This discussion has been locked.

[HOWTO] Let's Encrypt

Hi all,

I have got a fully working Let's Encrypt setup for multiple domains of my Web Application Firewall on my Sophos UTM 9.4!

On github I have made a manual on how to set it up on your UTM as well. Currently it has a few manual steps to set it up, but I might script this in the future as well.

https://github.com/rklomp/sophos-utm-letsencrypt

Comments, questions and improvements are welcome! And please leave a message if you have got it working as well.

Have fun!

René



  • If you use the certificate reference of your current Let's Encrypt certificate the script will overwrite the contents of this certificate with the newly retrieved certificate.

    For testing purposes I would recommend creating a new certificate. This way you will keep your current Let's Encrypt certificate separate and you can easily roll back.

  • Yeah, I started looking through your code and decided it would be easier to just replace it in a while. Unfortunately, between playing with certbot and your tool, I have hit my limit for the week (doh - shot self in foot). I am simply trying to move away from the free StartSSL certs and was able to manually generate the cert I needed, but then decided to try your process. I am still hesitant to execute code on the firewall like this and wish there was an easier way to manage this cert off the box. I might look into that process if you don't mind me hacking away at your code to see if I can pull it off. I will likely disable the version checking code in your script because I do not like the script (no offense intended) communicating to anything except Let's Encrypt.

  • Hi René,

    Thanks for such a great script. Just what I was looking for to use on my home project server.

    I think I've got everything working this end and my browsers now all show a happy green padlock....with one exception!

    It seems Android does not recognise the CA properly? When reading around on this it mentions I might need to serve the intermediate cert using the fullchain.pem example here, however I'm not sure how I would modify the script to do this, or even if it's possible with your method?

    Any help with this would be great, 

    Thanks again for the handy hack and enjoy a latte on me,

    James

  • No worries, seems to be working now, must have been caching the old cert or something

  • Thx for this tool! nice work.

    I was wondering, however: you mention it is possible to save the ACME challenge on another server through FTP, but Sophos UTM doesn't include an FTP client. Is there a way to tackle this?

    I would like to create a Let's Encrypt cert for my Exchange server, which obviously only works with Windows/IIS, which doesn't support SSH.

  • Hi Hans,

    I have not tested it using FTP, I only know the getssl script supports it.

    For my exchange server I use a linux machine to host the acme challenge and use Site Path Routing for path /.well-known/acme-challenge/ to this linux machine

  • Hi klompie,

    I mounted the SMB share on a Linux server and used SSH to upload it to the mount; it works.
    I only wondered if I did something wrong. When I check the certificate with https://www.ssllabs.com/ssltest/analyze.html, it mentions that the cert chain is incomplete: "This server's certificate chain is incomplete. Grade capped to B."

    I uploaded the Let's Encrypt Authority X3 as CA cert.

    any idea?

  • What is the fingerprint of the intermediate certificate according to ssllabs?

  • This is the same fingerprint as the cert I've uploaded to UTM.

    2 Extra download Let's Encrypt Authority X3
    Fingerprint SHA1: e6a3b45b062d509b3382282d196efe97d5956ccb
    Pin SHA256: YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=

    RSA 2048 bits (e 65537) / SHA256withRSA

  • Can you have a look at what the ca parameter of your certificate is:

    #cc
    127.0.0.1 MAIN > OBJS
    Switched to OBJS mode.
    127.0.0.1 OBJS > ca
    127.0.0.1 OBJS ca > host_key_cert
    127.0.0.1 OBJS ca host_key_cert > <cert_name>

    One of the first lines should be something like: 'ca' => 'REF_CaVerXXXXXXX'

    You can just enter the value of ca directly on the cli to show if this is indeed the correct ca certificate.

    I have the idea that I should have the script update this parameter, because the UTM does not do it automatically.

    Example:

    127.0.0.1 OBJS ca host_key_cert > REF_CaHosLetsEncryp[Let's Encrypt,ca,host_key_cert] 
    Logged into object 'REF_CaHosLetsEncryp'. Use 'w' to write eventual changes.
    {
    'ca' => 'REF_CaVerLetsEncryp',
    ..
    ..
    }
    127.0.0.1 OBJS ca host_key_cert [REF_CaHosLetsEncryp] > REF_CaVerLetsEncryp
    Logged into object 'REF_CaVerLetsEncryp'. Use 'w' to write eventual changes.
    {
    ..
    Subject: C=US, O=Let\'s Encrypt, CN=Let\'s Encrypt Authority X3
    ..
    }
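
The "chain incomplete" diagnosis in this thread comes down to three checks: does the server send the intermediate after the leaf (fullchain.pem), does the leaf's issuer DN actually match the intermediate you uploaded (what the UTM's 'ca' reference has to resolve to), and does the intermediate's fingerprint/pin match what SSL Labs reports. The script below is an added example, not code from the thread or from the sophos-utm-letsencrypt project: it builds a throw-away root, intermediate and leaf with openssl so it runs offline, then shows that `openssl verify` fails with the leaf alone and passes once the intermediate is supplied, and computes the SHA1 fingerprint and the SHA256 SPKI pin in the formats SSL Labs prints. It assumes openssl 1.1.1 or newer on PATH; the CA and host names (Toy Root CA, Toy Intermediate, www.example.org) are made up.

```sh
#!/bin/sh
# Added example (not from the thread or the sophos-utm-letsencrypt project):
# build a throw-away root -> intermediate -> leaf chain with openssl and run the
# checks used to diagnose an "incomplete chain" report.
# Assumes openssl 1.1.1 or newer on PATH. All names below are made up.

# make_toy_pki DIR: write root.pem, int.pem, leaf.pem and fullchain.pem to DIR.
make_toy_pki() {
    dir=$1
    mkdir -p "$dir"

    # Root CA: CSR self-signed with 'x509 -req' so only the extensions from the
    # extfile land in the cert (no duplicates from the default openssl.cnf).
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Toy Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/ca.ext"
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 2 -sha256 \
        -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null

    # Intermediate CA: signed by the root, same CA extensions.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Toy Intermediate" \
        -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 2 -sha256 -extfile "$dir/ca.ext" -out "$dir/int.pem" 2>/dev/null

    # Leaf: signed by the intermediate, end-entity extensions only.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=www.example.org" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.org\n' > "$dir/leaf.ext"
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
        -CAcreateserial -days 2 -sha256 -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" 2>/dev/null

    # fullchain.pem: leaf first, then the intermediate. This is what the server
    # has to send; the root is expected to be in the client's trust store.
    cat "$dir/leaf.pem" "$dir/int.pem" > "$dir/fullchain.pem"
}

# chain_verifies ROOT LEAF [INTERMEDIATE]: succeed if LEAF chains up to ROOT using
# only the certificates passed in, which is all a client with ROOT in its trust
# store (and no AIA fetching) has to work with.
chain_verifies() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# issuer_matches CERT ISSUER_CERT: succeed if CERT's issuer DN equals
# ISSUER_CERT's subject DN, i.e. ISSUER_CERT is the one the chain (or the
# UTM's 'ca' reference) has to point at.
issuer_matches() {
    i=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
    s=$(openssl x509 -in "$2" -noout -subject | sed 's/^subject=//')
    [ "$i" = "$s" ]
}

# sha1_fingerprint CERT: SHA-1 over the DER certificate, lower-case hex without
# colons, the way SSL Labs prints "Fingerprint SHA1".
sha1_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 \
        | sed -e 's/^.*=//' -e 's/://g' | tr 'A-F' 'a-f'
}

# spki_pin CERT: base64(SHA-256(DER SubjectPublicKeyInfo)), the "Pin SHA256"
# value SSL Labs shows (the HPKP pin format).
spki_pin() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -binary \
        | openssl base64
}

# Stand-alone demo: build the toy PKI in a temp dir and print the checks.
demo() {
    d=$(mktemp -d)
    make_toy_pki "$d"
    printf 'leaf issuer == intermediate subject: '
    issuer_matches "$d/leaf.pem" "$d/int.pem" && echo yes || echo no
    printf 'leaf alone (only the leaf served):    '
    chain_verifies "$d/root.pem" "$d/leaf.pem" && echo OK || echo "FAIL (chain incomplete)"
    printf 'leaf + intermediate (fullchain.pem):  '
    chain_verifies "$d/root.pem" "$d/leaf.pem" "$d/int.pem" && echo OK || echo FAIL
    echo "intermediate SHA1 fingerprint: $(sha1_fingerprint "$d/int.pem")"
    echo "intermediate SPKI pin:         $(spki_pin "$d/int.pem")"
    rm -rf "$d"
}

demo
```

Run it as `sh chaincheck.sh`. To apply the same checks to a live box, capture what the server actually sends with `openssl s_client -connect host:443 -showcerts` and feed the leaf and the intermediate it returns (if any) to `chain_verifies`, `issuer_matches`, `sha1_fingerprint` and `spki_pin`; the fingerprint and pin of the intermediate are what SSL Labs lists for the "Extra download" entry.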