Let's Encrypt on WAF and internal servers

Hi Folks,

Just for information, I'm using UTM 9.5 with Let's Encrypt and WAF for some time now, using the scripts and manual found here.

Now that it will be natively supported in 9.6 there are some things which I'm worried about.

  • I only have one external IP address
  • I'm using certificates on WAF for external access
  • I'm using certificates directly on my internal webservers with internal DNS resolution to the external use
  • I have several site-path rules to get an ACME challenge accepted
  • everything works fine with the current configuration

As I saw, I have to bind Let's Encrypt to an interface with port 80. As I remember, this would be exclusively available for the ACME challenge and I cannot use port 80 as a virtual server under WAF.
So I think I cannot use Let's Encrypt on the internal servers to do the ACME challenge, as I cannot forward the HTTP request to these servers.

Can you confirm my thoughts about the problems I could face?

Thanks

Carsten

  • You can request a LE certificate from the UTM with ALL your certificates in it and then configure that LE certificate for all your virtual hosts. That way there's no need for LE's servers to directly access your webservers behind UTM.

  • In reply to apijnappels:

    I know that I can use the UTM for all my internal servers.

    But I want my internal servers to be available internally with their external addresses, so I don't need to contact the WAF internally. And for this I need my internal servers to have an SSL certificate as well. For this I also use Let's Encrypt on the servers internally.

    Due to this I need my internal servers to get the ACME challenge as well, which means I need port 80 to be distributed to the internal servers and not only the UTM to answer.

    Bye

    Carsten

  • Carsten Schild
    As I saw, I have to bind Let's Encrypt to an interface with port 80. As I remember, this would be exclusively available for the ACME challenge and I cannot use port 80 as a virtual server under WAF.

    Port 80 is still available even if you enable Let's Encrypt. It's just used for the few seconds that it takes to request or renew a certificate.

  • In reply to apijnappels:

    Any support for LE DNS type challenge via api (cloudflare or other registrars)?

  • Hey Carsten,

    I have the same problem as you, did you solve this? Right now we generate the LE certs on the webservers and upload them to the WAF. We also access our internal servers directly with the public DNS pointing to the internal IP.

    It would be nice to generate the certs on the SG and then download them to the webservers.

    What did you end up doing?

  • In reply to all4it:

    all4it

    ...

    What did you end up doing?

    Well, as  told me that port 80 will only be used for a short amount of time during the challenge check, I'm using different certificates on my webservers and on my UTM.

    On the webservers the certificates are generated through some automation scripts I found throughout the internet.
    As I'm using WAF for all my servers behind my Sophos, there is a site-path route on port 80 for the ACME challenge to the servers.
    My UTM creates the certificates for the WAF virtual servers natively, configured over WebAdmin.

    In my opinion there seems to be no problem, as all servers use HTTPS and HTTP is only used for the ACME challenge.
    As the local web server certificates are generated asynchronously to the UTM, there should not be any overlap in renewing.
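    A way to check that a port 80 site-path route really delivers the HTTP-01 challenge to the intended backend, rather than ending at whatever else answers on port 80, is to fetch the challenge URL over plain HTTP from outside and compare the body with the key authorization the CA expects. The following Python is an added example, not code from this thread or from Sophos; the FQDN, token, account JWK and the `fetch` hook are illustrative assumptions.

```python
import base64
import hashlib
import json
import urllib.request
from typing import Callable

ACME_PATH = "/.well-known/acme-challenge/"


def b64url(data: bytes) -> str:
    """Unpadded base64url, as used throughout ACME (RFC 8555)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the key's required members."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """What the CA expects in the challenge response body: token '.' thumbprint(account key)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http_fetch(fqdn: str, path: str) -> str:
    """Plain HTTP on port 80, the way the CA fetches it (HTTP-01 does not use TLS)."""
    with urllib.request.urlopen(f"http://{fqdn}{path}", timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")


def challenge_reaches_backend(fqdn: str, token: str, jwk: dict,
                              fetch: Callable[[str, str], str] = http_fetch) -> bool:
    """True only if the body served at the challenge URL is the key authorization.
    Trailing whitespace is tolerated (RFC 8555 section 8.3); anything else, including a
    page served by a different listener on port 80, counts as a broken route."""
    expected = key_authorization(token, jwk)
    try:
        body = fetch(fqdn, ACME_PATH + token)
    except Exception:  # unreachable, refused or HTTP error: the route does not work
        return False
    return body.rstrip() == expected


if __name__ == "__main__":
    # Constructed account key and token (placeholders, not real credentials).
    demo_jwk = {"kty": "EC", "crv": "P-256", "x": "x" * 43, "y": "y" * 43}
    print(key_authorization("demo-token", demo_jwk))
```

    Place the key authorization file on the backend first (as the ACME client on that server would), then run the check from outside the UTM against the public name.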
  • In reply to Carsten Schild:

    Carsten Schild
    In my opinion there seems to be no problem, as all servers use HTTPS and HTTP is only used for the ACME challenge.
    As the local web server certificates are generated asynchronously to the UTM, there should not be any overlap in renewing.

    Wellll..... Hi Carsten... this was a very helpful and interesting hint you gave us here! Seriously, I almost couldn't sleep at night because I wanted to find a solution for that problem. This is by far the easiest way to handle that problem. Probably too easy for us! So I checked with Let's Encrypt (https://letsencrypt.org/docs/rate-limits/) and indeed it is no problem to "asynchronously" register certificates with the same name. I would have thought they would revoke the old one, but they don't. So we are testing this right now, also with a port 80 site-path routing like you do!

    Thanks again, very helpful!!!