
[HOWTO] Let's Encrypt

Hi all,

I have got a fully working Let's Encrypt setup for multiple domains of my Web Application Firewall on my Sophos UTM 9.4!

On GitHub I have made a manual on how to set it up on your UTM as well. Currently it has a few manual steps to set it up, but I might script this in the future as well.

https://github.com/rklomp/sophos-utm-letsencrypt

Comments, questions and improvements are welcome! And please leave a message if you have got it working as well.

Have fun!

René



  • Great!

    Thanks for the quick reply. 

    I will give it a try later!

  • Hi René

    Thx a lot for your work. In the past I used StartSSL SAN certificates which I wanted/had to replace with Let's Encrypt certificates.

    However, when I first found your script it didn't work out for me, as I use the UTM with a Home License in a very small lab environment with several vhosts with different hostnames, which all point to one single Linux server in my internal network. This made the verifying thing kind of complicated (at least for me), and using the DNS challenge was not really an option because my Hurricane Electric DNS setup was not capable of adding and deleting the needed DNS entries (at least for me :)).

    So I went on and moved all my DNS entries to another DNS provider which supports an API, and I used your script again with the DNS-01 challenge and DNS hook scripts, which worked flawlessly from scratch.

    Thx a lot for sharing your script!

    Regards,

    Doemer

  • Please forgive my lack of knowledge. I'm not sure of the syntax to find the certificate I want to replace. I can't get the certificate Reference using cc.

    Please can anyone help???

  • Hello,

    What host/domain must I use when ?

    utm-router hostname utm.Mydomain.de

    virtual webserver hostname mydomain.de

  • Use the hostname of the firewall, with a SAN of the domain as you listed it. Or the other way around. As long as both are listed you are fine.

  • Doemer,


    If you do not mind sharing, can you please let me know what DNS provider you moved to? I am currently using HE for DNS and would like to move some of my SSL based sites back behind the WAF if I could get Let's Encrypt working on my UTM.

    TIA

    Ron

  • So the only part about those instructions that I'm confused about is this:

    Set ACL; the directory to copy the ACME challenge file to. This should be the server that is serving the yourdomain.com webpages. Also create the folder on the server and test if http://yourdomain.com/.well-known/acme-challenge/ is reachable and if you can ssh from the UTM to the server. Maybe you need to add a firewall rule to allow traffic.

    ACL=('ssh:<user>@<server>:/var/www/.well-known/acme-challenge')


    How did you set this path for your firewall directly on the UTM?


    I should clarify, I'm not hosting any other websites, I just want this to secure my firewall itself (gateway.mydomain.net)
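An added example (not from the thread or the rklomp repository) of what the quoted ACL entry encodes and how a deploy step could act on it: it parses `ssh:<user>@<server>:<dir>`, refuses token names outside the character set an ACME token can contain (the token becomes a file name), and copies a constructed token file to the target. The plain-local-directory branch and the `DRY_RUN` switch are this example's own assumptions for offline testing, not features of the project's script.

```shell
#!/bin/sh
# Added example: handle an ACL entry in the form quoted above,
#   ssh:<user>@<server>:<dir>
# and deploy one HTTP-01 token file to it. A plain local directory is also
# accepted, and DRY_RUN=1 prints the scp command instead of running it; both
# are assumptions of this example, not features of the project's script.

# Split an entry into ACL_HOST (empty for a local directory) and ACL_DIR.
parse_acl() {
    case $1 in
        ssh:*) rest=${1#ssh:}; ACL_HOST=${rest%%:*}; ACL_DIR=${rest#*:} ;;
        /*)    ACL_HOST=""; ACL_DIR=$1 ;;
        *)     echo "unsupported ACL entry: $1" >&2; return 1 ;;
    esac
}

# deploy_challenge TOKEN KEYAUTH ENTRY
# Writes KEYAUTH into <dir>/TOKEN on the target and prints the destination.
# TOKEN comes from the CA and is used as a file name, so only the
# base64url characters an ACME token can contain are allowed.
deploy_challenge() {
    token=$1 keyauth=$2 entry=$3
    case $token in
        ''|*[!A-Za-z0-9_-]*) echo "refusing token name: $token" >&2; return 1 ;;
    esac
    parse_acl "$entry" || return 1
    tmp=$(mktemp) || return 1
    printf '%s' "$keyauth" > "$tmp"
    if [ -n "$ACL_HOST" ]; then
        dest="$ACL_HOST:$ACL_DIR/$token"
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "would run: scp $tmp $dest" >&2
        else
            scp -q "$tmp" "$dest" || { rm -f "$tmp"; return 1; }
        fi
    else
        dest="$ACL_DIR/$token"
        { mkdir -p "$ACL_DIR" && cp "$tmp" "$dest"; } || { rm -f "$tmp"; return 1; }
    fi
    rm -f "$tmp"
    printf '%s\n' "$dest"
}

# Constructed sample values; the key authorization is <token>.<thumbprint>.
DRY_RUN=1 deploy_challenge 'tok_ABC123' 'tok_ABC123.thumbprint' \
    'ssh:deploy@web01:/var/www/.well-known/acme-challenge'
```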

  • Hi, I just had a quick noob question.

    Is the purpose of copying the ACME challenge to .well-known/acme-challenge to make the cert renewal on my Ubuntu server work?

    I will need to update the cert on both the UTM and my webserver if I'm not mistaken, and I'm ignorant as to whether running the renew on two separate hosts will create two different certs, which will make this not work if I'm not mistaken.

    Please forgive any weird logic I'm having as I'm new to this and self-learning.

  • For some reason certbot does not want to work for me, so I'm just going to modify the script to scp the .key and .crt files directly to my Ubuntu server's cert directory.

  • SoulDragon said:

    For some reason certbot does not want to work for me, so I'm just going to modify the script to scp the .key and .crt files directly to my Ubuntu server's cert directory.

    In UTM I created a virtual webserver for https and used the certificate to pass the domain to the real webserver. The certificate is not required on the Ubuntu server. Some ISP tools however may require a certificate to work with, but that can be a self-signed one. UTM will pass the domain name to the Ubuntu server, but keeps the certificate active.