Overview
Users have reported that Let's Encrypt certificates fail to renew in very specific configurations, with the error "Failed to issue LetsEncrypt certificate".
Pre-conditions
- Kerio Control Firewall 9.5.0 or later sitting in front of Kerio Connect
Solution
This behavior is not a defect in Kerio Connect or Kerio Control. It is caused by the Shield Matrix security feature in Kerio Control interfering with the renewal process. Temporarily disabling Shield Matrix during the renewal process resolves the issue.
- Check Shield Matrix Status:
  - Access the Kerio Control administration interface.
  - Navigate to the Shield Matrix configuration settings.
- Disable Shield Matrix Temporarily:
  - Temporarily disable the Shield Matrix feature to allow Let's Encrypt to access the necessary endpoints.
- Renew Let's Encrypt Certificate:
  - Attempt to renew the Let's Encrypt certificate on the Kerio Connect server.
- Re-enable Shield Matrix:
  - Once the certificate renewal is successful, re-enable the Shield Matrix feature to maintain security.
Frequently Asked Questions
- Q1: How do I know if Shield Matrix is causing the issue?
- A1: If you are using Kerio Control and experiencing Let's Encrypt renewal failures, check if Shield Matrix is enabled. Temporarily disabling it can help determine if it's the cause.
- Q2: What should I do if the renewal still fails after disabling Shield Matrix?
- A2: Ensure that all network and DNS configurations are correct, and there are no other security features blocking the renewal process. If issues persist, contact support for further assistance.
- Q3: Can I keep Shield Matrix disabled permanently?
- A3: It is not recommended to keep Shield Matrix disabled permanently as it is a security feature. Only disable it temporarily for the renewal process and re-enable it afterward.
Ciprian Nastase