Let's Encrypt via 2 virtual webservers/interfaces with different IPs

System: Sophos UTM 9.719-3

Dear Sophos Community

We are using the Let's Encrypt bot for a certificate that is used by two different virtual web servers. For this bot, we can only select one external interface.
We have two external interfaces for high availability, and we have two web servers. One for each external interface.
If it were possible to make a virtual web server listen on multiple interfaces, I would only need one.

Both virtual web servers are located on different external interfaces/IPs.
Both are accessible via the same domain.
The external IPs of both interfaces are stored in the DNS.

If I want to use Let's Encrypt in this constellation, the LE service also tries to carry out the challenge via both IP addresses.
However, Sophos does not respond on the 2nd IP address as I can only select 1 interface for the LE bot.

log:
2024:06:18-14:31:14 gateway-2 letsencrypt[16148]: E Renew certificate: COMMAND_FAILED: ["error","detail"] "During secondary validation: ip-address-b: Invalid response from http://***.***/.well-known/acme-challenge/Tz_***: 403"
2024:06:18-14:31:14 gateway-2 letsencrypt[16148]: E Renew certificate: COMMAND_FAILED: ["error","status"] 403
2024:06:18-14:31:14 gateway-2 letsencrypt[16148]: E Renew certificate: COMMAND_FAILED: ["error"] {"type":"urn:ietf:params:acme:error:unauthorized","detail":"During secondary validation: ip-address-b: Invalid response from http://***.***/.well-known/acme-challenge/***s: 403","status":403}

At the moment, I need to delete one of the IPs manually from the DNS for a manual renewal of the certificate.

Does anyone have any ideas how I can achieve this without manual steps?
Would this work with an XGS firewall?
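The log above shows the shape of the failure: Let's Encrypt's secondary validators fetch the challenge from every published A record, and the one that lands on the interface the UTM bot is not bound to gets a 403. The script below is an added example (not from the post and not Sophos UTM code) that does two things a defender would want around this: it parses the UTM letsencrypt log lines quoted above so a monitor can flag a "During secondary validation" failure together with the validator label and HTTP status, and it performs the same check the validators do before a renewal, fetching the challenge URL from each A record directly by IP with the Host header set. The syslog layout is inferred from the three quoted lines; the domain, IPs and token used in the demo and tests are placeholders.

```python
"""Pre-flight check for HTTP-01 validation across every published IP.

Added example, not part of the forum post and not Sophos UTM code.
Assumptions: the UTM syslog layout is inferred from the three quoted
log lines; domain names, IPs and the challenge token are placeholders.
"""
import http.client
import json
import re
import socket
import sys
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# "YYYY:MM:DD-HH:MM:SS host letsencrypt[pid]: <level> <message>" (inferred from the post)
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"letsencrypt\[(?P<pid>\d+)\]: (?P<level>[A-Z]) (?P<msg>.*)$"
)
# The ACME server names the failing validator before the second colon.
SECONDARY_RE = re.compile(r"During secondary validation: (?P<validator>[^:]+): (?P<detail>.*)")
ERROR_OBJECT_MARK = '["error"] '

# Log lines exactly as quoted (and redacted) in the post; used as sample input.
SAMPLE_LOG = [
    '2024:06:18-14:31:14 gateway-2 letsencrypt[16148]: E Renew certificate: COMMAND_FAILED: '
    '["error","detail"] "During secondary validation: ip-address-b: Invalid response from '
    'http://***.***/.well-known/acme-challenge/Tz_***: 403"',
    '2024:06:18-14:31:14 gateway-2 letsencrypt[16148]: E Renew certificate: COMMAND_FAILED: '
    '["error","status"] 403',
    '2024:06:18-14:31:14 gateway-2 letsencrypt[16148]: E Renew certificate: COMMAND_FAILED: '
    '["error"] {"type":"urn:ietf:params:acme:error:unauthorized","detail":"During secondary '
    'validation: ip-address-b: Invalid response from http://***.***/.well-known/acme-challenge/'
    '***s: 403","status":403}',
]


@dataclass
class ChallengeFailure:
    timestamp: str
    validator: str         # "ip-address-b" in the post's redacted log
    status: Optional[int]  # HTTP status the validator received
    detail: str


def parse_failure(line: str) -> Optional[ChallengeFailure]:
    """Return a ChallengeFailure for the line carrying the full ACME error object.

    The UTM writes the same error three times (detail, status, whole object);
    only the whole-object line has both fields, so the other two yield None.
    """
    m = LOG_RE.match(line)
    if not m or m["level"] != "E":
        return None
    msg = m["msg"]
    idx = msg.find(ERROR_OBJECT_MARK)
    if idx < 0:
        return None
    try:
        err = json.loads(msg[idx + len(ERROR_OBJECT_MARK):])
    except json.JSONDecodeError:
        return None
    sec = SECONDARY_RE.search(err.get("detail", ""))
    if not sec:
        return None
    return ChallengeFailure(m["ts"], sec["validator"], err.get("status"), sec["detail"])


def resolve_all(domain: str) -> List[str]:
    """Every IPv4 address published for the domain: the set a validator may pick."""
    infos = socket.getaddrinfo(domain, 80, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def probe_challenge(ip: str, domain: str, token: str, timeout: float = 5.0) -> int:
    """GET the challenge URL from one specific IP with the Host header set, as a validator does.

    Returns the HTTP status, or -1 when the TCP connection itself fails.
    """
    try:
        conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
        conn.request("GET", f"/.well-known/acme-challenge/{token}", headers={"Host": domain})
        status = conn.getresponse().status
        conn.close()
        return status
    except OSError:
        return -1


def check_all_interfaces(domain: str, token: str,
                         resolver: Callable[[str], List[str]] = resolve_all,
                         prober: Callable[..., int] = probe_challenge) -> Dict[str, int]:
    """Status per published IP. resolver/prober are injectable so tests run offline."""
    return {ip: prober(ip, domain, token) for ip in resolver(domain)}


def unhealthy(results: Dict[str, int]) -> List[str]:
    """IPs that need attention. This probe does not follow redirects, so 301/302 means
    'look again'; 403 (as in the post) or -1 means that interface will fail validation."""
    return sorted(ip for ip, status in results.items() if status != 200)


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        f = parse_failure(line)
        if f:
            print(f"{f.timestamp}: validator {f.validator} got HTTP {f.status}: {f.detail}")
    if len(sys.argv) == 3:  # usage: script.py <domain> <challenge-token>
        results = check_all_interfaces(sys.argv[1], sys.argv[2])
        print("per-IP status:", results, "needs attention:", unhealthy(results))
```

Run the parser over the UTM log (for example as a log-monitor rule) to alert on the failure instead of discovering it at renewal time, and run the probe against a freshly created test file under /.well-known/acme-challenge/ after any interface or DNS change: every A record must answer 200 for the challenge URL, which is exactly what the two-IP setup described above fails to do.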

  • It's a bug in the Sophos UTM.

    The workaround is to create separate dummy Let's Encrypt certificates for each domain/interface combination. Those certificates don't have to be used anywhere. Put something like "dummy workaround UTM bug" in their name so it's visible why they are there. Unfortunately, the Comment field in the "Add Certificate" panel is a black hole: unlike most other lists in the UTM, the certificates list doesn't render comments (another UTM bug...).

    Then, create the real multi-domain certificate you want to use for the two webservers and choose any of the two interfaces for it.

    I guess the reason why it works is that the UTM creates a shared /.well-known/acme-challenge/ directory that contains challenge files for all interfaces. And if a dummy certificate ensures their challenge is accessible via one interface, it "accidentally" also opens the challenge directory for other challenges.

    AFAIK, the XGS still doesn't have integrated Let's Encrypt support, see Sophos Firewall: [LetsEncrypt] How To in Sophos Firewall. I'm currently looking for a successor for our UTMs from a vendor that pays more attention to customer requirements than Sophos.

