We've been dabbling with the new LetsEncrypt on v21, and so far it's been working pretty well. However, in several cases, we have sites that have dual WAN, and we want to host a WAF, port forward, or even just the VPN portal on both WANs with the same FQDN. Typically we do this by deploying two A records for the same FQDN, aka "poor man's load balancing." However, the built-in LetsEncrypt client can only listen on one WAN interface at a time, while LetsEncrypt wants to validate *all* A records. So, validation will either pick the "wrong" WAN and fail immediately, or pick the "correct" WAN and fail during the additional validation.
Any suggestions for workarounds? I tried a NAT rule, but I really don't think it can apply correctly in this case. My guess is that the best solution is to have the built-in LetsEncrypt client listen on multiple WAN interfaces simultaneously, but of course we're at the mercy of what's baked into v21.
On a related note, it would be great to see more options for the built-in LetsEncrypt client, like DNS validation. You might even be able to delegate the "_acme-challenge" DNS zone to a zone file hosted on the Sophos itself...
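To see the failure mode described above before requesting a certificate, it helps to probe every A record of the FQDN the way an HTTP-01 validator does: fetch `/.well-known/acme-challenge/<token>` on each address with the Host header set and compare the body to the key authorization. The script below is an added example, not Sophos or Let's Encrypt code; `vpn.example.com`, the token and the thumbprint are constructed, and two localhost listeners stand in for two WAN interfaces (one serving the challenge, one not). It also computes the `_acme-challenge` TXT value a DNS-01 validation would expect, which is the per-interface-independent path the post asks for.

```python
"""Probe every address behind an FQDN for an ACME HTTP-01 response, and show
the DNS-01 TXT value that would replace the per-WAN listener.
Added example, not Sophos/Let's Encrypt code. Names and tokens are constructed."""
import base64
import hashlib
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

CHALLENGE_PATH = "/.well-known/acme-challenge/"


def resolve_a_records(fqdn):
    """All IPv4 addresses for fqdn; a dual-WAN 'two A records' setup returns two."""
    infos = socket.getaddrinfo(fqdn, 80, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def probe_http01(ip, port, fqdn, token, key_authorization, timeout=5):
    """(ip, ok, detail): ok only if this address serves the exact key authorization."""
    try:
        conn = http.client.HTTPConnection(ip, port, timeout=timeout)
        conn.request("GET", CHALLENGE_PATH + token, headers={"Host": fqdn})
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace").strip()
        conn.close()
    except OSError as exc:
        return ip, False, f"connect failed: {exc}"
    if resp.status != 200:
        return ip, False, f"HTTP {resp.status}"
    if body != key_authorization:
        return ip, False, "body mismatch"
    return ip, True, "ok"


def check_all_endpoints(endpoints, fqdn, token, key_authorization):
    """endpoints: [(ip, port), ...]. Passes only if every address answers correctly,
    which is the 'validates all A records' concern from the post."""
    results = [probe_http01(ip, port, fqdn, token, key_authorization) for ip, port in endpoints]
    return all(ok for _, ok, _ in results), results


def dns01_txt_value(key_authorization):
    """Expected _acme-challenge TXT record for DNS-01 (RFC 8555 section 8.4):
    unpadded base64url(SHA-256(keyAuthorization)). No listener on any WAN is needed."""
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


# --- constructed offline demo: two local listeners stand in for WAN1 and WAN2 ---
TOKEN = "demo-token"                      # constructed
KEY_AUTH = TOKEN + ".demo-thumbprint"     # constructed; real form is token + "." + JWK thumbprint
FQDN = "vpn.example.com"                  # constructed


def _make_handler(serve_challenge):
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if serve_challenge and self.path == CHALLENGE_PATH + TOKEN:
                body = KEY_AUTH.encode()
                self.send_response(200)
                self.send_header("Content-Type", "application/octet-stream")
                self.send_header("Content-Length", str(len(body)))
                self.end_headers()
                self.wfile.write(body)
            else:
                self.send_error(404)   # the interface the LE client is not listening on

        def log_message(self, *args):  # keep the demo quiet
            pass
    return Handler


def start_listener(serve_challenge):
    """Bind a throwaway localhost port; returns (port, server)."""
    srv = HTTPServer(("127.0.0.1", 0), _make_handler(serve_challenge))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1], srv


def demo():
    """'WAN1' serves the challenge, 'WAN2' does not: the combined validation fails."""
    wan1_port, s1 = start_listener(True)
    wan2_port, s2 = start_listener(False)
    try:
        endpoints = [("127.0.0.1", wan1_port), ("127.0.0.1", wan2_port)]
        passed, results = check_all_endpoints(endpoints, FQDN, TOKEN, KEY_AUTH)
    finally:
        s1.shutdown(); s1.server_close()
        s2.shutdown(); s2.server_close()
    return passed, [ok for _, ok, _ in results]


if __name__ == "__main__":
    print("HTTP-01 across both WANs:", demo())
    print("DNS-01 TXT for _acme-challenge:", dns01_txt_value(KEY_AUTH))
    # For a real FQDN: check_all_endpoints([(ip, 80) for ip in resolve_a_records(FQDN)], ...)
```

Against a live firewall you would pass `[(ip, 80) for ip in resolve_a_records(fqdn)]` with the token from the pending order; any address reporting `HTTP 404` or `connect failed` is a WAN the client is not listening on. The DNS-01 value needs no inbound port 80 at all, which is why delegating `_acme-challenge` sidesteps the dual-WAN problem.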
We are aware of the LE DNS method, but at this point, it is adapted for SFOS like in UTM.
Do you have a WAF Service for all WAN Interfaces? So a WAF Firewall Rule for all the WAN Interfaces?
At least on my test box, I have no WAF rules accepting connections on port 80.
I did briefly consider that maybe I could use a WAF to forward port 80 from the secondary WAN to the primary WAN, but some quick testing showed it didn't seem to work. I was thinking that my manual WAF would listen on multiple or just one interface, and the custom WAF for LE would sit at the top, listening only on the designated interface. But of course, I didn't really expect that one WAF could chain into another WAF.
It's possible that I did something wrong, so if there's actually a way to do that, I'd love to hear about it.
I don't think you will get it working like that.
On the other hand, I'd love to select on which (WAN)-port the LE service is listening.
With kind regards, best regards from Germany,
Philipp Rusch
New Vision GmbH, Germany
Sophos Silver-Partner
If a post solves your question please use the 'Verify Answer' button.