[HOWTO] Let's Encrypt

Hi all,

I have got a fully working Let's Encrypt setup for multiple domains of my Web Application Firewall on my Sophos UTM 9.4!

On GitHub I have written a manual on how to set it up on your UTM as well. Currently it has a few manual steps to set it up, but I might script this in the future as well.


Comments, questions and improvements are welcome! And please leave a message if you have got it working as well.

Have fun!


  • Has anyone tried this on SFOS 16.05, or is this strictly a UTM v9.x solution?

  • I have spent many hours on this. First I wanted to use a wildcard, but I noticed it's not (yet) supported.


    So, first I will use only the cert for "sub.domain.de".

    If I edit the domain config, in my case to "ACL=('ssh:administrator@sub.domain.de:/var/www/html/.well-known/acme-challenge')",

    the script connects to the public IP instead of the web server behind the WAF.

    The same happens with "ssh-copy-id <user>@<server>",

    so I have to use the internal IP of the web server behind the WAF -> ssh-copy-id administrator@192....

    Is it possible to use the IP for ACL=? If I use the IP in the ACL, I get an error: getssl: problem copying file to the server using scp.
            scp /root/.getssl/sub.domain.de/tmp/... administrator@192....:/var/www/html/.well-known/acme-challenge/...

    With "ssh -i /root/ssh_key_file administrator@192...." I can connect to the web server behind the WAF.


  • Hi,


    I am using the UTM at home and I would like to use it as a reverse proxy.

    One of my servers is a Windows server. I am currently using Let's Encrypt to get a certificate on it.

    I am blocked at ACL=('ssh:<user>@<server>:/var/www/.well-known/acme-challenge')

    Is it possible to store the file directly on the UTM?


  • Any way to get this updated to work with ACMEv2 and wildcard support?

  • In reply to J.Rivett:

    I switched to a Linux box (Docker) with dehydrated and upload certs via SSH. I am also pushing those certs to other appliances (like Palo Alto).

    I am working on a manual, but it already supports wildcard certs (via dehydrated).

  • I am trying to configure a LE certificate for users accessing the SPX portal on my Sophos UTM. I get all the way through until running:

    ./getssl -f mail.mydomain.com

    it throws this error:

    getssl: for some reason could not reach http://mail.mydomain.com/.well-known/acme-challenge/7P8w_HOkOma04fhq734h5ykukwjkhkj8

    If I open it in a browser it says connection refused. How can I resolve this please?

    Silly question: mail.mydomain.com points to the Sophos UTM - should it be looking at a different web server for the challenge?
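    The error in that post is the CA's HTTP-01 validator failing to fetch the token file. The Python below is an added example (not from the original thread or from getssl) that reproduces the same fetch locally against a throwaway web server, so the challenge path can be checked before running getssl; the token, account thumbprint and 127.0.0.1 server are constructed stand-ins.

```python
import http.server
import socketserver
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial
from pathlib import Path

ACME_PATH = "/.well-known/acme-challenge/"

class QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args): pass   # no per-request noise on stderr

def serve_webroot(webroot):
    """Throwaway HTTP server on 127.0.0.1 serving `webroot` (stand-in for the web server behind the WAF)."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), partial(QuietHandler, directory=webroot))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]

def check_challenge(base_url, token, expected_body, timeout=3):
    """Fetch the challenge URL as the CA validator does; returns 'ok', 'wrong-content', 'not-found', 'http-<code>' or 'unreachable'."""
    url = base_url.rstrip("/") + ACME_PATH + token
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("ascii", "replace").strip()
    except urllib.error.HTTPError as err:
        return "not-found" if err.code == 404 else f"http-{err.code}"
    except (urllib.error.URLError, OSError):
        return "unreachable"   # DNS failure, timeout or connection refused
    return "ok" if body == expected_body else "wrong-content"

def demo():
    """Exercise all outcomes with a constructed token and account thumbprint."""
    token = "constructed-token-7P8w"
    key_auth = token + ".constructed-account-thumbprint"   # HTTP-01 key authorization
    with tempfile.TemporaryDirectory() as webroot:
        chal_dir = Path(webroot, ".well-known", "acme-challenge")
        chal_dir.mkdir(parents=True)
        (chal_dir / token).write_text(key_auth)
        srv, port = serve_webroot(webroot)
        base = f"http://127.0.0.1:{port}"
        results = {
            "served": check_challenge(base, token, key_auth),
            "missing": check_challenge(base, "no-such-token", key_auth),
            "stale": check_challenge(base, token, "old-token.old-thumbprint"),
        }
        srv.shutdown(); srv.server_close()
    results["refused"] = check_challenge(base, token, key_auth)  # port closed -> connection refused
    return results
```

    For a real domain, write the token file where getssl's ACL puts it and point check_challenge at http://<domain>; 'unreachable' means the name resolves to something not serving port 80, which matches the symptom when the hostname points at the UTM rather than a web server.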

  • Silly question: I read that installing a Let's Encrypt cert won't work for HTTPS decryption/encryption in Web Protection.

  • In reply to Wadood:

    That is true.

    You cannot use a publicly signed CA for SSL decryption.

    It would break the TLS/SSL security technology.

  • In reply to LuCar Toni:

    So the alternative would be what?

  • In reply to LuCar Toni:

    I know that your comment that "it would break the TLS/SSL Security technology" is true, MBP, but I never asked why. Can you expand on why this is the case?

    Cheers - Bob

  • In reply to Wadood:


    So the alternative would be what?


    Install the UTM-generated SSL certificate into your systems. Like this: https://community.sophos.com/kb/en-us/115315#How%20to%20deploy%20the%20Proxy%20CA - note that using the Active Directory deployment method doesn't cover Firefox because years ago Firefox divorced its certificate management from Windows and there is no "easy" way to deploy that certificate on a mass scale - unless someone has access to GPO templates that include the Firefox certificate store since the last time I looked for some.

    The steps in that article are a bit light on how to do that AD import, but this article for their web gateway applies https://community.sophos.com/kb/en-us/42153#GPMC - just use the cert you download from the AD step in the previous article in step 8 from this link to the "Installing the CA with Group Policy Using the Group Policy Management Console (GPMC)" procedure.

  • In reply to BAlfson:

    Simple: you are performing a man-in-the-middle attack.

    The browser wants to warn the user, so it shows the user that this certificate is untrusted.

    Why is it untrusted? XG/UTM gives the client a certificate for, let's say, google.com.

    So the browser shows the user that something is wrong with the certificate of this page and tries to warn them.

    You can work around this by giving the browser the root CA of XG/UTM; then the browser knows this will happen and does not show any alert.

    What happens if you could use a publicly signed certificate for this? You would have a "trusted" CA which could create a certificate for Google, and all clients on earth would trust it.

    So basically you could go to a hub and perform a man-in-the-middle attack without the user noticing, and you could read all the encrypted traffic.

    At this point, we can stop doing TLS at all.

    For sure, I understand the need for "don't push any CA to the clients". It would be lovely to perform HTTPS decryption for your guest network. Many schools ask for this to have more security over their students' network.

    Hope this helps. 

  • In reply to Chris Shipley:

    Thanks for your reply

    I am aware of this and have done it many times; my problem is when we don't have AD, or we need to filter and inspect employees' mobile traffic or guest traffic, or any place that has public access like cafes, hotels, etc.

    You can, for example, prevent P2P on computers but not on mobiles if they use Psiphon (which, by the way, cannot be blocked if you haven't implemented HTTPS decryption).

    That's why I asked what the alternative is in these situations.

  • In reply to Wadood:

    Ahh, yes.  I give multiple networks in these cases.  So I protect my AD-enabled systems the way I described.  The systems I cannot install these certificates on (you can install on mobile, but in a BYOD situation, maybe untenable) I give them a separate network to connect to.  This has different firewall rules that allow traffic out only to some approved categories/destinations and obeys any exceptions I've built, but denies others.  It's a "Guest" type network.

    When you talk about open wifi hotels and cafes, your UTM isn't in the mix so that solution isn't applicable to roaming laptops.  For those you use something like Sophos Endpoint which has a web and application control in it, so the rules are deployed to the device itself.  Sophos MDM as well for company-owned mobile devices.  Sophos MDM can help you deploy the certificate from the UTM to those devices as well.