
v21 Let's Encrypt Cert creation and renewal fails when a NAT Rule for HTTP/HTTPS exists

On one of our XGS firewalls, we need a NAT rule for HTTP/HTTPS. On this firewall, it's not possible to create or renew a Let's Encrypt cert.

We need to disable the NAT rule; then creating/renewing the certificate works.

But this can't be the solution, so we have to disable this rule manually every 60 days for a night.

Sophos should fix this: the cert creation/renewal should have priority over the NAT rule for HTTP/HTTPS.



Added TAGs
[edited by: Raphael Alganes at 10:13 AM (GMT -8) on 4 Dec 2024]
  • We can't fix this, and UTM had the same issue. 

    We are not going to disable legit NAT Rules for HTTP for customers - "just to renew the cert". 
    WAF is always behind the NAT Rules, as NAT takes priority here. 
    Maybe you could generate a WAF Rule for HTTP? 

    As LE does not tell what IPs they are using, it is impossible to perform a renewal here. 

    BTW: You only need HTTP for LE - so maybe you do not need the HTTP NAT Rule (as HTTP could be considered to be "insecure" in the first place). 


  • In the documentation the certificate request is described as follows:
    "The Let's Encrypt CA must communicate with the firewall to validate the CSR. For this communication, the firewall temporarily creates a WAF rule. After the CA validates the CSR, the firewall deletes the rule."


    For LE certificates the requesting webserver must be reachable via HTTP in the verification process.
    Is it possible that this could be an issue if I already have a WAF rule for the LE certificate active where "Redirect HTTP" is ticked, or is that temporary WAF rule forced to be served "first" or "only"?

    "Only" because of this: "During the Let's Encrypt CA validation period for any CSR, the web applications protected by WAF rules will be unavailable through the firewall."

    Regards,

    Kevin

    Sophos CE/CA (XG, UTM, Central Endpoint)
    Gold Partner

  • So essentially, if you have multiple WAF Rules, it does not matter. The WAF Rules are there to redirect the request to the WAF Service, which takes over the LE renewal. 

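A simplified model of the precedence the replies above describe (NAT rules matched before WAF rules, any WAF rule on port 80 handing the HTTP-01 request to the WAF service), as an added example. This is not Sophos code; the `Rule` class, the sample rule names and the internal addresses are constructed for illustration, and the model only shows why an enabled HTTP NAT rule keeps the temporary Let's Encrypt WAF rule from ever seeing the challenge request.

```python
from dataclasses import dataclass

HTTP_PORT = 80  # Let's Encrypt HTTP-01 validation always arrives on plain HTTP


@dataclass(frozen=True)
class Rule:
    kind: str          # "NAT" (DNAT to an internal host) or "WAF" (handled by the WAF service)
    name: str
    ports: frozenset   # destination ports the rule matches
    enabled: bool = True


# The rule the firewall creates for the duration of the validation (quoted from the docs above).
LE_TEMP_RULE = Rule("WAF", "Let's Encrypt temporary validation rule", frozenset({HTTP_PORT}))


def first_match(rules, port):
    """First enabled rule matching the destination port. Every NAT rule is
    evaluated before any WAF rule, which is the precedence the thread describes."""
    for kind in ("NAT", "WAF"):
        for rule in rules:
            if rule.kind == kind and rule.enabled and port in rule.ports:
                return rule
    return None


def acme_validation_succeeds(rules):
    """True if the HTTP-01 request reaches the WAF service (any WAF rule on port 80
    does, since WAF hands the challenge to the firewall's ACME client); False if a
    NAT rule forwards it to an internal host that does not know the token."""
    winner = first_match(list(rules) + [LE_TEMP_RULE], HTTP_PORT)
    return winner.kind == "WAF"


def renewal_blockers(rules):
    """Names of enabled NAT rules that would intercept the challenge: a check to
    run before each 60-day renewal instead of discovering the failure afterwards."""
    return [r.name for r in rules
            if r.kind == "NAT" and r.enabled and HTTP_PORT in r.ports]


# Constructed sample configurations (not taken from any real firewall).
WEB_DNAT = Rule("NAT", "DNAT web 80/443 to 10.0.0.10", frozenset({80, 443}))
HTTPS_ONLY_DNAT = Rule("NAT", "DNAT 443 to 10.0.0.10", frozenset({443}))
WAF_HTTP = Rule("WAF", "WAF www.example.com (redirect HTTP)", frozenset({80, 443}))

if __name__ == "__main__":
    print(acme_validation_succeeds([WEB_DNAT, WAF_HTTP]))         # False: the NAT rule wins
    print(renewal_blockers([WEB_DNAT, WAF_HTTP]))                 # names the offending rule
    print(acme_validation_succeeds([HTTPS_ONLY_DNAT, WAF_HTTP]))  # True: port 80 is not NATed
    print(acme_validation_succeeds([WAF_HTTP]))                   # True: WAF handles it
```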
