[HOWTO] Let's Encrypt

Hi all,

I have got a fully working Let's Encrypt setup for multiple domains of my Web Application Firewall on my Sophos UTM 9.4!

On github I have made a manual on how to set it up on your UTM as well. Currently it has a few manual steps to set it up, but I might script this in the future as well.

https://github.com/rklomp/sophos-utm-letsencrypt

Comments, questions and improvements are welcome! And please leave a message if you have got it working as well.

Have fun!

René

  • Thx for this tool! Nice work.

    I was wondering, however: you mention it is possible to save the ACME challenge on another server through FTP, but Sophos UTM doesn't include an FTP client. Is there a way to tackle this?

    I would like to create a Let's Encrypt cert for my Exchange server, which obviously only works with Windows/IIS, which doesn't support SSH.

  • Hi Hans,

    I have not tested it using FTP; I only know the getssl script supports it.

    For my Exchange server I use a Linux machine to host the ACME challenge, and use Site Path Routing for the path /.well-known/acme-challenge/ to this Linux machine.

  • Hi klompie,

    I mounted the SMB share on a Linux server and used SSH to upload it to the mount; it works.
    I only wondered if I did something wrong. When I check the certificate with https://www.ssllabs.com/ssltest/analyze.html, it mentions that the cert chain is incomplete: "This server's certificate chain is incomplete. Grade capped to B."

    I uploaded the Let's Encrypt Authority X3 as the CA cert.

    Any idea?

  • What is the fingerprint of the intermediate certificate according to ssllabs?

  • This is the same fingerprint as the cert I've uploaded to the UTM.

    2 Extra download Let's Encrypt Authority X3
    Fingerprint SHA1: e6a3b45b062d509b3382282d196efe97d5956ccb
    Pin SHA256: YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=

    RSA 2048 bits (e 65537) / SHA256withRSA
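The ssllabs warning quoted above ("certificate chain is incomplete") means the server presented the host certificate without the intermediate that issued it. The following script is an added example, not part of this thread or of the rklomp/sophos-utm-letsencrypt project: it checks, offline, that a list of PEM certificates in send order forms a complete chain (each certificate's issuer Name equals the next certificate's subject Name, compared as raw DER) and that the intermediate's SHA-1 fingerprint equals the one ssllabs listed for Let's Encrypt Authority X3. It assumes a hypothetical host name `www.example.com` and a hypothetical "Test Root CA"; the certificates it builds are constructed, unsigned DER skeletons used only to exercise the parser, so in practice you would feed it the PEM blocks the server actually serves (for example from `openssl s_client -showcerts`).

```python
"""Offline check for the "certificate chain is incomplete" symptom from the thread.
Walks PEM certificates in send order: host certificate first, then the intermediate
that issued it. Standard library only; the DER walker is minimal on purpose."""
import base64
import hashlib
import re

# SHA-1 fingerprint of Let's Encrypt Authority X3, as listed in the thread.
LE_X3_SHA1 = "e6a3b45b062d509b3382282d196efe97d5956ccb"


def _der(tag, content):
    """Encode one DER TLV element (definite length, up to 65535 bytes)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + length + content


def _name(cn):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, here a single commonName (2.5.4.3)."""
    atv = _der(0x30, bytes.fromhex("0603550403") + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, atv))


def make_test_cert(subject_cn, issuer_cn):
    """Constructed test data: a structurally valid but UNSIGNED X.509 DER skeleton."""
    sha256_rsa = _der(0x30, bytes.fromhex("06092a864886f70d01010b") + b"\x05\x00")
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),                       # [0] EXPLICIT version v3
        _der(0x02, b"\x01"),                                   # serialNumber
        sha256_rsa,                                            # signature algorithm
        _name(issuer_cn),                                      # issuer
        _der(0x30, _der(0x17, b"200101000000Z") + _der(0x17, b"300101000000Z")),  # validity
        _name(subject_cn),                                     # subject
        _der(0x30, _der(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")
             + _der(0x03, b"\x00")),                           # subjectPublicKeyInfo (empty key)
    ]))
    return _der(0x30, tbs + sha256_rsa + _der(0x03, b"\x00"))  # empty signatureValue


def der_to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def pem_to_der(pem):
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


def _tlv(data, pos):
    """Return (tag, content_start, content_end) of the DER element at pos."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _children(data, start, end):
    """Yield (tag, content_start, content_end) for each element directly inside [start, end)."""
    pos = start
    while pos < end:
        tag, cs, ce = _tlv(data, pos)
        yield tag, cs, ce
        pos = ce


def names(der):
    """Return (issuer, subject) as the raw DER contents of the two Name SEQUENCEs."""
    _, cert_start, _ = _tlv(der, 0)                  # Certificate ::= SEQUENCE
    _, tbs_start, tbs_end = _tlv(der, cert_start)    # tbsCertificate ::= SEQUENCE
    fields = list(_children(der, tbs_start, tbs_end))
    if fields[0][0] == 0xA0:                         # optional [0] version comes first
        fields = fields[1:]
    # order: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return der[fields[2][1]:fields[2][2]], der[fields[4][1]:fields[4][2]]


def sha1_fingerprint(der):
    return hashlib.sha1(der).hexdigest()


def check_chain(pems, expected_intermediate_sha1=None):
    """Return findings for a chain given in send order; an empty list means it looks complete."""
    certs = [pem_to_der(p) for p in pems]
    if len(certs) < 2:
        return ["incomplete: only the host certificate was sent, no intermediate"]
    findings = []
    for i in range(len(certs) - 1):
        issuer, _ = names(certs[i])
        _, next_subject = names(certs[i + 1])
        if issuer != next_subject:
            findings.append(f"certificate {i} was not issued by certificate {i + 1}")
    if expected_intermediate_sha1:
        fp = sha1_fingerprint(certs[1])
        if fp != expected_intermediate_sha1.lower():
            findings.append(f"intermediate fingerprint {fp} != expected {expected_intermediate_sha1}")
    return findings


# Constructed sample chain: hypothetical host name, root CA name; intermediate CN is the one on the page.
INTERMEDIATE_CN = "Let's Encrypt Authority X3"
HOST_PEM = der_to_pem(make_test_cert("www.example.com", INTERMEDIATE_CN))
INTERMEDIATE_PEM = der_to_pem(make_test_cert(INTERMEDIATE_CN, "Test Root CA"))

if __name__ == "__main__":
    print("full chain :", check_chain([HOST_PEM, INTERMEDIATE_PEM]) or "ok")
    print("host only  :", check_chain([HOST_PEM]))
    print("real X3 fp?:", check_chain([HOST_PEM, INTERMEDIATE_PEM], LE_X3_SHA1))
```

The third call reports a fingerprint mismatch on purpose: the constructed intermediate is not the real Let's Encrypt Authority X3, which is exactly the signal you want when a server sends some other CA certificate in the intermediate slot. Against a real server the chain should come back empty with the X3 fingerprint supplied.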
  • Can you have a look at what the ca parameter of your certificate is:

    #cc
    127.0.0.1 MAIN > OBJS
    Switched to OBJS mode.
    127.0.0.1 OBJS > ca
    127.0.0.1 OBJS ca > host_key_cert
    127.0.0.1 OBJS ca host_key_cert > <cert_name>

    One of the first lines should be something like: 'ca' => 'REF_CaVerXXXXXXX'

    You can just enter the value of ca directly on the cli to show if this is indeed the correct ca certificate.

    I have the idea that I should have the script update this parameter, because the UTM does not do it automatically.

    Example:

    127.0.0.1 OBJS ca host_key_cert > REF_CaHosLetsEncryp[Let's Encrypt,ca,host_key_cert] 
    Logged into object 'REF_CaHosLetsEncryp'. Use 'w' to write eventual changes.
    {
    'ca' => 'REF_CaVerLetsEncryp',
    ..
    ..
    }
    127.0.0.1 OBJS ca host_key_cert [REF_CaHosLetsEncryp] > REF_CaVerLetsEncryp
    Logged into object 'REF_CaVerLetsEncryp'. Use 'w' to write eventual changes.
    {
    ..
    Subject: C=US, O=Let\'s Encrypt, CN=Let\'s Encrypt Authority X3
    ..
    }
  • Unknown said:
    One of the first lines should be something like: 'ca' => 'REF_CaVerXXXXXXX'

    There is no line REF_CaVerXXXXXX when I use the "host_key_cert" command, only REF_CaHosXXXXX.
    I can, however, find the certificate REF_CaVerLetsEncryAutho with the "verification_ca" command.
    I copied the info of my host certificate.

    127.0.0.1 OBJS ca host_key_cert > REF_CaHosXXXXXXXXXX[xxxxxxx,ca,host_key_cert]
    Logged into object 'REF_CaHosxxxxxxx'. Use 'w' to write eventual changes.
    {
    'ca' => '',
    'certificate' => 'Certificate:

    I guess the 'ca' value needs to be updated?

  • Hans Gooijen said:

    I guess the 'ca' value needs to be updated?

    I have not yet been able to reproduce this. When I unset the ca value for my host certificate I still get the full certificate chain.

    Can you have a look at the generated apache config file:

    cat /var/chroot-reverseproxy/usr/apache/conf/reverseproxy.conf

    Under the virtual host with the corresponding server name there should be an SSLCACertificateFile configured.

    The same issue is also reported on github: https://github.com/rklomp/sophos-utm-letsencrypt/issues/1

  • It mentions this value:
    SSLCACertificateFile /usr/apache/conf/ssl/REF_CaHosXXXXXXXXX.CAs
    The file does exist.

  • Just wanted to update that the certificate chain issue is resolved. A couple of days ago the certificate was renewed, and now the chain is OK.
    Thx for your support.