
[HOWTO] Let's Encrypt

Hi all,

I have got a fully working Let's Encrypt setup for multiple domains of my Web Application Firewall on my Sophos UTM 9.4!

On GitHub I have made a manual on how to set it up on your UTM as well. Currently it has a few manual steps to set it up, but I might script this in the future as well.

https://github.com/rklomp/sophos-utm-letsencrypt

Comments, questions and improvements are welcome! And please leave a message if you have got it working as well.

Have fun!

René



  • Seems like creating a chroot to serve the various required acme challenges for your domains would be a nice addition to this. Just set a folder path for your virtual sites for the well known acme challenge requests to route to the utm real web server setup for that domain's challenge. That way there wouldn't be any need to mess with network mounts/ssh, etc.

    Only thing I'm not sure about with such an approach though is if the web server protection module would actually be able to handle such a task. I say this because I tried once to set up a virtual web server for the utm web admin site itself, thus allowing me to point utm.domain.com to the utm web admin site (obviously not secure, yeah, but that's not the point I'm making here). The idea was to let me hit the admin site via 443 while still being able to have other sites rerouted through the utm as well. Problem is, I noticed in the logs the redirect internally was to the local loopback address, and utm web admin settings doesn't let you allow local loopback as an allowed interface to connect to it. Thus I suspect trying to do the same for acme challenges might run into the same challenge, so perhaps a secondary web server on an internal vm somewhere could point back to the utm address/port for serving up the response for that domain.

    Thoughts?

    EDIT: Ahhh, DNS-01 challenges were the key.
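To make the difference the comment lands on concrete, here is an added example (not code from the thread or from the linked GitHub manual) that derives, from one ACME token and account key, what HTTP-01 needs the WAF to pass through to a real web server versus what DNS-01 needs published as a TXT record. The JWK modulus and the token are constructed sample values, not a real key or a real CA-issued token.

```python
import base64
import hashlib
import json
from typing import Tuple


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME (RFC 8555) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over canonical JSON of the required public
    members (for RSA: e, kty, n), keys sorted, no whitespace, extras dropped."""
    required = {k: jwk[k] for k in ("e", "kty", "n")}
    canonical = json.dumps(required, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """Key authorization = challenge token + '.' + account key thumbprint."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_resource(token: str, jwk: dict) -> Tuple[str, str]:
    """HTTP-01: the CA fetches this path over port 80 on the domain and expects
    the key authorization as the body. Behind the UTM WAF this path has to be
    routed to a real web server that actually serves that file."""
    return (f"/.well-known/acme-challenge/{token}", key_authorization(token, jwk))


def dns01_record(domain: str, token: str, jwk: dict) -> Tuple[str, str]:
    """DNS-01: the CA queries this TXT record and expects the base64url SHA-256
    of the key authorization. No inbound HTTP path through the WAF is needed."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return (f"_acme-challenge.{domain}", b64url(digest))


# Constructed sample values: the modulus is a placeholder string, not a real key.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-modulus-not-a-real-key"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    path, body = http01_resource(SAMPLE_TOKEN, SAMPLE_JWK)
    print(f"HTTP-01: serve {body!r} at {path}")
    name, value = dns01_record("example.com", SAMPLE_TOKEN, SAMPLE_JWK)
    print(f"DNS-01: publish TXT {name} -> {value}")
```

Either way the CA only ever sees the derived value, so an account key that leaks lets someone else satisfy both challenge types; keep it on the UTM with the same care as the issued private keys.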

