[HOWTO] Let's Encrypt

Hi all,

I have got a fully working Let's Encrypt setup for multiple domains of my Web Application Firewall on my Sophos UTM 9.4!

On GitHub I have written a manual on how to set it up on your UTM as well. Currently it has a few manual steps to set it up, but I might script this in the future as well.

https://github.com/rklomp/sophos-utm-letsencrypt

Comments, questions and improvements are welcome! And please leave a message if you have got it working as well.

Have fun!

René

  • In reply to rklomp:

    Great!

    Thanks for the quick reply. 

    I will give it a try later!

  • Hi René

    Thx a lot for your work. In the past I used StartSSL SAN certificates which I wanted/had to replace with Let's Encrypt certificates.

    However, when I first found your script it didn't work out for me, as I use the UTM with a Home License in a very small lab environment with several vhosts with different hostnames which all point to one single Linux server in my internal network. This made the verifying thing kind of complicated (at least for me), and using the DNS challenge was not really an option because my Hurricane Electric DNS setup was not capable of adding and deleting the needed DNS entries (at least for me :)).

    So I went on and moved all my DNS entries to another DNS provider which supports an API, and I used your script again with the DNS-01 challenge and DNS hook scripts, which worked flawlessly from scratch.

    Thx a lot for sharing your script!

    Regards,

    Doemer

  • Please forgive my lack of knowledge. I'm not sure of the syntax to find the certificate I want to replace. I can't get the certificate Reference using cc.

    Please can anyone help???

  • In reply to instinct twok:

    Hello,

    What host/domain must I use when?

    utm-router hostname utm.Mydomain.de

    virtual webserver hostname mydomain.de

  • In reply to joerg nissen:

    Use the hostname of the firewall, with a SAN of the domain as you listed it. Or the other way around. As long as both are listed you are fine.

  • In reply to Dominik Brenn:

    Doemer,

    If you do not mind sharing can you please let me know what DNS provider you moved to. I am currently using HE for DNS and would like to move some of my SSL based sites back behind the WAF if I could get LetsEncrypt working on my UTM.

    TIA

    Ron

  • So the only part about those instructions that I'm confused about is the :

    Set ACL: the directory to copy the acme challenge file to. This should be the server that is serving the yourdomain.com webpages. Also create the folder on the server and test if http://yourdomain.com/.well-known/acme-challenge/ is reachable and if you can ssh from the UTM to the server. Maybe you need to add a firewall rule to allow traffic.

    ACL=('ssh:<user>@<server>:/var/www/.well-known/acme-challenge')

    How did you set this path for your firewall directly on the UTM?

    I should clarify, I'm not hosting any other websites, I just want this to secure my firewall itself (gateway.mydomain.net)
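A pre-flight check for the ACL step quoted above, added here as an example and not part of the original post or rklomp's script: it splits an `ssh:<user>@<server>:<directory>` entry into its parts, writes a constructed token to that directory over ssh, and fetches it back over plain HTTP the way the CA's http-01 validation would. The domain, user, server and directory are placeholders you must replace.

```shell
#!/bin/sh
# Pre-flight check for one ACL entry of the form ssh:<user>@<server>:<directory>
# (hypothetical helper written for this thread, not part of rklomp's script).

# Split an ACL entry into its user, host and directory parts.
acl_user() { printf '%s\n' "${1#ssh:}" | cut -d@ -f1; }
acl_host() { printf '%s\n' "${1#ssh:}" | cut -d@ -f2 | cut -d: -f1; }
acl_dir()  { printf '%s\n' "${1#ssh:}" | cut -d: -f2-; }

# Accept only entries that carry all three parts and an absolute directory.
acl_is_valid() {
  case "$1" in
    ssh:?*@?*:/*) return 0 ;;
    *)            return 1 ;;
  esac
}

# check_acl_target <domain> <acl-entry>
# 1. ssh from the UTM to the server, create the directory, drop a token file
# 2. fetch http://<domain>/.well-known/acme-challenge/<token> like the CA does
# 3. remove the token again; return 0 only if the body came back intact
check_acl_target() {
  domain=$1; acl=$2
  acl_is_valid "$acl" || { echo "bad ACL entry: $acl" >&2; return 2; }
  user=$(acl_user "$acl"); host=$(acl_host "$acl"); dir=$(acl_dir "$acl")
  token="preflight-$(date +%s)-$$"      # constructed token, not a real ACME token
  expect="token-ok-$$"
  ssh -o BatchMode=yes "$user@$host" \
    "mkdir -p '$dir' && printf '%s' '$expect' > '$dir/$token'" \
    || { echo "ssh/mkdir to $user@$host:$dir failed" >&2; return 3; }
  # -L: http-01 validation follows redirects, so a 301 to https is acceptable.
  body=$(curl -fsSL --max-time 10 "http://$domain/.well-known/acme-challenge/$token")
  rc=$?
  ssh -o BatchMode=yes "$user@$host" "rm -f '$dir/$token'"
  [ "$rc" -eq 0 ] && [ "$body" = "$expect" ]
}

# Example call (needs real hosts; both values are placeholders):
# check_acl_target yourdomain.com 'ssh:user@server:/var/www/.well-known/acme-challenge' \
#   && echo "http-01 path is reachable"
```

Run it as root on the UTM before the first certificate request; a non-zero exit tells you whether the ssh copy (exit 3) or the HTTP path (any other failure) is what needs the firewall rule or folder fix.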

  • Hi, I just had a quick noob question.

    Is the purpose of copying the ACME challenge to .well-known/acme-challenge to make the cert renewal on my ubuntu server work?

    I will need to update the cert on both the UTM and my webserver if I'm not mistaken, and I'm ignorant as to whether running the renew on two separate hosts will create two different certs, which will make this not work if I'm not mistaken.

    Please forgive any weird logic I'm having as I'm new to this and self-learning.

  • For some reason certbot does not wanna work for me so I'm just going to modify the script to scp the .key and .crt files directly to my ubuntu server's cert directory.

  • In reply to SoulDragon:

    SoulDragon

    For some reason certbot does not wanna work for me so I'm just going to modify the script to scp the .key and .crt files directly to my ubuntu server's cert directory.

    In UTM I created a virtual webserver for https and used the certificate to pass the domain to the real webserver. The certificate is not required on the ubuntu server. Some ISP tools however may require a certificate to work with, but that can be a self signed one. UTM will pass the domain name to the ubuntu server, but keeps the certificate active.

  • In reply to Hans Gooijen:

    I made a script that utilizes dehydrated + DNS challenge for getting the certs via a Linux box (I use a docker instance); this one connects via ssh, puts the files on the Sophos and cleans up after itself, so no need to install or modify anything on the Sophos really.

    https://github.com/Optic00/utm_le_updater

    It's pretty much hack'n'slay put together but works fine so far. You'll need some basic knowledge of Linux and I can't provide support, but it's fully automated and doesn't require a running webserver due to DNS (you need a DNS service with an API; I use Cloudflare).

    How do I get the cc command working? Am I correct in typing cc in the UTM terminal? I always get bash: cc: command not found.

    Also, is it possible to use a Let's Encrypt certificate for the UTM itself, for the user interface?

  • In reply to mad1993max:

    Max, you must be logged in as root.

    Cheers - Bob

  • Alone among the logs, the Firewall Live Log presents abbreviated information in a format easier to read quickly.  Usually, you can't troubleshoot without looking at the corresponding line from the full Firewall log file.  Please post the line corresponding to that above.

    Cheers - Bob

    Seems like creating a chroot to serve the various required acme challenges for your domains would be a nice addition to this. Just set a folder path for your virtual sites for the well-known acme challenge requests to route to the UTM real web server setup for that domain's challenge. That way there wouldn't be any need to mess with network mounts/ssh, etc.

    Only thing I'm not sure about with such an approach though is whether the web server protection module would actually be able to handle such a task. I say this because I tried once to set up a virtual web server for the UTM web admin site itself, thus allowing me to point utm.domain.com to the UTM web admin site (obviously not secure, yeah, but that's not the point I'm making here). The idea was to let me hit the admin site via 443 while still being able to have other sites rerouted through the UTM as well. Problem is, I noticed in the logs the redirect internally was to the local loopback address, and the UTM web admin settings don't let you allow local loopback as an allowed interface to connect to it. Thus I suspect trying to do the same for acme challenges might run into the same challenge, so perhaps a secondary web server on an internal VM somewhere could point back to the UTM address/port for serving up the response for that domain.

    Thoughts?

    EDIT:  Ahhh, DNS-01 challenges was the key.