Let's Encrypt on WAF and internal servers

Hi Folks,

 

Just for information, I've been using UTM 9.5 with Let's Encrypt and WAF for some time now, using the scripts and manual found here.

Now that it will be natively supported in 9.6, there are some things I'm worried about.

  • I only have one external IP address
  • I'm using certificates on WAF for external access
  • I'm using certificates directly on my internal webservers with internal DNS resolution to the external use
  • I have several site-path-rules to get an acme challenge acceptance
  • everything works fine with the current configuration

I saw that I have to bind Let's Encrypt to an interface with port 80. As I remember, this would be exclusively available for the ACME challenge, and I cannot use port 80 as a virtual server under WAF.
So I think I cannot use Let's Encrypt on the internal servers to do the ACME challenge, as I cannot forward the HTTP request to these servers.

 

Can you confirm my thoughts about the problems I could face?

 

Thanks

Carsten

  • Hey Carsten,

    I have the same problem as you. Did you solve this? Right now we generate the LE certs on the webservers and upload them to the WAF. We also access our internal servers directly, with the public DNS pointing to the internal IP.

    It would be nice to generate the certs on the SG and then download them to the webservers.

    What did you end up doing?

  • all4it said:

    ...

    What did you end up doing?

     
    Well, as  told me that port 80 will only be used for a short amount of time during the challenge check, I'm using different certificates on my webservers and on my UTM.

    On the webservers, the certificates are generated through some automation scripts I found throughout the internet.
    As I'm using WAF for all my servers behind my Sophos, there is a site-path route on port 80 for the ACME challenge to the servers.
    My UTM creates the certificates for the WAF virtual servers natively, configured over WebAdmin.

    In my opinion there seems to be no problem, as all servers use HTTPS and HTTP is only used for the ACME challenge.
    As the local web server certificates are generated asynchronously to the UTM, there should not be any overlap in renewing.
  • Carsten Schild said:
    In my opinion there seems to be no problem, as all servers use HTTPS and HTTP is only used for the ACME challenge.
    As the local web server certificates are generated asynchronously to the UTM, there should not be any overlap in renewing.

    Wellll..... Hi Carsten... this was a very helpful and interesting hint you gave us here! Seriously, I almost couldn't sleep at night because I wanted to find a solution for that problem. This is by far the easiest way to handle that problem. Probably too easy for us! So I checked with Let's Encrypt (https://letsencrypt.org/docs/rate-limits/) and indeed it is no problem to "asynchronously" register certificates with the same name. I would have thought they would revoke the old one, but they don't. So we are testing this right now, also with a port 80 site-path routing like you do!

    Thanks again, very helpful!!!
