Overview
If you are using Kerio Connect's integrated Let's Encrypt certificate utility to generate or renew an SSL certificate, you may encounter the following error message:
Operation failed, internal error: Failed to issue Let's Encrypt certificate: Failure contacting https://acme-v02.api.letsencrypt.org/directory;rel=index to read header
This problem is due to changes made by Let's Encrypt, which required code changes in Kerio Connect.
Solution
The issue was reported to the Development team, who promptly made the necessary changes at code level. To resolve this issue, you need to manually upgrade your Kerio Connect Server to the production-quality beta build number 8310.
Note: Users who installed build 8197 should update to the newer build, which fixes additional issues.
This version can be downloaded from the Google Drive URL above. After upgrading, Let's Encrypt certificate renewals should work as expected.
The fix for this issue will also be included in the upcoming generally available Kerio Connect version, and this article will be updated accordingly once the final version is published.
NOTE: As a consequence of the repeated renewal attempts, you may see the following error even after applying the hotfix above:
Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: mail.domain.com, retry after 2024-06-25T19:58:44Z: see https://letsencrypt.org/docs/duplicate-certificate-limit/
This is because each renewal attempt (even a failed one) is counted against the Let's Encrypt rate limit. If you are facing this error, the only option is to wait until after the time specified in the error before trying to renew or issue a new certificate.
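The two failure modes on this page (the ACME directory fetch failing, and the duplicate-certificate rate limit being exhausted by repeated attempts) are both things a renewal job can check for itself before it spends another attempt. The script below is an added example and is not part of Kerio Connect or this article; it assumes a renewal job that keeps its own log of successful issuances, models the limit as the 5-per-168-hours sliding window stated in the error text, and uses the ACME directory URL from the first error as a pre-flight reachability check. The sample error message is the one quoted above; the second domain set (`autodiscover.domain.com`) is a hypothetical placeholder.

```python
import json
import re
import urllib.error
import urllib.request
from datetime import datetime, timedelta, timezone

# Let's Encrypt duplicate-certificate limit, as quoted in the error message above:
# at most 5 certificates for one exact set of domains per 168-hour sliding window.
DUPLICATE_CERT_LIMIT = 5
DUPLICATE_CERT_WINDOW = timedelta(hours=168)

# Constructed sample: the rate-limit message from this article, as the server would log it.
SAMPLE_RATE_LIMIT_ERROR = (
    "Error creating new order :: too many certificates (5) already issued for this "
    "exact set of domains in the last 168 hours: mail.domain.com, retry after "
    "2024-06-25T19:58:44Z: see https://letsencrypt.org/docs/duplicate-certificate-limit/"
)

_RATE_LIMIT_RE = re.compile(
    r"too many certificates \((?P<count>\d+)\) already issued for this exact set of "
    r"domains in the last (?P<hours>\d+) hours: (?P<domains>.+?), retry after "
    r"(?P<retry>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)"
)


def parse_rate_limit_error(message):
    """Extract count, window, domain set and retry-after (UTC) from the message, or None."""
    m = _RATE_LIMIT_RE.search(message)
    if m is None:
        return None
    retry = datetime.strptime(m.group("retry"), "%Y-%m-%dT%H:%M:%SZ")
    return {
        "count": int(m.group("count")),
        "window_hours": int(m.group("hours")),
        "domains": tuple(d.strip() for d in m.group("domains").split(",")),
        "retry_after": retry.replace(tzinfo=timezone.utc),
    }


def seconds_until_retry(message, now):
    """Seconds a renewal job should sleep before trying again (0 if the time has passed)."""
    info = parse_rate_limit_error(message)
    if info is None:
        return 0
    return max(0, int((info["retry_after"] - now).total_seconds()))


def next_allowed_issuance(history, domains, now):
    """Earliest UTC time a certificate for exactly `domains` fits under the limit.

    `history` is a list of (domains, issued_at) tuples the renewal job records for
    every successful issuance. Returns `now` when issuing is already allowed.
    """
    key = frozenset(d.lower() for d in domains)
    cutoff = now - DUPLICATE_CERT_WINDOW
    recent = sorted(
        ts for ds, ts in history
        if frozenset(d.lower() for d in ds) == key and ts > cutoff
    )
    if len(recent) < DUPLICATE_CERT_LIMIT:
        return now
    # Enough of the oldest in-window issuances must age out to free one slot.
    return recent[len(recent) - DUPLICATE_CERT_LIMIT] + DUPLICATE_CERT_WINDOW


def acme_directory_reachable(url="https://acme-v02.api.letsencrypt.org/directory", timeout=10):
    """Pre-flight check before a renewal: fetch the ACME directory and confirm it parses.

    Makes a network call, so it is not exercised by demo(). Returns (ok, detail).
    """
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            directory = json.load(resp)
    except (OSError, ValueError) as exc:  # URLError, timeouts and bad JSON all land here
        return False, "failure contacting {}: {}".format(url, exc)
    missing = [k for k in ("newNonce", "newAccount", "newOrder") if k not in directory]
    if missing:
        return False, "directory missing keys: " + ", ".join(missing)
    return True, "ok"


def demo():
    """Run the offline parts on constructed data and return the results."""
    info = parse_rate_limit_error(SAMPLE_RATE_LIMIT_ERROR)
    now = datetime(2024, 6, 25, 18, 58, 44, tzinfo=timezone.utc)  # one hour before retry-after
    # Constructed issuance log: five certificates for the same domain set, the first
    # exactly 168 hours before the retry-after time given in the error.
    first = datetime(2024, 6, 18, 19, 58, 44, tzinfo=timezone.utc)
    history = [(("mail.domain.com",), first + timedelta(hours=k)) for k in range(5)]
    other_set = ("mail.domain.com", "autodiscover.domain.com")  # hypothetical second SAN set
    return {
        "count": info["count"],
        "domains": info["domains"],
        "retry_after": info["retry_after"].isoformat(),
        "wait_seconds": seconds_until_retry(SAMPLE_RATE_LIMIT_ERROR, now),
        "next_allowed_same_set": next_allowed_issuance(history, ("mail.domain.com",), now).isoformat(),
        "next_allowed_other_set": next_allowed_issuance(history, other_set, now).isoformat(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("{}: {}".format(key, value))
```

Running the script prints the parsed limit, the one-hour wait derived from the sample error, and the next allowed issuance per domain set. The point of `next_allowed_issuance` is that a job which records its own issuances can refuse to contact the CA while the window is full, instead of learning about the limit from the error; `acme_directory_reachable` is the check to run first when the server reports "Failure contacting ... /directory", to distinguish a network or TLS problem from a client-side bug.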
Summary
Upgrading Kerio Connect to the latest version that includes the necessary code changes to accommodate Let's Encrypt's modifications should resolve the issue with issuing Let's Encrypt certificates. After the upgrade, certificate renewals should proceed without any issues.
FAQ
Q: What caused this issue?
A: This issue was caused by changes made by Let's Encrypt, which required code changes in Kerio Connect.
Q: I am not comfortable updating to a beta version, what should I do?
A: The above-mentioned beta version is of production quality, meaning it underwent additional verifications and testing before being shared as a hotfix.
Q: How can I resolve this issue?
A: You can resolve this issue by manually upgrading your Kerio Connect Server to the version that contains the necessary fix.
Q: After the upgrade, I am getting a rate limit error, how can I solve that?
A: Given the nature of the issue, you need to wait until after the time specified in the error message to renew/issue a new certificate.