
LetsEncrypt and WAF on Real Server

UTM 9.705-7

No problem getting & renewing a LE cert in UTM's Certificate Management.  Works great, lasts a long time ;)

Having a problem renewing my LE cert on the real web server behind WAF.

The virt profile for my real server is configured - Type: Encrypted (HTTPS) & redirect.

My LE log shows that when it does the HTTP portion of the challenge,

"url": "http://mydomain.com/.well-known/acme-challenge/XcPCjsRjZk__ATxYfZ_a24Yt-VFKey30cRS2recVpsL1GP2iTg"

it fails with an invalid response.

My workaround is to enable a NAT rule on port 80 to my real server and then manually run the certbot renew on my real server.

For what it matters, my real server is a LEMP stack.

Is "Encrypted (HTTPS) & redirect" incompatible with LE renewals?  (aka anyone else having this issue?)

Do I need to setup a separate profile for http to my real server?

Is this covered somewhere and I just don't know the right search terms?

My goal is to have my real server auto renew on its own fully behind WAF.

  • I think the HTTP to HTTPS redirect is performed before Site Path Routing is able to send the packets to the other server.

    As I know, LE doesn't work using HTTPS. It always needs HTTP to the acme script.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Makes sense.  So what's the right way to configure WAF so auto renewal can occur unattended?

    2 profiles (443 & 80)

  • Split Port 80 and 443 may make things easier.

    Don't know if it is possible to redirect a special path "/le-script-path/" using "Site Path Routing" to your server and redirect all other to Port 443...


    Dirk
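To see which of the two paths (a separate port-80 profile, or a Site Path Routing rule for the challenge path) actually fixes the chain, a pre-flight check that requests the challenge URL the way the HTTP-01 validator does is useful: it starts on plain HTTP, follows any redirect the WAF answers with, and reports every hop and where the chain ends. This is an added example, not code from the thread or from Sophos; it assumes you run it from outside the WAF and pass your own host, token and key authorization (the `token.thumbprint` value certbot places in the challenge file) as placeholders.

```python
import http.client
import ssl
import sys
from urllib.parse import urljoin, urlparse

MAX_HOPS = 10  # assumption: cap the redirect chain the way a validator would, to avoid loops


def fetch_once(url, timeout=10):
    """Issue one GET without following redirects. Returns (status, location, body)."""
    u = urlparse(url)
    if u.scheme == "https":
        conn = http.client.HTTPSConnection(u.hostname, u.port or 443, timeout=timeout,
                                           context=ssl.create_default_context())
    else:
        conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=timeout)
    try:
        conn.request("GET", u.path or "/", headers={"User-Agent": "acme-preflight"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location"), resp.read(4096).decode("utf-8", "replace")
    finally:
        conn.close()


def walk_challenge(url, key_auth, fetch=fetch_once):
    """Follow the hops an HTTP-01 validator would and classify where the chain ends.

    Returns (verdict, hops); hops lists every (url, status) visited, so a WAF redirect
    that lands on a profile not serving the token is visible at a glance.
    """
    hops = []
    for _ in range(MAX_HOPS):
        status, location, body = fetch(url)
        hops.append((url, status))
        if 300 <= status < 400 and location:
            url = urljoin(url, location)  # Location may be relative
            continue
        if status != 200:
            return "http-%d" % status, hops
        # the validator compares the body to the key authorization after trimming whitespace
        return ("ok" if body.strip() == key_auth else "wrong-body"), hops
    return "too-many-redirects", hops


if __name__ == "__main__":
    # usage: python acme_preflight.py mydomain.com <token> <token.thumbprint>
    host, token, key_auth = sys.argv[1:4]
    verdict, hops = walk_challenge("http://%s/.well-known/acme-challenge/%s" % (host, token), key_auth)
    for hop_url, status in hops:
        print("%s -> %s" % (hop_url, status))
    print("verdict:", verdict)
```

A chain that ends in anything but `ok` is what shows up as "invalid response" in the LE log; the hop list tells you whether it was the redirect itself or the HTTPS profile behind it that did not reach the real server.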