
WAF - Let's Encrypt SSL

What's the proper way of handling this scenario?

I want all traffic to be https. I have a Linux Web server that hosts a few websites behind the UTM and they all share the same IP address (SNI). It is NGINX->Varnish->Apache and the control panel that I use can auto-renew Let's Encrypt SSL certs for each domain. I use the Sophos WAF with Let's Encrypt certs.

Am I supposed to not use the Let's Encrypt functionality of the Linux control panel, only use certs in Sophos UTM, and point the WAF HTTPS Virtual Webserver to a WAF HTTP Real Webserver?

Or do I set both the Linux control panel and the UTM to auto-update Let's Encrypt certs and point the WAF HTTPS Virtual Webserver to a WAF HTTPS Real Webserver?

With the latter option, the UTM and the server will each have different certs for each domain. What issues will arise from that? What issues will be encountered with the first option?

I'm assuming the correct way of handling this situation would be to duplicate the WAF cert on the web server, or vice versa, and point the WAF HTTPS Virtual Webserver to a WAF HTTPS Real Webserver, but doesn't that mean that both the UTM and the Linux web server are encrypting the traffic? I have no clue how to duplicate the certs so both use the same certs. I'm confused.

  • When you say they all share the same IP address, I take it they all use different ports?

  • No. Same port (443). The Linux webserver uses Server Name Indication (SNI). As such, all of my Sophos WAF HTTPS Virtual Webservers use the same WAF Real Webserver and pass the host headers to the Linux server.

    Sophos UTM 9.719-3 - Home User
    Virtual machine on Dell Optiplex 3070
    i3-9100 @ 3.60 GHz, 16 GB RAM
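The question above turns on which certificate each side of the WAF actually presents. A browser that connects to the WAF virtual webserver completes its TLS handshake with the UTM and therefore sees the UTM's certificate for that SNI name; whatever certificate the Linux box holds is only ever used on the second, separate TLS session between the UTM and the real webserver (or not at all, when the real webserver is plain HTTP). The following script is an added example, not code from the thread or from Sophos: it connects to the edge and to the origin with the same SNI host name and reports, per domain, whether the origin is HTTP-only, carries a copy of the same certificate, or has its own. The IP addresses and domain names are assumptions, and the script uses only the Python standard library.

```python
"""Added example (not from the forum post): show which certificate the Sophos UTM
WAF (edge) and the Linux real webserver (origin) each present for one SNI name.

Assumptions (all hypothetical): the WAF virtual webserver listens on EDGE_IP:443,
the NGINX/Varnish/Apache box on ORIGIN_IP, and DOMAINS are the hosted sites.
"""
import hashlib
import socket
import ssl

EDGE_IP = "203.0.113.10"     # assumed public IP of the UTM WAF (documentation range)
ORIGIN_IP = "192.168.10.20"  # assumed LAN IP of the Linux web server
DOMAINS = ["www.example.com", "blog.example.com"]  # assumed hosted sites


def fingerprint_pem(pem: str) -> str:
    """SHA-256 fingerprint (hex) of a PEM certificate, the same value that
    'openssl x509 -noout -fingerprint -sha256' prints without the colons."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def fetch_cert(server_name: str, ip: str, port: int = 443, timeout: float = 5.0):
    """Open a TLS session to ip:port with SNI = server_name.

    Returns ("tls", pem) with the leaf certificate that was actually presented,
    ("not-tls", None) when the port answers but does not speak TLS (a plain-HTTP
    real webserver, for example), or ("unreachable", None) on refused/timeout.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # inspecting, not validating: show any cert at all
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
                der = tls.getpeercert(binary_form=True)
                return "tls", ssl.DER_cert_to_PEM_cert(der)
    except ssl.SSLError:          # must precede OSError: SSLError is a subclass of it
        return "not-tls", None
    except OSError:
        return "unreachable", None


def classify(edge, origin) -> str:
    """Label the deployment for one host name from two fetch_cert() results."""
    edge_state, edge_pem = edge
    origin_state, origin_pem = origin
    if edge_state != "tls":
        return "edge-not-tls"          # virtual webserver is not answering HTTPS for this name
    if origin_state != "tls":
        return "edge-terminates-only"  # HTTPS virtual -> HTTP real: only the UTM cert matters
    if fingerprint_pem(edge_pem) == fingerprint_pem(origin_pem):
        return "same-cert"             # the same certificate is installed on both sides
    return "different-certs"           # each side has its own cert; browsers see the UTM's


def audit(domains, edge_ip, origin_ip):
    """Return {domain: label} for every hosted site, probing edge and origin with SNI."""
    return {d: classify(fetch_cert(d, edge_ip), fetch_cert(d, origin_ip)) for d in domains}


if __name__ == "__main__":
    for domain, label in audit(DOMAINS, EDGE_IP, ORIGIN_IP).items():
        print(f"{domain:30} {label}")
```

Run it from a host that can reach both the public side of the UTM and the LAN side of the web server. Because `verify_mode` is `CERT_NONE`, the script deliberately accepts whatever certificate is offered; it is an inventory tool, not a validation step, and a "different-certs" result is not by itself an error.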