Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

I am having issues with Lets Encrypt not able to update SSL Certificates on my Webserver.

2

Answers

  • johnnyzjohnnyz Newbie ✭
    edited December 2021

    I have been hosing these same sites for 20 plus years, same IP's, DNS etc...

    I have been using LE for a couple years now. Like I said all has been fine and this just started about 8 months ago. Just trying to figure out why. It can only be two things at this point, COX my service provider or the SonicWall. As nothing else has changed.

  • johnnyzjohnnyz Newbie ✭

    So I found a work around and not sure if this adds anything towards troubleshooting the issue.

    I can get Lets Encrypt to work every time while I am downloading files. For example I will start 3, 2GB files downloading and then run the Lets Encrypt test and script and it will work and pass every time, so what the heck is that all about?

  • prestonpreston Enthusiast ✭✭

    @johnnyz, when you created the NAT & Firewall rule did you use the Public Server Wizard? if so are you using the default WAN IP? if so delete the auto created by the Wizard outbound NAT policy from the server which is translated to the WAN IP,

    there was an issue recently with the SMA devices when behind the Firewall, when trying to sync licenses and download clients it wouldn't work, but if you disabled the Wizard created outbound NAT policy on the firewall it worked fine. this sounds like it could be similar issue

  • johnnyzjohnnyz Newbie ✭
    edited December 2021

    I didn't use the "Wizard" to do anything so can you please tell me more about this?

    And is SonicWall looking into fixing this issue?

  • AjishlalAjishlal Community Legend ✭✭✭✭✭

    Can you share us with your Firewall NAT & Firewall Access rule?

  • johnnyzjohnnyz Newbie ✭

    I have 31 NAT rules, what ones would you like me to send?

  • AjishlalAjishlal Community Legend ✭✭✭✭✭

    Which you created for your Webserver (NAT & Firewall Access Rule)

  • johnnyzjohnnyz Newbie ✭
    edited December 2021
  • johnnyzjohnnyz Newbie ✭

    Anyone?

    So it looks like this is starting to lean toward an issue with the SonicWall. And that makes 100% sense as this started after the Last Firmware update in March-May, cant remember the month. SONICWALL CAN YOU PLEASE HELP WITH THIS!

  • AjishlalAjishlal Community Legend ✭✭✭✭✭

    Hi @johnnyz

    You didnt share the Firewall Access rule for the Webserver.

    create the Firewall Access rule as same as below & before that create a service group and add port 80 & 443.

    Firewall Access Rule:

    Firewall NAT Rule:

    Edit the existing NAT Rule as same as below and I guess your LAN interface is X0.

    Once you done above changes try to renew your SSL and let us know.

  • johnnyzjohnnyz Newbie ✭

    yes the access rule it there just like that, has been, like I said, all has been working fine for years, until this last SonicWALL firmware update.

    And if I take off any on that #2 the websites wont come up.


  • johnnyzjohnnyz Newbie ✭

    And also like I Said, I found a work around and not sure if this adds anything towards troubleshooting the issue.

    I can get Lets Encrypt to work every time while I am downloading files. For example I will start 3, 2GB files downloading and then run the Lets Encrypt test and script and it will work and pass every time, so what the heck is that all about?

  • TKWITSTKWITS Community Legend ✭✭✭✭✭

    At this point your best option is to open a ticket with support. We are only community members providing the best help we can, we are not Sonicwall.

  • johnnyzjohnnyz Newbie ✭
    edited December 2021

    its not still under warranty so SonicWALL wont help me at all.

  • AjishlalAjishlal Community Legend ✭✭✭✭✭

    Either its not communicating properly to the Server since you are not specified the ports in Firewall (ACL & NAT). So recommended to create proper NAT & Firewall Rule for the webserver.

  • johnnyzjohnnyz Newbie ✭

    Not sure what you need from me. as far as I know all rules and ports are right. Like I said this has been working right for many years. this just started 8 months ago and the only thing that change on my end was a SonicWALL firmware update.


  • LarryLarry All-Knowing Sage ✭✭✭✭

    You have said, repeatedly,

    this just started 8 months ago and the only thing that change on my end was a SonicWALL firmware update.

    So why - in all this time - haven't you reverted to the previous version to test your suspicion?


  • johnnyzjohnnyz Newbie ✭
    edited December 2021

    I was told its not a good idea to go back to an old firmware version and there could be issues. I don't want to bring down out entire business.

  • AjishlalAjishlal Community Legend ✭✭✭✭✭

    Create the NAT rule as same as below and try. Choose the service group as "Linux WebServer 10.0.0.18"


  • johnnyzjohnnyz Newbie ✭

    I did what you sad and same thing, no change.


  • prestonpreston Enthusiast ✭✭
    edited December 2021

    @johnnyz, your rule 3 (incoming NAT) should be as below

    Source Original = ANY,

    Translated Source = Original,

    Destination Original = Public IP (70.167.119.118)

    Destination Translated = Private IP (10.0.0.18)

    Original Service = Service Group (Linux Web Server 10.0.0.18)

    Translated Service = Original


    Also disable the loopback NAT policy if not used (Rule 1)

  • johnnyzjohnnyz Newbie ✭

    Very weird. when I add my server group "like you said above" websites wont come up.


  • AjishlalAjishlal Community Legend ✭✭✭✭✭

    I informed you to update two NAT rule and you did only one. Update the Rule as per below;

    I assume X0 is your LAN interface where you connected the Webserver.

  • johnnyzjohnnyz Newbie ✭

    I cant do any of that. as soon as I change the setting I cant get to the websites.

  • johnnyzjohnnyz Newbie ✭

    and yes X0 would be the LAN

  • johnnyzjohnnyz Newbie ✭

    I have 8 IP's

  • prestonpreston Enthusiast ✭✭

    @johnnyz you really need to raise a support request with SW for this,

    Also if you have 8 IP addresses on your Primary WAN connection and the server is a web server why don't you just use L3 splice (Transparent mode) no NAT involved then just a firewall rule needed, you will need to put the server on it's own interface and give the server the Public IP details rather than the LAN IP details it currently uses.

    https://www.sonicwall.com/support/knowledge-base/configuring-interfaces-in-transparent-ip-mode-splice-l3-subnet/190315113832572/

  • johnnyzjohnnyz Newbie ✭

    Not sure if or how to do that. the web server is on a VM server with other servers?

  • prestonpreston Enthusiast ✭✭

    @johnnyz you would be best raising a Support request,

    to do the L3 Splice would involve your virtual switch on the VM and putting the webserver in its own VLAN, then via a L2 managed switch assigning that to a port untagged then from there in to a free Interface on the SonicWall which would be set as per the document with your desired WAN IP to use.

  • johnnyzjohnnyz Newbie ✭

    Ok, I figure that would be how to do that. I think I will give that a try after the holidays.

    Thanks John

Sign In or Register to comment.