Just for information: I've been using UTM 9.5 with Let's Encrypt and WAF for some time now, using the scripts and manual found here.
Now that it will be natively supported in 9.6, there are some things I'm worried about.
As I saw, I have to bind Let's Encrypt to an interface with port 80. As I remember, this would be exclusively available for the ACME challenge, and I cannot use port 80 as a virtual server under WAF. So, as I think, I cannot use Let's Encrypt on the internal servers to do the ACME challenge, as I cannot forward the HTTP request to these servers.
Can you confirm my thoughts about the problems I could face?
You can request a LE certificate from the UTM with ALL your certificates in it and then configure that LE certificate for all your virtual hosts. That way there's no need for LE's servers to directly access your webservers behind UTM.
In reply to apijnappels:
I know that I can use the UTM for all my internal servers.
But I want my internal servers to be available internally with their external addresses, so I don't need to contact the WAF internally. And for this I need my internal servers to have an SSL certificate as well. For this I also use Let's Encrypt on the servers internally.
Due to this I need my internal servers to get the ACME challenge as well, which means I need port 80 to be distributed to the internal servers and not only the UTM to answer.
Carsten Schild wrote:
As I saw, I have to bind Let's Encrypt to an interface with port 80. As I remember, this would be exclusively available for the ACME challenge and I cannot use port 80 as a virtual server under WAF.
Port 80 is still available even if you enable Let's Encrypt. It's just used for the few seconds that it takes to request or renew a certificate.
Any support for the LE DNS-type challenge via API (Cloudflare or other registrars)?
I have the same problem as you; did you solve this? Right now we generate the LE certs on the web servers and upload them to the WAF. We also access our internal servers directly, with the public DNS pointing to the internal IP.
It would be nice to generate the certs on the SG and then download them to the web servers.
What did you end up doing?
In reply to all4it:
What did you end up doing?
In reply to Carsten Schild:
In my opinion there seems to be no problem, as all servers use HTTPS and HTTP is only used for the ACME challenge.
As the local web server certificates are generated asynchronously to the UTM, there should not be any overlap in renewing.
Wellll..... Hi Carsten, this was a very helpful and interesting hint you gave us here! Seriously, I almost couldn't sleep at night because I wanted to find a solution for that problem. This is by far the easiest way to handle it. Probably too easy for us! So I checked with Let's Encrypt (https://letsencrypt.org/docs/rate-limits/) and indeed it is no problem to "asynchronously" register certificates with the same name. I would have thought they would revoke the old one, but they don't. So we are testing this right now, also with port 80 site path routing like you do!
Thanks again, very helpful!!!
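The two posts above rest on two claims: that port 80 carries nothing but the ACME HTTP-01 challenge (so path routing can hand /.well-known/acme-challenge/ to the internal server while the UTM answers everything else), and that a UTM and an internal server renewing the same names on their own schedules stay below the Let's Encrypt Duplicate Certificate limit (5 certificates per 7 days for an identical set of hostnames, per the rate-limits page linked above). The following is an added example, written here to make both claims concrete; it is not Sophos UTM code and was not posted by anyone in the thread. The router is a model of what a port-80 site path rule does, not the UTM's implementation, and the hostnames, dates and renewal schedules are constructed.

```python
"""Added example (not Sophos UTM code, not from the thread).

1. route_port80: a model of a port-80 site-path rule. Only a well-formed
   /.well-known/acme-challenge/<token> request is forwarded to the
   internal web server; everything else on plain HTTP is redirected to
   HTTPS, so port 80 never serves application traffic.
2. duplicate_cert_violations: replays a log of certificate issuances
   against the Let's Encrypt Duplicate Certificate limit (5 per 7 days
   for an identical name set, https://letsencrypt.org/docs/rate-limits/).

Hostnames, dates and schedules below are constructed for the example.
"""
from datetime import datetime, timedelta

ACME_PATH_PREFIX = "/.well-known/acme-challenge/"
DUPLICATE_CERT_LIMIT = 5                 # identical name sets per window
DUPLICATE_CERT_WINDOW = timedelta(days=7)


def route_port80(host, path):
    """Decide what the port-80 listener does with a plain-HTTP request.

    Returns ("forward", token) for a well-formed HTTP-01 challenge URL,
    ("reject", None) for anything under the ACME prefix that is not a
    base64url token (no '.', '/' or '%', so no path traversal reaches
    the backend), and ("redirect", https_url) for every other request.
    """
    if path.startswith(ACME_PATH_PREFIX):
        token = path[len(ACME_PATH_PREFIX):]
        if token and all(c.isalnum() or c in "-_" for c in token):
            return ("forward", token)
        return ("reject", None)
    return ("redirect", "https://" + host + path)


def _name_set(names):
    """Normalise hostnames so order, case and a trailing dot do not turn
    the same certificate into a 'different' one for the rate limit."""
    return tuple(sorted(n.strip().lower().rstrip(".") for n in names))


def duplicate_cert_violations(issuances):
    """Replay issuances (any order) against the duplicate-certificate limit.

    issuances: iterable of (datetime, [hostname, ...]).
    Returns the (datetime, name_set) pairs that would be refused because
    five certificates for that exact name set were already issued in the
    preceding 7 days. A refused request does not count towards the limit.
    """
    issued = {}      # name set -> timestamps of successful issuances
    refused = []
    for when, names in sorted(issuances, key=lambda item: item[0]):
        key = _name_set(names)
        recent = [t for t in issued.get(key, []) if when - t < DUPLICATE_CERT_WINDOW]
        if len(recent) >= DUPLICATE_CERT_LIMIT:
            refused.append((when, key))
        else:
            recent.append(when)
        issued[key] = recent
    return refused


# Constructed issuance logs (dates are made up for the example).
BASE = datetime(2018, 1, 1)


def day(n):
    return BASE + timedelta(days=n)


# The UTM renews every 60 days; the internal server also every 60 days but
# offset by 30. Same names, listed in different order and case, as two
# independent ACME clients would produce them.
STAGGERED = [
    (day(0),  ["www.example.com", "example.com"]),      # UTM
    (day(30), ["EXAMPLE.COM", "www.example.com"]),      # internal server
    (day(60), ["www.example.com", "example.com"]),      # UTM
    (day(90), ["example.com", "www.example.com."]),     # internal server
]

# The failure mode: a cron job forcing renewal of the same names every day.
DAILY_FORCED = [(day(n), ["www.example.com", "example.com"]) for n in range(8)]


if __name__ == "__main__":
    for path in (ACME_PATH_PREFIX + "abc-123_XYZ",
                 ACME_PATH_PREFIX + "../../etc/passwd",
                 "/index.html"):
        print(path, "->", route_port80("www.example.com", path))
    print("staggered refusals:", duplicate_cert_violations(STAGGERED))
    print("daily forced refusals:",
          [d.date() for d, _ in duplicate_cert_violations(DAILY_FORCED)])
```

Run as-is: the staggered schedule produces no refusals, while the daily forced renewal is refused on the sixth and seventh day and accepted again on the eighth, once the first issuance has left the 7-day window. Which is the point of the last two posts: two independent clients renewing the same names every 60 days are nowhere near the limit, so the UTM and the internal server can each hold their own certificate.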