So, I have a bunch of web servers on my DMZ that are natted externally with static IPs on my UTM using the classic DNAT/SNAT rules. It all works well except when I generate a new let's encrypt certificate or I try to renew an existing one (either manually or allowing the UTM to do its automatic bit). The only way out that I have been able to master so far is to manually disable the DNAT/SNAT rules, force a manual renew (which works) and then re-enable DNAT/SNAT until next time. Has anyone have gone through a similar issue? What am I doing wrong/not doing? (No, I do not use country blocking, and yes port 80 and 443 are open on the firewall rules). Below is a sample of the log, I'll appreciate any advice.
you don't anything wrong... That's by design.
DNAT take precedence before WAF (WAF is used for LE-certificate exchange).
Compare packetflow within Bobs RULZ: community.sophos.com/.../rulzIf a packed is routed by NAT, WAF don't "see" the packet anymore.
Sophos Solution Partner since 2003 If a post solves your question, click the 'Verify Answer' link at this post.
Thanks, and that makes the let'secrypt certificates renew option on the web application firewall quite a useless implementation...
no. if you use WAF at Sophos this is the perfect solution.
because WAF is more secure tham DNAT, we move from DNAT to WAF the webservers.
If you (or we) wish to mix DNAT Port80/443 and WAF you need a second external IP.
For which services you need the certificates ... if not WAF?
LE uses only port 80 for handshaking ... so NATing Port 443 should be possible.