Let's encrypt on WAF and internal Servers

Hi Folks,


Just for information: I've been using UTM 9.5 with Let's Encrypt and WAF for some time now, using the scripts and manual found here.

Now that it will be natively supported in 9.6, there are some things which I'm worried about.

  • I only have one external IP address
  • I'm using certificates on WAF for external access
  • I'm using certificates directly on my internal webservers with internal DNS resolution to the external use
  • I have several site-path rules to get an ACME challenge accepted
  • everything works fine with the current configuration

As I saw, I have to bind Let's Encrypt to an interface on port 80. As I remember, this would then be exclusively available for the ACME challenge, and I cannot use port 80 as a virtual server under WAF.
So, as I think, I cannot use Let's Encrypt on the internal servers to do the ACME challenge, as I cannot forward the HTTP request to these servers.


Can you confirm my thoughts about the problems I could face?


Thanks

Carsten

  • You can request a LE certificate from the UTM with ALL your certificates in it and then configure that LE certificate for all your virtual hosts. That way there's no need for LE's servers to directly access your webservers behind UTM.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • I know that I can use the UTM for all my internal servers.

    But I want my internal servers to be available internally with their external addresses, so I don't need to contact the WAF internally. And for this I need my internal servers to have an SSL certificate as well. For this I also use Let's Encrypt on the servers internally.

    Due to this I need my internal servers to get the ACME challenge as well, which means I need port 80 to be distributed to the internal servers and not only the UTM to answer.


    Bye

    Carsten
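A pre-flight check for the situation discussed in this thread, added here as an illustration and not code from the original post or from Sophos: it requests the same HTTP-01 token from the internal server directly and through the WAF's external IP, and reports whether port 80 for that host is being forwarded to the backend or answered by something else. Hostnames, IP addresses and the JWK are constructed placeholders.

```python
import base64
import hashlib
import json
import urllib.request

ACME_PATH = "/.well-known/acme-challenge/"


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 key authorization: token + "." + base64url(SHA-256(JWK thumbprint)).
    jwk must hold only the RFC 7638 required members (kty/n/e for RSA)."""
    canon = json.dumps({k: jwk[k] for k in sorted(jwk)}, separators=(",", ":"))
    digest = hashlib.sha256(canon.encode()).digest()
    return token + "." + base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def http_get(ip: str, host: str, path: str, timeout: float = 5.0) -> str:
    """Plain-HTTP GET to a specific IP with an explicit Host header: this is how the
    ACME server reaches the challenge (TCP to the A record, Host = validated name)."""
    req = urllib.request.Request(f"http://{ip}{path}", headers={"Host": host})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()


def diagnose(host, token, expected, external_ip, internal_ip, get=http_get):
    """Fetch the token via the WAF's external IP and via the backend itself and explain
    which leg fails. Returns ({"via_waf": bool, "direct": bool}, verdict)."""
    path = ACME_PATH + token
    body = {}
    for view, ip in (("via_waf", external_ip), ("direct", internal_ip)):
        try:
            body[view] = get(ip, host, path).strip()
        except Exception:  # connection refused, timeout, HTTP error: all count as no answer
            body[view] = None
    ok = {view: b == expected for view, b in body.items()}
    if ok["via_waf"]:
        verdict = "ok: backend token reachable on port 80 through the WAF"
    elif not ok["direct"]:
        verdict = "internal server is not serving the token; fix its ACME client first"
    elif body["via_waf"] is None:
        verdict = "port 80 not forwarded for this host: no site-path rule reaches the backend"
    else:
        verdict = "port 80 answered by something else (e.g. the UTM's own ACME handler)"
    return ok, verdict
```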