
Let's Encrypt via 2 virtual web servers/interfaces with different IPs

System: Sophos UTM 9.719-3

Dear Sophos Community

We are using the Let's Encrypt bot for a certificate that is used by two different virtual web servers. For this bot, we can only select one external interface.
We have two external interfaces for high availability, and we have two web servers. One for each external interface.
If it were possible to make a virtual web server listen on multiple interfaces, I would only need one.

Both virtual web servers are located on different external interfaces/IPs.
Both are accessible via the same domain.
The external IPs of both interfaces are stored in the DNS.

If I want to use Let's Encrypt in this constellation, the LE service also tries to carry out the challenge via both IP addresses.
However, Sophos does not respond on the 2nd IP address as I can only select 1 interface for the LE bot.

log:
2024:06:18-14:31:14 gateway-2 letsencrypt[16148]: E Renew certificate: COMMAND_FAILED: ["error","detail"] "During secondary validation: ip-address-b: Invalid response from http://***.***/.well-known/acme-challenge/Tz_***: 403"
2024:06:18-14:31:14 gateway-2 letsencrypt[16148]: E Renew certificate: COMMAND_FAILED: ["error","status"] 403
2024:06:18-14:31:14 gateway-2 letsencrypt[16148]: E Renew certificate: COMMAND_FAILED: ["error"] {"type":"urn:ietf:params:acme:error:unauthorized","detail":"During secondary validation: ip-address-b: Invalid response from http://***.***/.well-known/acme-challenge/***s: 403","status":403}

At the moment, I need to delete one of the IPs manually from the DNS for a manual renewal of the certificate.

Does anyone have any ideas how I can achieve this without manual steps?
Would this work with an XGS firewall?
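A pre-renewal check for the situation described in this post, added here as an example and not part of the thread or of Sophos' own tooling: it pulls the IP that failed secondary validation out of UTM log lines shaped like the excerpt above, and probes every A record of the domain on the acme-challenge path with the domain as Host header, so an interface that does not serve the challenge directory is caught before Let's Encrypt does. The probe token name and the assumption that a 200 or 404 means the path is handled are mine.

```python
import json
import re
import socket
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# Matches the UTM "Renew certificate: COMMAND_FAILED" lines quoted in the thread.
LOG_RE = re.compile(r"^\S+ \S+ letsencrypt\[\d+\]: \S Renew certificate: "
                    r"COMMAND_FAILED: \[[^\]]*\] (?P<payload>.*)$")
# Matches the detail text Let's Encrypt returns when a secondary vantage point fails.
DETAIL_RE = re.compile(r"During secondary validation: (?P<ip>[^:]+): "
                       r"Invalid response from (?P<url>\S+): (?P<status>\d{3})")

def parse_failed_ips(log_lines):
    """Return {ip: http_status} for every secondary-validation failure in the log."""
    failed = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        payload = json.loads(m.group("payload"))  # a JSON string, number or object
        detail = payload.get("detail") if isinstance(payload, dict) else payload
        d = DETAIL_RE.search(detail) if isinstance(detail, str) else None
        if d:
            failed[d.group("ip")] = int(d.group("status"))
    return failed

def resolve_a_records(domain):
    """Every IPv4 address published for the domain; LE may validate from any of them."""
    infos = socket.getaddrinfo(domain, 80, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def http_status(ip, domain, path):
    """GET http://<ip><path> with Host: <domain>; HTTP status, or None if unreachable."""
    req = Request(f"http://{ip}{path}", headers={"Host": domain})
    try:
        with urlopen(req, timeout=10) as resp:
            return resp.status
    except HTTPError as err:
        return err.code
    except (URLError, OSError):
        return None

def unreachable_challenge_ips(domain, ips, fetch=http_status,
                              path="/.well-known/acme-challenge/probe-token"):
    """IPs that do not serve the challenge directory. Assumption: a 404 for the
    nonexistent probe token means the path is handled; 403 or no answer is the
    symptom from the thread's log."""
    return [ip for ip in ips if fetch(ip, domain, path) not in (200, 404)]
```

Run `unreachable_challenge_ips(domain, resolve_a_records(domain))` from a host outside the firewall before triggering the renewal; any IP it returns is one Let's Encrypt's secondary validation will also reject.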



  • It's a bug in the Sophos UTM.

    The workaround is to create separate dummy Let's Encrypt certificates for each domain/interface combination. Those certificates don't have to be used anywhere. Put something like "dummy workaround UTM bug" in their name so it's visible why they are there. Unfortunately, the Comment field in the "Add Certificate" panel is a black hole: unlike most other lists in the UTM, the certificates list doesn't render comments (another UTM bug...).

    Then, create the real multi-domain certificate you want to use for the two webservers and choose any of the two interfaces for it.

    I guess the reason why it works is that the UTM creates a shared /.well-known/acme-challenge/ directory that contains challenge files for all interfaces. And if a dummy certificate ensures their challenge is accessible via one interface, it "accidentally" also opens the challenge directory for other challenges.

    AFAIK, the XGS still doesn't have integrated Let's Encrypt support, see "Sophos Firewall: [LetsEncrypt] How To in Sophos Firewall". I'm currently looking for a successor for our UTMs from a vendor that pays more attention to customer requirements than Sophos.

  • Thank you very much. The workaround works. The first attempt did not work. After I started the renewal for both combinations at the same time, it worked without any problems. I hope that the auto-renew also starts at the same time :D

  • Great to hear it works for you, too. By the way: I'd recommend installing an SSL/TLS certificate monitor that warns you when a certificate is about to expire, e.g. site24x7.eu (5 free), trackssl.com (2 free) or hetrixtools.com (15 free, but a bit more complicated to configure). We got burned recently because our admin didn't act upon the UTM's warning that the Let's Encrypt TOS had changed and needed a manual disable/enable of the LE functionality...

