
Sophos UTM blocking access to acme-challenge

I am using Sophos UTM and need a certificate for openssl. Therefore I tried to install Certify the Web.
For the mail server I am using a Sophos certificate and the `Exchange Server Webservices` firewall profile!
If I try to access a file inside inetpub\wwwroot\.well-known\acme-challenge via the internet, I get the error message

Access to the requested URL was blocked!

I guess this is not a normal access to the exchange server and therefore blocked!

Is there any solution to get it working?



  • The solution depends on what is being blocked.
    It may be that a "direct call" to the URL is not permitted (URL hardening) ... then the URL must be entered as an "entry URL".
    Or an anomaly is detected ... then it needs an exception.

    Please check the WAF-log


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • That's what I found!

    sophos httpd: id="0299" srcip="172.68.110.170" localip="10.0.10.2" size="199" user="-" host="172.68.110.170" method="GET" statuscode="403" reason="-" extra="-" exceptions="-" time="224" url="/.well-known/acme-challenge
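    An added example, not code from the thread or from Sophos: a small Python script that parses Sophos UTM httpd (WAF) log lines in the key="value" format shown above and picks out the requests the WAF rejected (status 403) for the ACME challenge path, so the blocked calls can be found in a longer log export. The sample lines, addresses and the `reason` value are constructed placeholders.

```python
import re
from typing import Dict, List

# Constructed sample lines in the Sophos UTM httpd (WAF) log format.
# Addresses are documentation ranges and the "url_hardening" reason is a
# placeholder, not a documented Sophos reason string.
SAMPLE_LOG = """\
sophos httpd: id="0299" srcip="203.0.113.10" localip="10.0.10.2" size="199" user="-" host="203.0.113.10" method="GET" statuscode="403" reason="-" extra="-" exceptions="-" time="224" url="/.well-known/acme-challenge/abc123"
sophos httpd: id="0299" srcip="203.0.113.10" localip="10.0.10.2" size="512" user="-" host="mail.example.test" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="12" url="/owa/"
sophos httpd: id="0299" srcip="198.51.100.7" localip="10.0.10.2" size="199" user="-" host="mail.example.test" method="GET" statuscode="403" reason="url_hardening" extra="-" exceptions="-" time="30" url="/.well-known/acme-challenge/def456"
"""

# One key="value" pair; the "sophos httpd:" prefix has no such pair and is skipped.
KV_RE = re.compile(r'(\w+)="([^"]*)"')

ACME_PATH = "/.well-known/acme-challenge"


def parse_line(line: str) -> Dict[str, str]:
    """Turn one WAF log line into a dict of its key="value" fields."""
    return dict(KV_RE.findall(line))


def blocked_acme_requests(log_text: str) -> List[Dict[str, str]]:
    """Return the entries the WAF answered with 403 for the HTTP-01 challenge path."""
    hits = []
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry.get("statuscode") == "403" and entry.get("url", "").startswith(ACME_PATH):
            hits.append(entry)
    return hits


def summarize(entry: Dict[str, str]) -> str:
    """One-line triage note; a bare '-' reason means the profile itself blocked it."""
    reason = entry.get("reason", "-")
    if reason == "-":
        reason = "no reason logged; check URL hardening / entry URLs of the profile"
    return f'{entry["srcip"]} {entry["method"]} {entry["url"]} -> 403 ({reason})'


if __name__ == "__main__":
    for e in blocked_acme_requests(SAMPLE_LOG):
        print(summarize(e))
```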
  • Feel free to send some more log-lines around this part per PM.


    Dirk


  • Have you thought about using the DNS challenge instead of http(s)?  I use the DNS challenge on all my servers given it's easier to implement than having to open ports 80/443 for inbound.  The DNS challenge relies on using an API to access your domain's DNS settings to create a temporary TXT record with the validation token. Let's Encrypt then verifies this token.

    https://letsencrypt.org/docs/challenge-types/ - look up dns-01 challenge

    Looks like Certify the Web does support the DNS challenge as well.  Who is your domain registrar?

  • It was a few years ago; I couldn't get [dns] working, due to the fact that I don't have direct access. There is a DNS in front of my own DNS, because I have only one static IP and not 2.

  • Who provides your DNS?  Perhaps time to move?  I switched to Cloudflare back in 2018. Their prices are competitive and features plentiful. I don't have a static IP either, rather a semi-static one - it changes about twice a decade. The DNS challenge does not require a static IP.