Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Let´s Encrypt Deep Dive & Debugging in SFOSv21.0

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


Overview

This recommended Read describes information about Let's Encrypt and troubleshooting.

Online help:

docs.sophos.com/.../index.html

Release Notes: 

Let’s Encrypt Certificate Support – A long-requested feature, Let's Encrypt certificate support enables the automatic deployment and renewal of certificates based on certificate signing requests (CSRs). Let’s Encrypt certificates are supported for WAF, SMTP, TLS configuration, hotspot sign-in, the web Admin console, user portal, captive portal, VPN portal, and SPX portal.

Recap of LE: 

For example, you can start a new LE certificate for the domain: "test.domain.com". You need to be the owner of this domain. You need to be able to edit the DNS Record as well. "test.domain.com" needs to point to the firewall (WAN) interface. 
The firewall will try to request the certificate for "test.domain.com," and LE will reach out to the configured DNS. If this works, you will get a valid certificate, which you can use. The firewall will automatically refresh the certificate if needed, and there is no user interaction required. 

Licensing: 

SFOS does not require a subscription for LE. A base License is sufficient. SFOS Home is also included. 

Notes and FAQ:

SFOSv21.0 LE is similar to the implementation from Sophos UTM9. 
SFOSv21.0 LE uses the HTTP Challengehttps://letsencrypt.org/docs/challenge-types/  Hence, Wildcard isn’t supported. 
SFOSv21.0 LE certificates can't be downloaded. You must look into a DNS Challenge like Lego or Certbot. The certificates are only usable on the Firewall. 

How does LE in v21.0 work: 

Kindly read the LE documentation first: https://letsencrypt.org/how-it-works/ 
SFOS will perform the following steps: 

  1. Admin register the Domain in SFOS
  2. If you create an LE certificate and/or it needs to be renewed (every 90 days), SFOS will create a WAF Rule on top of the Rule set for Port80.
  3. To create a certificate, you must have a domain (FQDN). This FQDN will be added to the CSR. 
  4. SFOS will reach out to LE and register the used FQDN
  5. LE will try to challenge the WAF from the internet from an unknown IP via HTTP (Port80). It’ll try the used FQDN and expect the WAF to be reachable on this FQDN. 
  6. If LE can reach the WAF on Port 80 and see the correct token, it approves the Firewall as the domain's owner and grants the "certificate." 
  7. SFOS will remove the WAF rule after approval. 

Common issues and troubleshooting: 

Let's Encrypt offers a Login on the firewall. You can access it via CLI or download the log via Diagnostic. 
Also, errors are shown before the Certificate via Mouse Over, indicating the next steps. 

  • Check via external DNS. Make sure that your domain (FQDN) is resolved to your firewall or the router in front of it. 
  • Try connecting to the internet from a client reaching the firewall on port 80 and seeing if you see those packets in the firewall's packet capture (Webadmin). If you can't see them, the router or something in front of the firewall is likely already blocking them or not forwarding them.
  • Review your NAT policy - Every NAT policy based on HTTP(80) from WAN to LAN will fetch the LE requests and destroy the challenge. 
  • Check the logs of the firewall (Download them via webadmin) - Interesting are reverseproxy.log (WAF) and letsencrypt.log (LE) 
  • Check for country blocking as well - LE uses unknown IPs so that a device can block them in front of SFOS. 
  • Check your Firewalls Time (NTP) Settings to avoid issues with Time.



Edited TAGs and Revamped RR
[edited by: Erick Jan at 8:14 AM (GMT -8) on 7 Nov 2024]
Parents
  • I cannot register Let's Encrypt certificates on our main firewall. It always ends with an error.

    letsencrypt.log:

    Nov 19 14:33:53Z letsencrypt: starting parsing stdout
    Nov 19 14:33:53Z letsencrypt: finished parsing stdout
    Nov 19 14:33:53Z letsencrypt: starting parsing stderr
    Nov 19 14:33:53Z letsencrypt: SOME ERROR HAPPENED
    Nov 19 14:33:53Z letsencrypt: domain name: gw-rz.wohnbau-wml.de
    Nov 19 14:33:53Z letsencrypt: finished parsing stderr
    Nov 20 11:23:56Z letsencrypt: Dehydrated renew_certificates std. out:
    Nov 20 11:23:56Z letsencrypt: # INFO: Using main config file /etc/dehydrated/config
    Nov 20 11:23:56Z letsencrypt: Dehydrated renew_certificates std. error:
    Nov 20 11:23:56Z letsencrypt: ERROR: Problem connecting to server (get for acme-v02.api...../directory; curl returned with 6)
    EXPECTED value GOT EOF

  • Did you double check the points above? 

    __________________________________________________________________________________________________________________

    1. Yes. There is no NAT or WAF rule on port 80. DNS lookup is wording and I could also see the packets in the capture. I habe also checked NTP and country blocking.
Reply Children