Hi,
In the announcement of 9.5 there is a part about native support for Let's Encrypt directly in the interface. Is it available under the hood, and can we activate it already, or do we have to wait for one of the next Up2Date packages?
Kind regards
Alex
Last I heard, it wasn't going to make it to 9.5.
:-(
It is the thing I need most in Sophos UTM.
James.
Unfortunately we couldn't get Lets Encrypt in 9.5, but it is on our roadmap and something we want to add for sure.
For now, we are considering Lets Encrypt mainly for WAF.
Do you want to use Lets Encrypt with WAF, or something else?
I would like to use it everywhere we have certificates (WebAdmin, WAF, User Portal, WiFi hotspot).
This would be very useful if you have a way to put it into a selection box in these dialogs, so you can use a local certificate or a Let's Encrypt one. A normal pulldown entry in the certificate selection dialog would be fine for this use.
Then it should be possible to request the certificate in the background.
Kind regards
Alex
WAF would be the most important use for me, so I'm glad you are focusing on that.
But if you could make it a system-wide feature, that would be even better, i.e. have it in the Certificate Management section, and other areas just access the LE certificate that is created and managed there.
This would be a great feature and would be at the top of my list (if I were a UTM programmer).
I try to sell these firewalls on AWS to customers. Let's Encrypt is often used in test environments, or even in production when the company is small or still a startup.
I would also like to see this implemented, primarily for WAF and the WebAdmin certificate.
Currently using a DIY solution with a Linux box and a script with dehydrated (LE tool) through a cronjob ;) It works, but it is not as nice as something integrated and maintained.
---
Sophos UTM 9.3 Certified Engineer
Thanks for the feedback all!
During the registration with Lets Encrypt, you have to prove you own the domain in question by placing a special file in a specific (externally-visible) location. The challenge is, if you're not using WAF, how will the UTM automatically expose this file externally to complete the Lets Encrypt registration?
For example, you may only want to use Lets Encrypt for WebAdmin (https://utm.company.com), but your company.com website is actually hosted & served somewhere else (not through the WAF on the UTM). If that's the case, the UTM cannot place the required file on your company.com website to complete the Lets Encrypt registration.
That's the challenge we are trying to work through, and that's why I said for Lets Encrypt we'll initially only focus on the WAF use-case.
Of course, once you create a Lets Encrypt certificate on the UTM through WAF, you can use that certificate elsewhere as well (e.g. webadmin). However we likely won't support creating a new Lets Encrypt certificate without WAF.
This is all under discussion/consideration, so any feedback you may have on this is definitely appreciated!
Let's Encrypt uses the ACME protocol, and you can also use DNS as the method for verifying ownership of the domain, so please make that an option as well. The pfSense team has an ACME package and it's really easy to set up. So please use them as inspiration for your own implementation.
Sophos UTM 9.3 Certified Engineer
Sophos UTM 9.3 Certified Architect
Sophos XG v.15 Certified Engineer
Sophos XG v.17 Certified Engineer
Sophos XG v.17 Certified Architect
Yes we have looked at their implementation, but the challenge is the UTM may not be in charge of the DNS infrastructure either.
The issue isn't about the ACME protocol, but is about how to prove ownership of the domain when WAF isn't being used.
I'd be happy to just have it for WAF. WebAdmin is optional, I guess; it's not such a "publicly" accessed site.
---
Sophos UTM 9.3 Certified Engineer
I know, but it doesn't change the fact that you could let us do the challenge by DNS, using a manual TXT record or by automating it with an API key from one of the bigger DNS providers (if the domain is hosted by them).
Sophos UTM 9.3 Certified Engineer
Sophos UTM 9.3 Certified Architect
Sophos XG v.15 Certified Engineer
Sophos XG v.17 Certified Engineer
Sophos XG v.17 Certified Architect
I automated it with a cronjob script on a Linux box; it uses the API of Cloudflare. Maybe you want to have a look as a temporary solution? I'll PM you details if wanted.
---
Sophos UTM 9.3 Certified Engineer
I have the exact same setup :) I'm just wondering why they can't give us more options when others can.
Sophos UTM 9.3 Certified Engineer
Sophos UTM 9.3 Certified Architect
Sophos XG v.15 Certified Engineer
Sophos XG v.17 Certified Engineer
Sophos XG v.17 Certified Architect
Hi Kenneth,
You might check in Ideas to see if there's already such a suggestion or make one there and then come back here and share a link to it. Griping here is a waste of energy.
Cheers - Bob
I've already voted!
Thanks for the suggestion Bob.
You can use DNS without having it control DNS. It just takes a few extra steps for the end user. I have several servers that I have to do this with, and all I have to do is add the required update to my DNS server and wait a few minutes for it to populate. Once that is done, I am able to have the certificates issued. This might be one way to implement it for all areas of the UTM.
This is just my 2 cents.
Thanks,
Eddie
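The two proofs of domain control discussed in this thread (the file the Sophos reply says must be placed at an externally visible location, which is the ACME HTTP-01 challenge, and the DNS TXT record Kenneth and Eddie describe, which is DNS-01) are both derived from the same value: the challenge token joined to the thumbprint of the ACME account key. The following script is an added example and is not code from this thread, from Sophos, or from the dehydrated or pfSense projects. It builds the HTTP-01 response body and the DNS-01 TXT record as RFC 8555 specifies them, and includes the check a CA would perform on the served HTTP-01 body. The account key is a constructed sample JWK (not a real RSA modulus) used only so the thumbprint computation has something to hash.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def sha256_b64url(data: bytes) -> str:
    """SHA-256 digest, base64url-encoded (used for DNS-01 record values)."""
    return b64url(hashlib.sha256(data).digest())


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: hash only the required members, keys sorted,
    no whitespace. Extra members such as 'alg' or 'kid' must not change it."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return sha256_b64url(canonical.encode("ascii"))


def key_authorization(token: str, account_jwk: dict) -> str:
    """token '.' thumbprint, the value both challenge types are built from."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_response(token: str, account_jwk: dict) -> tuple[str, str]:
    """Path the CA fetches over port 80 and the exact body it expects.
    This is the 'special file' the UTM must expose, which is why the reply
    above ties it to WAF: the UTM has to answer for the host being validated."""
    return ("/.well-known/acme-challenge/" + token,
            key_authorization(token, account_jwk))


def dns01_txt(domain: str, token: str, account_jwk: dict) -> tuple[str, str]:
    """TXT record name and value for DNS-01. The value is a hash, so the
    account key itself is never published in DNS. Only DNS write access is
    needed, not an HTTP listener on the domain."""
    return ("_acme-challenge." + domain,
            sha256_b64url(key_authorization(token, account_jwk).encode("ascii")))


def verify_http01(served_body: str, token: str, account_jwk: dict) -> bool:
    """What the CA checks: the served body, with trailing whitespace removed,
    must equal the key authorization for this account and token."""
    return served_body.rstrip() == key_authorization(token, account_jwk)


# Constructed sample account key: shaped like an RSA JWK, but 'n' is not a
# real modulus. Thumbprint computation only needs the encoded members.
SAMPLE_ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": b64url(b"constructed-sample-modulus-not-a-real-key"),
    "alg": "RS256",  # optional member; must not affect the thumbprint
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed

if __name__ == "__main__":
    path, body = http01_response(SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK)
    print("HTTP-01: serve", repr(body), "at", path)
    name, value = dns01_txt("utm.company.com", SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK)
    print("DNS-01: publish TXT", name, "=", value)
    print("CA check on served body:", verify_http01(body + "\n", SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK))
```

For the WebAdmin-only case from the Sophos reply (utm.company.com handled by the UTM, company.com hosted elsewhere), `dns01_txt` shows why the DNS route keeps coming up: the proof is a single TXT record under `_acme-challenge.utm.company.com`, which Eddie's manual step or an API-driven update can publish without the UTM ever serving HTTP for that name. Note that the `rstrip()` in `verify_http01` mirrors the CA's tolerance for a trailing newline only; any other change to the body fails validation.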