v21 Let's Encrypt Cert creation and renewal fails, whan NAT Rule for HTTP/HTTPS exists

Question

On one of our XGS-firewalls, we need a NAT rule for HTTP/HTTPS. On this firewall, it's not possible to create or renewal a Let's Encrypt Cert. 
 We need to disable the NAT rule, then it works to create/renewal the certificate. 
 But this can't be the solution, so we have to disable this rule manually all 60 days for a night. 
 
 Sophos should fix this: the cert-creation/renewal should have the priority before the NAT rule for HTTP/HTTPS.

LuCar Toni · Answer

We cant fix this and UTM had the same issue. 
 We are not going to disable legit NAT Rules for HTTP for customers - "just to renew the cert". WAF is always behind the NAT Rules, as NAT takes priorities here. Maybe you could generate a WAF Rule for HTTP ? 
 As LE does not tell, what IPs they are using, it is impossible to perform a renewal here. 
 BTW: You only need HTTP for LE - So maybe you do not need the HTTP NAT Rule (as HTTP could be considered to be "insecure" in the first place.

v21 Let's Encrypt Cert creation and renewal fails, whan NAT Rule for HTTP/HTTPS exists

Top Replies