
[HOWTO] Let's Encrypt

Hi all,

I have got a fully working Let's Encrypt setup for multiple domains of my Web Application Firewall on my Sophos UTM 9.4!

On GitHub I have written a manual on how to set it up on your UTM as well. Currently it has a few manual steps to set it up, but I might script this in the future as well.

https://github.com/rklomp/sophos-utm-letsencrypt

Comments, questions and improvements are welcome! And please leave a message if you have got it working as well.

Have fun!

René



  • I made a script that utilizes dehydrated + DNS challenge for getting the certs via a Linux box (I use a Docker instance). This one connects via SSH, puts the files on the Sophos and cleans up after itself, so no need to install or modify anything on the Sophos really.

    https://github.com/Optic00/utm_le_updater

    It's pretty much hack'n'slay put together but works fine so far. You'll need some basic knowledge of Linux and I can't provide support, but it's fully automated and doesn't require a running webserver due to DNS (you need a DNS service with an API; I use Cloudflare).

    ---

    Sophos UTM 9.3 Certified Engineer

  • How do I get the cc command working? Am I correct in typing cc in the UTM terminal? I always get "bash: cc: command not found".

    Also, is it possible to use a Let's Encrypt certificate for the UTM itself, for the user interface?

  • Max, you must be logged in as root.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Alone among the logs, the Firewall Live Log presents abbreviated information in a format easier to read quickly.  Usually, you can't troubleshoot without looking at the corresponding line from the full Firewall log file.  Please post the line corresponding to that above.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Seems like creating a chroot to serve the various required ACME challenges for your domains would be a nice addition to this. Just set a folder path for your virtual sites for the well-known ACME challenge requests to route to the UTM real web server set up for that domain's challenge. That way there wouldn't be any need to mess with network mounts/SSH, etc.

    The only thing I'm not sure about with such an approach, though, is whether the web server protection module would actually be able to handle such a task. I say this because I tried once to set up a virtual web server for the UTM web admin site itself, thus allowing me to point utm.domain.com to the UTM web admin site (obviously not secure, yeah, but that's not the point I'm making here). The idea was to let me hit the admin site via 443 while still being able to have other sites rerouted through the UTM as well. Problem is, I noticed in the logs the redirect internally was to the local loopback address, and the UTM web admin settings don't let you allow local loopback as an allowed interface to connect to it. Thus I suspect trying to do the same for ACME challenges might run into the same challenge, so perhaps a secondary web server on an internal VM somewhere could point back to the UTM address/port for serving up the response for that domain.

    Thoughts?

    EDIT: Ahhh, DNS-01 challenges were the key.

  • Has anyone tried this on SFOS 16.05, or is this strictly a UTM v9.x solution?

  • I have spent many hours on this. First I would use a wildcard, but I noticed it's not (yet) supported.

    So, first I will use only the cert for "sub.domain.de".

    If I edit the domain config, in my case to "ACL=('ssh:administrator@sub.domain.de:/var/www/html/.well-known/acme-challenge')",

    the script would connect to the public IP instead of the webserver behind the WAF.

    The same with "ssh-copy-id <user>@<server>",

    so I have to use the "internal" IP of the webserver behind the WAF -> ssh-copy-id administrator@192....

    Is it possible to use the IP for ACL=? If I use the IP in the ACL, I get an error: getssl: problem copying file to the server using scp.
        scp /root/.getssl/sub.domain.de/tmp/... administrator@192....:/var/www/html/.well-known/acme-challenge/...

    With "ssh -i /root/ssh_key_file administrator@192...." I can connect to the webserver behind the WAF.


  • Hi,

    I am using the UTM at home and I would like to use it as a reverse proxy.

    One of my servers is a Windows server. I am currently using Let's Encrypt to have a certificate on it.

    I am blocked at ACL=('ssh:<user>@<server>:/var/www/.well-known/acme-challenge')

    Is it possible to store the file directly on the UTM?

    Thanks,

    Laurent.

  • Any way to get this updated to work with ACMEv2 and wildcard support?

  • I switched to a Linux box (Docker) with dehydrated and upload the certs via SSH. I'm also pushing those certs to other appliances (like Palo Alto).

    I am working on a manual, but it already supports wildcard certs (via dehydrated).

    ---

    Sophos UTM 9.3 Certified Engineer