
v21 Let's Encrypt cert creation and renewal fails when a NAT rule for HTTP/HTTPS exists

On one of our XGS firewalls, we need a NAT rule for HTTP/HTTPS. On this firewall, it's not possible to create or renew a Let's Encrypt cert.

We need to disable the NAT rule; then creating/renewing the certificate works.

But this can't be the solution, so we have to disable this rule manually every 60 days for a night.

Sophos should fix this: the cert creation/renewal should have priority over the NAT rule for HTTP/HTTPS.



Added TAGs
[edited by: Raphael Alganes at 10:13 AM (GMT -8) on 4 Dec 2024]
  • We can't fix this, and UTM had the same issue.

    We are not going to disable legit NAT rules for HTTP for customers "just to renew the cert".
    WAF is always behind the NAT rules, as NAT takes priority here.
    Maybe you could generate a WAF rule for HTTP?

    As LE does not tell what IPs they are using, it is impossible to perform a renewal here.

    BTW: You only need HTTP for LE, so maybe you do not need the HTTP NAT rule (as HTTP could be considered to be "insecure" in the first place).