Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.
Table of Contents:
- Overview
- ZTNA Online Help
- Release Notes
- Recap of Let's Encrypt
- How does it work in ZTNA?
- Notes and FAQ:
- Common issues and troubleshooting
- Related Information
Overview:
Sophos ZTNA requires a wildcard certificate covering the whole domain it is deployed on, for example *.domain.com.
To keep customer deployments simple and remove the need to buy a wildcard certificate, Sophos ZTNA offers a built-in way to obtain and use a wildcard certificate from Let's Encrypt.
ZTNA Online Help
https://docs.sophos.com/central/ZTNA/startup/en-us/setup/GetCertificateLetsEncrypt/index.html
Release Notes
Recap of Let's Encrypt
Let's Encrypt offers two challenge types: DNS and HTTP. https://letsencrypt.org/docs/challenge-types/
The HTTP challenge is the one known from SFOS/UTM; it validates a single hostname and cannot issue a wildcard certificate.
The DNS challenge can issue a wildcard certificate for the entire domain. Validation is done through a TXT record on the domain being validated (_acme-challenge.customer.com).
How does it work in ZTNA?
Please read the Let's Encrypt documentation first: https://letsencrypt.org/how-it-works/
Sophos ZTNA uses the DNS challenge, but with CNAME delegation (https://letsencrypt.org/docs/challenge-types/): instead of the customer publishing the validation TXT record, _acme-challenge.customer.com is a CNAME pointing at a name that Sophos controls, and Sophos publishes the TXT record there each time the certificate is issued or renewed.
The customer performs a single DNS change (creating one CNAME record) and it keeps working indefinitely: Sophos renews the certificate and replaces it on ZTNA automatically.
In short: the customer needs access to their DNS provider once, to create the CNAME.
Notes and FAQ:
Sophos ZTNA does not need any access to the customer's DNS provider (no API credentials or similar).
Sophos ZTNA LE needs only one CNAME record in DNS, so every DNS provider is supported.
Because the CNAME occupies _acme-challenge.customer.com, the customer can no longer publish their own TXT record at that name. In practice this means other ACME clients such as Lego or certbot can no longer complete a DNS challenge for that domain.
Sophos ZTNA LE does not interfere with the way SFOS / UTM obtain their certificates. As a customer you can have HTTP challenges and DNS challenges in use at the same time.
The Sophos ZTNA LE certificate and its private key cannot be exported from ZTNA for use on other devices. If you need a certificate for one specific hostname, generate it on the firewall (HTTP challenge). In theory the _acme-challenge delegation could be reused after a ZTNA renewal, but this is technically involved.
Common issues and troubleshooting:
Most reported issues came down to a TXT record having been created at _acme-challenge.customer.com instead of the required CNAME. Done correctly, the process is straightforward.
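The following is an added example, not code from the article or from Sophos, showing how a CA validates a DNS-01 challenge when _acme-challenge is delegated via CNAME, and why a TXT record created in place of the CNAME fails. All DNS data is constructed; the delegation target zone, token and thumbprint are placeholder values.

```python
import base64
import hashlib

# Constructed example values: the CA issues a token per challenge, the
# thumbprint identifies the ACME account key.  The delegation target is a
# placeholder zone, not a real Sophos name.
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
THUMBPRINT = "9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI"
DELEGATION_TARGET = "ztna-tenant-0001.acme.example-ztna.invalid"

def key_authorization_digest(token: str, thumbprint: str) -> str:
    """DNS-01 TXT value: base64url(SHA-256(token "." thumbprint)) without padding."""
    digest = hashlib.sha256(f"{token}.{thumbprint}".encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def resolve_txt(name: str, zone: dict, max_hops: int = 8) -> list:
    """Follow CNAMEs the way a resolver does, then return TXT values at the final name."""
    for _ in range(max_hops):
        rrs = zone.get(name, {})
        if "CNAME" in rrs:
            name = rrs["CNAME"]  # a CNAME owner name carries no other record types
            continue
        return rrs.get("TXT", [])
    raise RuntimeError("CNAME chain too long")

def validate_dns01(domain: str, zone: dict) -> bool:
    """What the CA does: query _acme-challenge.<domain> and expect the digest in a TXT record."""
    expected = key_authorization_digest(TOKEN, THUMBPRINT)
    return expected in resolve_txt(f"_acme-challenge.{domain}", zone)

def correct_setup() -> bool:
    """Customer created the single CNAME; the provider publishes the TXT at the target."""
    zone = {
        "_acme-challenge.customer.com": {"CNAME": DELEGATION_TARGET},
        DELEGATION_TARGET: {"TXT": [key_authorization_digest(TOKEN, THUMBPRINT)]},
    }
    return validate_dns01("customer.com", zone)

def txt_instead_of_cname() -> bool:
    """The common mistake: the target name was pasted into a TXT record where the CNAME belongs.
    The provider's TXT is never reached, so validation fails even though it was published."""
    zone = {
        "_acme-challenge.customer.com": {"TXT": [DELEGATION_TARGET]},
        DELEGATION_TARGET: {"TXT": [key_authorization_digest(TOKEN, THUMBPRINT)]},
    }
    return validate_dns01("customer.com", zone)

if __name__ == "__main__":
    print("CNAME delegation validates:", correct_setup())            # True
    print("TXT instead of CNAME validates:", txt_instead_of_cname())  # False
```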
Related Information:
ZTNA LE Online Help: https://docs.sophos.com/central/ZTNA/startup/en-us/setup/GetCertificateLetsEncrypt/index.html
Let's Encrypt - How it works: https://letsencrypt.org/how-it-works/
Let's Encrypt - Challenge Types: https://letsencrypt.org/docs/challenge-types/
[edited by: Raphael Alganes at 1:43 PM (GMT -8) on 16 Jan 2025]