[HOWTO] Let's Encrypt

Hi all,

I have got a fully working Let's Encrypt setup for multiple domains of my Web Application Firewall on my Sophos UTM 9.4!

On GitHub I have made a manual on how to set it up on your UTM as well. Currently it has a few manual steps to set it up, but I might script this in the future as well.

https://github.com/rklomp/sophos-utm-letsencrypt

Comments, questions and improvements are welcome! And please leave a message if you have got it working as well.

Have fun!

René
  • Unknown said:
    One of the first lines should be something like: 'ca' => 'REF_CaVerXXXXXXX'

    There is no line REF_CaVerXXXXXX when I use the "host_key_cert" command, only REF_CaHosXXXXX.
    I can however find the certificate REF_CaVerLetsEncryAutho with command "verification_ca".
    I copied the info of my host certificate.

    127.0.0.1 OBJS ca host_key_cert > REF_CaHosXXXXXXXXXX[xxxxxxx,ca,host_key_cert]
    Logged into object 'REF_CaHosxxxxxxx'. Use 'w' to write eventual changes.
    {
    'ca' => '',
    'certificate' => 'Certificate:

    I guess the 'ca' value needs to be updated?

  • Hi René, hi guys,

    I don't get a crt-file, I only have a csr and key file. I execute the command ./getssl -f -d mydomain.com and get the following message:

    ./getssl: line 472: -4: substring expression < 0

    What have I done wrong? Any suggestions?

    Thanks in advance.

    Greets

    Sérgio

  • Hans Gooijen said:

    I guess the 'ca' value needs to be updated?

    I have not yet been able to reproduce this. When I unset the ca value for my host certificate I still get the full certificate chain.

    Can you have a look at the generated apache config file:

    cat /var/chroot-reverseproxy/usr/apache/conf/reverseproxy.conf

    Under the VirtualHost with the corresponding ServerName there should be an SSLCACertificateFile configured.

    The same issue is also reported on github: https://github.com/rklomp/sophos-utm-letsencrypt/issues/1
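The check Hans asks for above (each VirtualHost in reverseproxy.conf should carry an SSLCACertificateFile), as an added Python example that is not from this thread or from the sophos-utm-letsencrypt project: it parses a constructed sample config in the UTM's style and reports which SSL vhosts lack the CA chain directive. The sample config, ServerName values and REF_ ids are placeholders.

```python
"""Report, per VirtualHost, whether SSLCACertificateFile is configured.

Added example, not from the forum thread or the sophos-utm-letsencrypt
project. Run it against /var/chroot-reverseproxy/usr/apache/conf/reverseproxy.conf
on a UTM; here a constructed sample with placeholder REF_ ids is used.
"""
import re
from typing import Dict, List

VHOST_OPEN = re.compile(r"^\s*<VirtualHost\b", re.IGNORECASE)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost>", re.IGNORECASE)
DIRECTIVE = re.compile(r"^\s*(\S+)\s+(.*?)\s*$")

# Constructed sample in the style of the UTM-generated reverseproxy.conf.
SAMPLE_CONF = """\
<VirtualHost 0.0.0.0:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile /usr/apache/conf/ssl/REF_CaHosXXXXXXXXXX.pem
    SSLCACertificateFile /usr/apache/conf/ssl/REF_CaHosXXXXXXXXXX.CAs
</VirtualHost>
<VirtualHost 0.0.0.0:443>
    ServerName mail.example.com
    SSLEngine on
    SSLCertificateFile /usr/apache/conf/ssl/REF_CaHosYYYYYYYYYY.pem
</VirtualHost>
"""

def parse_vhosts(conf: str) -> List[Dict[str, str]]:
    """One dict of directives per <VirtualHost> block; keys are lower-cased
    because Apache directive names are case-insensitive. Last value wins."""
    vhosts, current = [], None
    for line in conf.splitlines():
        if VHOST_OPEN.match(line):
            current = {}
        elif VHOST_CLOSE.match(line):
            if current is not None:
                vhosts.append(current)
            current = None
        elif current is not None and not line.lstrip().startswith("#"):
            m = DIRECTIVE.match(line)
            if m:
                current[m.group(1).lower()] = m.group(2)
    return vhosts

def chain_report(conf: str) -> Dict[str, bool]:
    """Map ServerName -> True if the SSL vhost has SSLCACertificateFile set."""
    return {v.get("servername", "<no ServerName>"): "sslcacertificatefile" in v
            for v in parse_vhosts(conf) if v.get("sslengine", "").lower() == "on"}

if __name__ == "__main__":
    for name, ok in chain_report(SAMPLE_CONF).items():
        print(f"{name}: {'chain configured' if ok else 'MISSING SSLCACertificateFile'}")
```

A vhost reported as missing the directive will serve the leaf certificate without the Let's Encrypt intermediate, which is exactly the incomplete-chain symptom discussed in this thread.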

  • Unknown said:
    I don't get a crt-file, I only have a csr and key file. I execute the command ./getssl -f -d mydomain.com and get the following message:

    ./getssl: line 472: -4: substring expression < 0

    Have you been able to solve this already?

  • It mentions this value:
    SSLCACertificateFile /usr/apache/conf/ssl/REF_CaHosXXXXXXXXX.CAs
    The file does exist.

  • Hello René,

    First of all, thank you for your script and for the clearly written instructions. Great work.

    Despite following it step-by-step I encountered a problem: when running the script all seems to work, the certificate can indeed be found in the indicated location, but the certificate Sophos uses is not updated... it even says in the output "Updating certificate meta to object None".

    The message seems clear but I have no clue in how to fix it.

    To be complete, I had to deviate from your tutorial by removing "/root/" from SSLCONF="/root/openssl.cnf" in the "getssl.cfg" file else "openssl.cnf" was not found.

    This is the output (I replaced my actual domain with "domain.com"):

    ./getssl -f domain.com
    Registering account
    Verify each domain
    Verifying domain.com
    domain.com is already validated
    Verification completed, obtaining certificate.
    Certificate saved in .getssl/domain.com/domain.com.crt
    The intermediate CA cert is in .getssl/domain.com/chain.crt
    reloading SSL services
    Writing certificate for ddomain.com to object REF_uEztNJUMGUypRE
    Updating certificate meta to object None
    Done!
    getssl: domain.com - certificate obtained but certificate on server is different from the new certificate

    Any pointers towards troubleshooting this? I double checked the reference, used the original certificate and created a dummy one to be overwritten.

    Thank you very much for your feedback.

    With best regards,

    ShadowHunter

  • Fixed it... It turned out I was copy/pasting all the time "getssl -c", didn't even pay attention to it... when running it normally, all is updated smoothly.

    Until Sophos implements it... this is a great way to go!

    Again thank you René for your script.

    With best regards,

    ShadowHunter

  • Just wanted to update that the certificate chain issue is resolved. A couple of days ago the certificate was renewed, and now the chain is OK.
    Thx for your support.

  • Does someone know if this method works for generating a SAN certificate?

    Or do we need to generate for each URL?

    It seems like Let's Encrypt does support SAN certificates (https://letsencrypt.org/docs/faq/)

  • Yes, you can. Use the SANS configuration parameter for this.