use Let's Encrypt's ACME client in Kerio version 9.4.0, then Kerio Connect's Security Policy has to be set to "No restriction," just as others in this thread discovered. When Kerio Connect's security policy is set to "Required Encryption or Secure Authorization", incoming requests are automatically forwarded to whatever secure port is set in services (i.e. port 443/8843). You can read this behavior in the Debug log. Let's Encrypt's ACME client in Kerio Connect 9.4.0 only has the HTTP challenge, which uses an insecure port (i.e. port 80/8880). Requiring Encryption or Secure Authorization will divert the HTTP challenge to a secure port while the Let's Encrypt ACME client will listen on an insecure port. Thus, Let's Encrypt's ACME client will never receive any communication and no certificate.
Re: Kerio connect 9.4 new Let's encrypt certificate error [message #150993 is a reply to message #150986] Tue, 01 February 2022 22:56
dbosiljevac
Messages: 14
Registered: April 2015
I think where my LetsEncrypt renewals are getting hung up is on the redirect. I have both 443 and 8843 open (for ActiveSync) and, for some reason, my redirect goes to 8843 whenever I go to the unsecured login page with "Require encrypted connection" turned on. I believe LetsEncrypt supports being redirected to 443, but not to 8843. I'm not sure if there's a way to force a redirection to 443.
Re: Kerio connect 9.4 new Let's encrypt certificate error [message #151000 is a reply to message #150991] Wed, 02 February 2022 15:06
boisbleu
Messages: 60
Registered: May 2015
Seeds wrote on Tue, 01 February 2022 17:14
Let's Encrypt's ACME client in Kerio Connect 9.4.0 only has the HTTP challenge, which uses an insecure port (i.e. port 80/8880). Requiring Encryption or Secure Authorization will divert the HTTP challenge to a secure port while the Let's Encrypt ACME client will listen on an insecure port. Thus, Let's Encrypt's ACME client will never receive any communication and no certificate.
I think you're wrong. These settings are relevant to the mail communication only. These settings have nothing to do with the certificate.

Re: Kerio connect 9.4 new Let's encrypt certificate error [message #151002 is a reply to message #150993] Wed, 02 February 2022 23:09
Seeds
Messages: 3
Registered: January 2022
dbosiljevac wrote on Tue, 01 February 2022 22:56
I think where my LetsEncrypt renewals are getting hung up is on the redirect. I have both 443 and 8843 open (for ActiveSync) and, for some reason, my redirect goes to 8843 whenever I go to the unsecured login page with "Require encrypted connection" turned on. I believe LetsEncrypt supports being redirected to 443, but not to 8843. I'm not sure if there's a way to force a redirection to 443.
If you are only using port 443 for Kerio Connect and not IIS or anything else on the same server installation, then you can remove 8843 from the Kerio Connect services and only use 443 for ActiveSync and secure webmail. Then, Let's Encrypt should be redirected successfully to port 443.

Also, you can try removing Port 443 and 8843 from Kerio Connect services, then add 443 and 8843 in that order so that 443 is listed first. Restart the HTTPS service and see if 443 is now the default HTTPS port. If it is, then the redirect to HTTPS should work with Let's Encrypt ACME client in Kerio Connect 9.4.0.
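The mechanism described in Seeds' posts above (the HTTP-01 challenge arrives on port 80, a policy that forces encryption redirects it to the first HTTPS port in the service list, and the validator only tolerates that redirect when the port is 443) can be replayed offline. The following is an added example, not Kerio Connect's or Let's Encrypt's own code: it encodes the validator rule published by Let's Encrypt (redirects are followed only to http: or https: on ports 80 or 443, at most 10 hops) and walks a constructed response table for the three cases in this thread. The hostname, token, key authorization and responses are all placeholders constructed for the example; the assumption that the HTTPS listener serves the token after a redirect to 443 is taken from the working report in this thread.

```python
"""Offline model of how an ACME HTTP-01 validator walks a redirect chain.

Added example; neither Kerio Connect's nor Let's Encrypt's code. It encodes
the published validator rule (redirects are followed only to http: or
https: on ports 80 or 443, at most 10 hops) and replays the situations
from this thread: port 80 answering directly, and port 80 redirecting to
an HTTPS port, which only works when that port is 443.
All hostnames, tokens and responses are constructed placeholders.
"""
from urllib.parse import urljoin, urlparse

MAX_REDIRECTS = 10
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def redirect_is_followable(location: str) -> bool:
    """True if an HTTP-01 validator would follow a redirect to `location`."""
    parsed = urlparse(location)
    if parsed.scheme not in ALLOWED_SCHEMES or not parsed.hostname:
        return False
    default_port = 80 if parsed.scheme == "http" else 443
    port = parsed.port if parsed.port is not None else default_port
    return port in ALLOWED_PORTS


def simulate_http01(start_url, responses, key_authorization):
    """Walk a constructed response table (url -> (status, location, body))
    the way a validator would and return (ok, reason)."""
    url = start_url
    for _ in range(MAX_REDIRECTS + 1):
        if url not in responses:
            # Nothing answers at this URL from the validator's point of view:
            # the "timeout verifying challenge" case from the thread.
            return False, f"no listener answered {url} (validation times out)"
        status, location, body = responses[url]
        if status in REDIRECT_STATUSES:
            target = urljoin(url, location)
            if not redirect_is_followable(target):
                return False, (f"redirect to {target} refused: only ports 80 "
                               f"and 443 over http/https are followed")
            url = target
            continue
        if status == 200 and body.strip() == key_authorization:
            return True, f"key authorization served from {url}"
        return False, f"unexpected {status} response from {url}"
    return False, "too many redirects"


# Constructed challenge material (real tokens come from the ACME server).
HOST = "mail.example.invalid"  # placeholder host
TOKEN = "constructed-token"
KEY_AUTH = TOKEN + ".constructed-account-thumbprint"
CHALLENGE_PATH = "/.well-known/acme-challenge/" + TOKEN
START = f"http://{HOST}{CHALLENGE_PATH}"


def scenario_no_restriction():
    """Security policy 'No restrictions': port 80 serves the token itself."""
    responses = {START: (200, None, KEY_AUTH)}
    return simulate_http01(START, responses, KEY_AUTH)


def scenario_forced_encryption(first_https_port):
    """Security policy forcing encryption: port 80 answers with a 307 to the
    first HTTPS port in the service list. Assumed (from the thread's report
    that 443-first ordering works) that the HTTPS listener serves the token."""
    https_url = f"https://{HOST}:{first_https_port}{CHALLENGE_PATH}"
    responses = {
        START: (307, https_url, ""),
        f"https://{HOST}:443{CHALLENGE_PATH}": (200, None, KEY_AUTH),
        f"https://{HOST}:8843{CHALLENGE_PATH}": (200, None, KEY_AUTH),
    }
    return simulate_http01(START, responses, KEY_AUTH)


if __name__ == "__main__":
    print("no restriction   :", scenario_no_restriction())
    print("redirect to 443  :", scenario_forced_encryption(443))
    print("redirect to 8843 :", scenario_forced_encryption(8843))
```

Running the block shows the 8843 case failing at the redirect check rather than at the token check, which is the same outcome an administrator sees as "timeout verifying challenge" when the first HTTPS port in the service list is 8843; reordering so 443 comes first, or setting the policy to "No restrictions", makes the chain end in a 200 with the key authorization.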
Re: Kerio connect 9.4 new Let's encrypt certificate error [message #151008 is a reply to message #151002] Thu, 03 February 2022 14:45
dbosiljevac
Messages: 14
Registered: April 2015
Hey there, thanks for the removing/adding tip. I actually ended up doing that a few days ago and now 443 shows up before 8843 in my secure HTTP service. It looks like LetsEncrypt is now issuing certificates while getting redirected to port 443. Definitely prefer having the setting to redirect http to https enabled on my server.
Re: Kerio connect 9.4 new Let's encrypt certificate error [message #151452 is a reply to message #151008] Fri, 15 April 2022 01:02
DataSmith
Messages: 8
Registered: March 2013
If the security policy is set to Require Encrypted Connection, why not also choose to allow unencrypted connections from an IP address list that includes the Let's Encrypt servers?
Wouldn't that solve the problem, assuming we can figure out the relevant IP addresses?
Re: Kerio connect 9.4 new Let's encrypt certificate error [message #152714 is a reply to message #151452] Tue, 20 September 2022 17:41
cmharley
Messages: 3
Registered: September 2022
Unfortunately Let's Encrypt will not give out those IP addresses. I would also like to see an alternate means for the challenge, such as the DNS TXT record option.