Web Server Security LetsEncrypt and WAF on Real Server

UTM Firewall requires membership for participation - click to join

Thread Info

State Not Answered
+1 person also asked this people also asked this
Locked Locked
Replies 3 replies
Subscribers 4 subscribers
Views 3644 views
Users 0 members are here

Options

Suggested

This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

LetsEncrypt and WAF on Real Server

Pedulla over 3 years ago

UTM 9.705-7

No problem getting & renewing a LE cert in UTM's Certificate Management. Works great, lasts a long time ;)

Having a problem renewing my LE cert on the real web server behind WAF.

The virt profile for my real server is configured - Type: Encrypted (HTTPS) & redirect.

My LE log shows that when it does the http portion of the challenge

"url": "http://mydomain.com/.well-known/acme-challenge/XcPCjsRjZk__ATxYfZ_a24Yt-VFKey30cRS2recVpsL1GP2iTg"

it fails with an invalid response.

My workaround is to enable a NAT rule on port 80 to my real server and then manually run the certbot renew on my real server.

For what it matters, my real server is a LEMP stack.

Is "Encrypted (HTTPS) & redirect" incompatible with LE renewals? (aka anyone else having this issue?)

Do I need to setup a separate profile for http to my real server?

Is this covered somewhere and I just don't know the right search terms?

My goal is to have my real server auto renew on it's own fully behind WAF.

This thread was automatically locked due to age.

Top Replies

dirkkotte over 3 years ago +1

I think the HTTP to HTTPS redirect is performed before sitepath routing is able to send the packets to the other server. As i know, LE don't work using https. It allways need HTTP to the acme- script…

Parents

+1 dirkkotte over 3 years ago

I think the HTTP to HTTPS redirect is performed before sitepath routing is able to send the packets to the other server.

As i know, LE don't work using https. It allways need HTTP to the acme- script.

Dirk

Systema Gesellschaft für angewandte Datentechnik mbH // Sophos Platinum Partner
Sophos Solution Partner since 2003
If a post solves your question, click the 'Verify Answer' link at this post.
Cancel
Vote Up +1 Vote Down

Cancel
0 Pedulla over 3 years ago in reply to dirkkotte

Makes sense. So what's the right way to configure WAF so auto renewal can occur unattended?

2 profiles (443 & 80)
Cancel
Vote Up 0 Vote Down

Cancel
0 dirkkotte over 3 years ago in reply to Pedulla

Split Port 80 and 443 may make things easier.

Don't know if it is possible to redirect a special path "/le-script-path/" using "Site Path Routing" to your server and redirect all other to Port 443...

Dirk

Systema Gesellschaft für angewandte Datentechnik mbH // Sophos Platinum Partner
Sophos Solution Partner since 2003
If a post solves your question, click the 'Verify Answer' link at this post.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 dirkkotte over 3 years ago in reply to Pedulla

Split Port 80 and 443 may make things easier.

Don't know if it is possible to redirect a special path "/le-script-path/" using "Site Path Routing" to your server and redirect all other to Port 443...

Dirk

Systema Gesellschaft für angewandte Datentechnik mbH // Sophos Platinum Partner
Sophos Solution Partner since 2003
If a post solves your question, click the 'Verify Answer' link at this post.
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data