Let's Encrypt Certificate Renewal Automation with DNS-01 Verification

I've setup a package on github with the goal of automating the process of keeping up to date Let's Encrypt certificates for the UTM WAF.

You can check it out here: https://github.com/kyse/letsencrypt-sophosutm-dns

There are various how-to's out there to reach this end goal that make use of reverse proxies to handle the domain verification challenges but I didn't like the idea of having to deal with file transfers between a cert update server and the UTM as this requires exposing the UTM shell via ssh keys to allow the scripts to work.

So for the purpose of the UTM operating as the termination point of SSL certs, I've set this package up to operate ON the UTM. It handles certificate renewals and updating the UTM certificates as needed. It uses DNS-01 challenges rather than HTTP-01, so you will need access to update your DNS zone's via TSIG keys.

Figure I'd make the repo public so others could benefit. Hope it helps!

Notes:

I believe doing things like (hitting up the SSH shell) this will void any warranty you may have with Sophos, so use at your own risk. I suggest you review the dehydrated, hook.sh, and utm-update-certificate.pl files yourself to ensure your not going to blow up your UTM.

This has been tested with the latest UTM 9.5 release.

I used DynDNS as the DNS provider. If your DNS provider propagates nsupdate's slowly you may need to modify the hook to not clean the DNS challenges until the next pull request once verification has succeeded. As DynDNS propagation is very quick, I haven't tested issues that might arise from failed DNS challenges. Issues could be production server limits being reached as it retries validation on the next cron job, as I'm not sure what exactly the limits applies to (ie cert issuance vs validation requests).

Make sure you stick to using the staging LE servers during your setup and testing to prevent hitting prod limits.

And because reinventing the wheel is a waste of time, a BIG thanks to the folks who have created the scripts utilized in this package: Lukas Schauer - His work on Dehydrated and the hook scripts for DNS validation. Moritz Bunkus - His work on the utm-update-certificate hook script to handle updating the UTM certificates after a renewal.

  • Hi, Jared, and welcome to the UTM Community!

    Thanks - your first post here is a great contribution, so I've pinned it to the top of this forum.

    Cheers - Bob