
[HOWTO] Let's Encrypt

Hi all,

I have got a fully working Let's Encrypt setup for multiple domains of my Web Application Firewall on my Sophos UTM 9.4!

On github I have made a manual on how to set it up on your UTM as well. Currently it has a few manual steps to set it up, but I might script this in the future as well.

https://github.com/rklomp/sophos-utm-letsencrypt

Comments, questions and improvements are welcome! And please leave a message if you have got it working as well.

Have fun!

René



  • Thx for this tool! Nice work.

    I was wondering, however: you mention it is possible to save the ACME challenge on another server through FTP, but Sophos UTM doesn't include an FTP client. Is there a way to tackle this?

    I would like to create a Let's Encrypt cert for my Exchange server, which obviously only works with Windows/IIS, which doesn't support SSH.

  • Hi Hans,

    I have not tested it using FTP, I only know the getssl script supports it.

    For my Exchange server I use a Linux machine to host the ACME challenge and use Site Path Routing for the path /.well-known/acme-challenge/ to this Linux machine.

  • Hi klompie,

    I mounted the SMB share on a Linux server and used SSH to upload it to the mount; it works.
    I only wondered if I did something wrong. When I check the certificate with https://www.ssllabs.com/ssltest/analyze.html, it mentions that the cert chain is incomplete: "This server's certificate chain is incomplete. Grade capped to B."

    I uploaded the Let's Encrypt Authority X3 as CA cert.

    Any idea?

  • What is the fingerprint of the intermediate certificate according to ssllabs?


  • This is the same fingerprint as the cert I've uploaded to the UTM.

    2 Extra download Let's Encrypt Authority X3
    Fingerprint SHA1: e6a3b45b062d509b3382282d196efe97d5956ccb
    Pin SHA256: YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=

    RSA 2048 bits (e 65537) / SHA256withRSA
  • Can you have a look at what the ca parameter of your certificate is:

    #cc
    127.0.0.1 MAIN > OBJS
    Switched to OBJS mode.
    127.0.0.1 OBJS > ca
    127.0.0.1 OBJS ca > host_key_cert
    127.0.0.1 OBJS ca host_key_cert > <cert_name>

    One of the first lines should be something like: 'ca' => 'REF_CaVerXXXXXXX'

    You can just enter the value of ca directly on the cli to show if this is indeed the correct ca certificate.

    I have the idea that I should have the script update this parameter, because the UTM does not do it automatically.

    Example:

    127.0.0.1 OBJS ca host_key_cert > REF_CaHosLetsEncryp[Let's Encrypt,ca,host_key_cert] 
    Logged into object 'REF_CaHosLetsEncryp'. Use 'w' to write eventual changes.
    {
    'ca' => 'REF_CaVerLetsEncryp',
    ..
    ..
    }
    127.0.0.1 OBJS ca host_key_cert [REF_CaHosLetsEncryp] > REF_CaVerLetsEncryp
    Logged into object 'REF_CaVerLetsEncryp'. Use 'w' to write eventual changes.
    {
    ..
    Subject: C=US, O=Let\'s Encrypt, CN=Let\'s Encrypt Authority X3
    ..
    }
  • Unknown said:
    "One of the first lines should be something like: 'ca' => 'REF_CaVerXXXXXXX'"

    There is no line REF_CaVerXXXXXX when I use the "host_key_cert" command, only REF_CaHosXXXXX.
    I can, however, find the certificate REF_CaVerLetsEncryAutho with the command "verification_ca".
    I copied the info of my host certificate.


    127.0.0.1 OBJS ca host_key_cert > REF_CaHosXXXXXXXXXX[xxxxxxx,ca,host_key_cert]
    Logged into object 'REF_CaHosxxxxxxx'. Use 'w' to write eventual changes.
    {
    'ca' => '',
    'certificate' => 'Certificate:


    I guess the 'ca' value needs to be updated?

  • Hans Gooijen said:

    I guess the 'ca' value needs to be updated?


    I have not yet been able to reproduce this. When I unset the ca value for my host certificate I still get the full certificate chain.

    Can you have a look at the generated apache config file:

    cat /var/chroot-reverseproxy/usr/apache/conf/reverseproxy.conf

    Under the virtual host with the corresponding server name there should be an SSLCACertificateFile configured.


    The same issue is also reported on github: https://github.com/rklomp/sophos-utm-letsencrypt/issues/1
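    As an added example (not from René's project and not posted by anyone in this thread), the following POSIX shell script builds a throwaway Root -> Intermediate -> Leaf chain with openssl and reproduces the two situations discussed above: a client that trusts only the root rejects the leaf when the server sends the leaf alone (the "chain is incomplete" result SSL Labs reports), and accepts it once the intermediate is supplied alongside it, which is what Apache's SSLCACertificateFile (the UTM's .CAs file) provides. It also lists the subject and issuer of every certificate in a PEM bundle, the quickest way to confirm the intermediate is actually in the file. All names (Constructed Root, www.example.test), the temporary directory and the helper function names are constructed for this example; nothing here touches a real UTM.

```shell
#!/bin/sh
# Added example, not code from the thread or the sophos-utm-letsencrypt project.
# Builds a constructed Root -> Intermediate -> Leaf chain and shows how a verifier
# that trusts only the root behaves with and without the intermediate.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# One config file: a [req] section so openssl req works without the system
# openssl.cnf, plus extension sets for CA certificates and for the server leaf.
cat > "$WORK/ext.cnf" <<'EOF'
[req]
distinguished_name = req_dn
prompt = no
[req_dn]
CN = overridden-by-subj
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF

# Constructed keys: one per certificate in the chain.
for name in root intermediate leaf; do
    openssl genrsa -out "$WORK/$name.key" 2048 2>/dev/null
done

# Self-signed root (the only thing the "client" below will trust).
openssl req -x509 -new -config "$WORK/ext.cnf" -extensions v3_ca \
    -key "$WORK/root.key" -subj "/CN=Constructed Root" -days 30 \
    -out "$WORK/root.pem"

# sign NAME SUBJECT ISSUER EXTSECTION: issue NAME.pem for SUBJECT with ISSUER's key.
sign() {
    openssl req -new -config "$WORK/ext.cnf" -key "$WORK/$1.key" -subj "$2" \
        -out "$WORK/$1.csr"
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
        -CAcreateserial -days 30 -extfile "$WORK/ext.cnf" -extensions "$4" \
        -out "$WORK/$1.pem" 2>/dev/null
}
sign intermediate "/CN=Constructed Intermediate" root v3_ca
sign leaf "/CN=www.example.test" intermediate v3_leaf

# verify_chain ROOT LEAF [INTERMEDIATE]
# Exit 0 when LEAF chains up to ROOT. Without the third argument the verifier
# only has the root, which is exactly a server that sends the leaf alone.
verify_chain() {
    if [ $# -ge 3 ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# Print subject and issuer of every certificate in a PEM bundle, in file order.
list_chain() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}
# Number of certificates in a PEM bundle (counts the "subject=" lines above).
cert_count() { list_chain "$1" | grep -c '^subject='; }

# 1. Leaf only: the client cannot find the intermediate, so the chain is incomplete.
if verify_chain "$WORK/root.pem" "$WORK/leaf.pem"; then
    echo "unexpected: leaf verified without the intermediate"
    exit 1
else
    echo "leaf only: incomplete chain (unable to get local issuer certificate)"
fi

# 2. Leaf plus intermediate, the bundle a correctly configured server sends.
cat "$WORK/leaf.pem" "$WORK/intermediate.pem" > "$WORK/fullchain.pem"
verify_chain "$WORK/root.pem" "$WORK/leaf.pem" "$WORK/intermediate.pem"
echo "leaf + intermediate: chain complete"
list_chain "$WORK/fullchain.pem"
```

    To apply the same check to a bundle exported from the UTM, run list_chain on the file SSLCACertificateFile points to: if it lists only the leaf's own CA but not the issuer SSL Labs shows under "Extra download", the intermediate is missing from what the reverse proxy serves.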


  • It mentions this value:
    SSLCACertificateFile /usr/apache/conf/ssl/REF_CaHosXXXXXXXXX.CAs
    The file does exist.

  • Just wanted to update that the certificate chain issue is resolved. A couple of days ago the certificate was renewed, and now the chain is OK.
    Thx for your support.