System: Sophos UTM 9.719-3
Dear Sophos Community
We are using the Lets Encrypt bot for a certificate that is used by two different virtual web servers. For this bot, we can only select one external interface.
We have two external interfaces for high availability, and we have two web servers. One for each external interface.
If it were possible to make a virtual web server listen on multiple interfaces, I would only need one.
Both virtual web servers are located on different external interfaces/IPs.
Both are accessible via the same domain.
The external IPs of both interfaces are stored in the DNS.
If I want to use Lets Encrypt in this constellation, the LE service also tries to carry out the challenge via both IP addresses.
However, Sophos does not respond on the 2nd IP address as I can only select 1 interface for the LE bot.
log:
2024:06:18-14:31:14 gateway-2 letsencrypt[16148]: E Renew certificate: COMMAND_FAILED: ["error","detail"] "During secondary validation: ip-address-b: Invalid response from http://***.***/.well-known/acme-challenge/Tz_***: 403"
2024:06:18-14:31:14 gateway-2 letsencrypt[16148]: E Renew certificate: COMMAND_FAILED: ["error","status"] 403
2024:06:18-14:31:14 gateway-2 letsencrypt[16148]: E Renew certificate: COMMAND_FAILED: ["error"] {"type":"urn:ietf:params:acme:error:unauthorized","detail":"During secondary validation: ip-address-b: Invalid response from http://***.***/.well-known/acme-challenge/***s: 403","status":403}
atm, i need to delete one of the IPs manually from the dns for a manual renew of the certificate.
anyone have any ideas how i can achieve this without manual steps ?
would this work with an XGS firewall ?