Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 2 replies
  • Subscribers 3 subscribers
  • Views 2426 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Let's Encrypt in UTM9 and IIS

Paul Kocher

Hi!

 

I'm still trying to figure out the easiest way to automatically renew/create certificates using LE in the UTM.

Now this is a neat feature but in the end, this is just the opposite manual work I have to do before we had the feature on the UTM:

Old way:

Create certificate using LE Win-Simple, install in IIS, download to local computer and upload it to the UTM.

 

New way:

Create certificate using LE integration in the UTM. Download cert to local computer, upload to server, install in IIS

 

So if I haven't missed something here, the feature is (apart from automatically creating certificates for the UTM WebAdmin) kind of useless.

 

Is there a way to use the certificate created by UTM without manually copying/installing it in IIS?

 



This thread was automatically locked due to age.
  • 0

    The use case where this makes sense is using WAF to publish the IIS website and don't need to care about the backend certificate. In cases where you use a split brain DNS config to reach an IIS webserver internally over one and externally over another IP it simply has no benefit because you still have to do manual uploads. But you could use an internal CA to care about the IIS certificate and let the UTM do the "external way". So it isn't useless at all but cannot fit all needs for automatic certificate deployments.

    Or another use case would be to publish the web admin / user portal with a LE certificate that is automatically trusted by the clients.

    Gruß / Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner

  • 0 in reply to kerobra_retired

    Well, you might let the UTM handle the LE certificate and then use a scripted solution with the UTM REST API to download the certificate to your webserver if it has been renewed.
    I've posted my Linux way some time ago in the 9.6 beta forum: https://community.sophos.com/products/unified-threat-management/unified-threat-management-beta/sophos-utm-9-6-beta/f/sophos-utm-9-6-public-beta/109535/let-s-encrypt-used-for

    I'm sure there is a way for Windows IIS too (PowerShell or Batch)...

    ----------
    Sophos user, admin and reseller.
    Private Setup:

    • XG: HPE DL20 Gen9 (Core i3-7300, 8GB RAM, 120GB SSD) | XG 18.0 (Home License) with: Web Protection, Site-to-Site-VPN (IPSec, RED-Tunnel), Remote Access (SSL, HTML5)
    • UTM: 2 vCPUs, 2GB RAM, 50GB vHDD, 2 vNICs on vServer (KVM) | UTM 9.7 (Home License) with: Email Protection, Webserver Protection, RED-Tunnel (server)
Unfiltered HTML