[HOWTO] Let's Encrypt

Hi all,

I have got a fully working Let's Encrypt setup for multiple domains of my Web Application Firewall on my Sophos UTM 9.4!

On GitHub I have made a manual on how to set it up on your UTM as well. Currently it has a few manual steps to set it up, but I might script this in the future as well.

https://github.com/rklomp/sophos-utm-letsencrypt

Comments, questions and improvements are welcome! And please leave a message if you have got it working as well.

Have fun!

René



  • Silly question, I read that installing a Let's Encrypt cert won't work for HTTPS decrypt/encrypt in web protection.

  • That is true.

    You cannot use a publicly signed CA for SSL decryption.

    It would break the TLS/SSL security technology.

    __________________________________________________________________________________________________________________

  • So the alternative would be what?

  • I know that your comment that "it would break the TLS/SSL security technology" is true, MBP, but I never asked why. Can you expand on why this is the case?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Unknown said:

    So the alternative would be what?

     

    Install the UTM-generated SSL certificate into your systems. Like this: https://community.sophos.com/kb/en-us/115315#How%20to%20deploy%20the%20Proxy%20CA - note that using the Active Directory deployment method doesn't cover Firefox because years ago Firefox divorced its certificate management from Windows and there is no "easy" way to deploy that certificate on a mass scale - unless someone has access to GPO templates that include the Firefox certificate store since the last time I looked for some.

    The steps in that article are a bit light on how to do that AD import, but this article for their web gateway applies https://community.sophos.com/kb/en-us/42153#GPMC - just use the cert you download from the AD step in the previous article in step 8 from this link to the "Installing the CA with Group Policy Using the Group Policy Management Console (GPMC)" procedure.

  • Simple - You are performing a Man-in-the-middle attack.

    The browser wants to warn the user, so it shows the user that this certificate is untrusted.

    Why is it untrusted? XG/UTM gives the client a certificate for, let's say, google.com.

    So the browser shows the user that something is wrong with the certificate of this page and tries to warn the user.

    You can work around this and give the browser the root CA of XG/UTM; then the browser knows this will happen and does not show any alert.

    What happens if you could use a publicly signed certificate for this? You would have a "trusted" CA which could create a certificate for google and all clients on earth would trust it.

    So basically you could go to a hub and perform a man in the middle attack without any user notice and you could read the whole encrypted traffic.

    At this point, we can stop doing TLS at all.

    For sure, I understand the need of "don't push any CA to the clients". It would be lovely to perform HTTPS decryption for your Guest network. Many schools ask for this to have more security over their network of the students.

    Hope this helps. 

    __________________________________________________________________________________________________________________