
letsencrypt (dehydrated) integration in UTM 9.6

I am using a test machine to try the new feature of using a letsencrypt certificate.

It works perfectly fine; I was just wondering which email address was used for the letsencrypt account, which I was unable to find.

I found out that Sophos is using the dehydrated client and the files are in

/var/chroot-reverseproxy/usr/dehydrated/

which points to the account config to be stored in

/var/storage/chroot-reverseproxy/var/lib/dehydrated/

but there is just one ".rnd" file in this directory.

 

btw the corresponding crontab entry is

/etc/crontab.letsencrypt-renewal

 

and the logfiles are at

/var/log/letsencrypt/

 

So I thought I'd start this thread to discuss the way dehydrated is integrated in UTM 9.6.

 

Cheers,

Olaf



  • It doesn't look like the files in /var/storage/chroot-reverseproxy/usr/dehydrated/conf reference an email either.

    Also, as an aside, not all ISPs allow inbound port 80/443. This of course is required for the LE challenge to be performed. In my case I do have the ability to have port 80/443 inbound open but chose not to.

    Instead, I use the dns-01 challenge with dehydrated using this hooks addon - https://github.com/kappataumu/letsencrypt-cloudflare-hook . This particular one is for Cloudflare. It uses your Cloudflare API key to update the TXT record during the challenge.
