Let's encrypt on WAF and internal Servers

Question

Hi Folks, 
 
 just for information, I'm using UTM 9.5 with let#s encrpyt and WAF for several times now using the scripts and manual found here. 
 Now that it will be natively supported in 9.6 there are some things which I'm worried ybout. 
 
 I only have one external IP-Adress 
 I'm using certificates on WAF for external access 
 I'm using certificates directly on my internal webservers with internal DNS resolution to the external use 
 I have several site-path-rules to get an acme challenge acceptance 
 everything works fine with the current configuration 
 
 As I saw that I have to bind Let's encrypt to an interface with Port 80. As I remeber this would be exclusive available for acme challenge and I cannot use Port 80 as virtual Server under WAF. So As I think I cannot use Let's encrypt on the internatl servers to do the acme challenge as I cannot forward the http request to these servers. 
 
 Can you confirm my thoughts about the problems I could face. 
 
 Thanks 
 Carsten

Carsten Schild · Answer

all4it said: 
 ... 
 What did you end up doing?

Well as ewadie told me that Port 80 will only used for a short amount of time during the challenge check I'm using different certificates on my webservers and on my UTM. 
 
 On the webservers the certificates are generated through some automation scripts I found throughout the internet. 
 As I'm using WAF for all my servers behind my sophos there is a site-path route on port 80 for the acme challenge to the servers. 
 My UTM creates the certificates for the WAF virtual servers native, configured over WebAdmin. 
 
 In my opinion there seems to be no problem, as all servers use https and http is only used for acme challenge. 
 As the local Web Server certificates are asyncron genereated to the UTM there should not be any overlapping in renewing.

apijnappels · Answer

You can request a LE certificate from the UTM with ALL your certificates in it and then configure that LE certificate for all your virtual hosts. That way there's no need for LE's servers to directly access your webservers behind UTM.

ewadie · Answer

Carsten Schild said: As I saw that I have to bind Let's encrypt to an interface with Port 80. As I remeber this would be exclusive available for acme challenge and I cannot use Port 80 as virtual Server under WAF. 
 Port 80 is still available even if you enable Let's Encrypt. It's just used for the few seconds that it takes to request or renew a certificate.