UTM 9.705-7
No problem getting & renewing a LE cert in UTM's Certificate Management. Works great, lasts a long time ;)
Having a problem renewing my LE cert on the real web server behind WAF.
The virt profile for my real server is configured - Type: Encrypted (HTTPS) & redirect.
My LE log shows that when it does the http portion of the challenge
"url": "http://mydomain.com/.well-known/acme-challenge/XcPCjsRjZk__ATxYfZ_a24Yt-VFKey30cRS2recVpsL1GP2iTg"
My workaround is to enable a NAT rule on port 80 to my real server and then manually run the certbot renew on my real server.
For what it matters, my real server is a LEMP stack.
Is "Encrypted (HTTPS) & redirect" incompatible with LE renewals? (aka anyone else having this issue?)
Do I need to setup a separate profile for http to my real server?
Is this covered somewhere and I just don't know the right search terms?
My goal is to have my real server auto renew on its own fully behind WAF.
I think the HTTP to HTTPS redirect is performed before sitepath routing is able to send the packets to the other server.
As I know, LE doesn't work using HTTPS. It always needs HTTP to the acme script.
Dirk
Systema Gesellschaft für angewandte Datentechnik mbH // Sophos Platinum Partner, Sophos Solution Partner since 2003. If a post solves your question, click the 'Verify Answer' link at this post.
Makes sense. So what's the right way to configure WAF so auto renewal can occur unattended?
2 profiles (443 & 80)
Splitting port 80 and 443 may make things easier.
Don't know if it is possible to redirect a special path "/le-script-path/" using "Site Path Routing" to your server and redirect all others to port 443...
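Whichever WAF layout is chosen (separate port 80 profile or a Site Path Routing exception), the thing to verify before leaving renewal unattended is that a file under `/.well-known/acme-challenge/` on the real server is reachable over plain HTTP through the WAF without being redirected. The following self-check, an added example that is not from the thread or from Sophos, drops a throwaway token into the web root, fetches it through the public hostname without following redirects, and reports whether the request got through or was caught by the HTTPS redirect; `WEBROOT` and `CHALLENGE_DIR` are assumed defaults for a LEMP host and should be adjusted.

```python
import http.client
import os
import secrets
from urllib.parse import urlsplit

# Assumed defaults (not from the thread): adjust to your LEMP web root.
WEBROOT = "/var/www/html"
CHALLENGE_DIR = ".well-known/acme-challenge"


def classify(status, headers, body, expected):
    """Classify one plain-HTTP fetch of the challenge path.
    headers: dict with lower-cased keys; body: bytes; expected: token content."""
    if status == 200 and body.strip() == expected.encode():
        return "ok"                       # request reached the real server
    if status in (301, 302, 307, 308):
        location = headers.get("location", "")
        if urlsplit(location).scheme == "https":
            return "redirected-to-https"  # WAF redirect answered before routing
        return "redirected"
    if status == 200:
        return "wrong-body"               # something else served the path
    return f"http-{status}"


def probe(host, token, expected, timeout=10):
    """GET http://host/.well-known/acme-challenge/<token> without following redirects."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", f"/{CHALLENGE_DIR}/{token}", headers={"Host": host})
        resp = conn.getresponse()
        headers = {k.lower(): v for k, v in resp.getheaders()}
        return classify(resp.status, headers, resp.read(), expected)
    finally:
        conn.close()


def self_check(host):
    """Place a random token file in the web root, fetch it via the WAF, clean up."""
    token = secrets.token_urlsafe(32)
    expected = f"{token}.selfcheck"
    path = os.path.join(WEBROOT, CHALLENGE_DIR, token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(expected)
    try:
        return probe(host, token, expected)
    finally:
        os.remove(path)


if __name__ == "__main__":
    import sys
    print(self_check(sys.argv[1]))  # e.g. python3 le_selfcheck.py mydomain.com
```

Run it on the real server before each `certbot renew`; anything other than `ok` means the HTTP-01 challenge would fail with the current WAF profile.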