
Comments (8)

mattohm commented on May 26, 2024

https://community.sophos.com/kb/en-us/132940
It's now a supported feature.

from sophos-utm-letsencrypt.

mattohm commented on May 26, 2024

I was able to get it working by creating /var/sec/chroot-httpd/etc/httpd/vhost/httpd-cert.conf with the following:
Listen *:80
<VirtualHost *:80>
DocumentRoot /var/www
SSLEngine off

    <Location />
        Order Deny,Allow
        Deny from All
        Allow from 0.0.0.0/0
    </Location>
Then mkdir /var/sec/chroot-httpd/var/www/.well-known/ and mkdir /var/sec/chroot-httpd/var/www/.well-known/acme-challenge
Then set the ACL of your domain to ACL=('/var/sec/chroot-httpd/var/www/.well-known/acme-challenge')
Also need to create a firewall rule to allow port 80 to the firewall.


EdgarTorresNYC commented on May 26, 2024

I just had a major scare! I tried following the steps above, to create the challenge site, but I must've done something wrong, because the moment I restarted the UTM, I lost access to all portals, and I lost all external connectivity to the outside world. Luckily, I still had SSH access.

I also got really lucky that deleting the /var/sec/chroot-httpd/var/www tree and /var/sec/chroot-httpd/etc/httpd/vhost/httpd-cert.conf file allowed everything to start normally! I thought I was going to be in for a long night, restoring the UTM.

@mattohm, what version of the UTM are you running? You're saying that you are able to successfully get a Let's Encrypt cert for your UTM portal(s)? Would you mind sharing all necessary httpd-cert.conf entries and associated firewall rule(s)?

I don't care too much about getting an LE cert for the webadmin portal, but I would really like to get one for the user portal. I'm running UTM 9.503-4.

Best regards...


mattohm commented on May 26, 2024

I'm currently at 9.503-4 but I've been running like this for well over a year. You can reload the httpd with "/etc/rc.d/httpd restart" instead of rebooting.
The firewall rule I have is any > http > external address
Make sure that none of your portals/web servers are running on port 80.
My entire httpd-cert.conf:

Listen *:80
<VirtualHost *:80>
    DocumentRoot /var/www
    SSLEngine off
    DirectoryIndex index.html

    <Location />
        Order Deny,Allow
        Deny from All
        Allow from 0.0.0.0/0
    </Location>


mattohm commented on May 26, 2024

Better yet, start it using:
chroot /var/sec/chroot-httpd /bin/httpd -f /etc/httpd/httpd.conf -e debug -k restart
to show startup errors.


zackoch commented on May 26, 2024

You need to make sure you close the VirtualHost tag or httpd will fail to start:
Listen *:80
<VirtualHost *:80>
    DocumentRoot /var/www
    SSLEngine off
    DirectoryIndex index.html

    <Location />
        Order Deny,Allow
        Deny from All
        Allow from 0.0.0.0/0
    </Location>
</VirtualHost>


scottsisco commented on May 26, 2024

Hi guys,

The fix outlined in this thread totally works except in one respect. It breaks http to https redirects with web-server protection, because port 80 is configured in the httpd-cert.conf. The https-only option works without a problem. However, I would really like there to be a port 80 to port 443 redirect in place. Is there a way to fix this?

If not, I think I need to write a bash script with the following logic and place it in /etc/crontab-static:

  1. Create the /var/sec/chroot-httpd/etc/httpd/vhost/httpd-cert.conf with the following contents

Listen *:80
<VirtualHost *:80>
    DocumentRoot /var/www
    SSLEngine off
    DirectoryIndex index.html

    <Location />
        Order Deny,Allow
        Deny from All
        Allow from 0.0.0.0/0
    </Location>
</VirtualHost>

  2. Restart httpd
  3. Update my Let's Encrypt certs
  4. Remove /var/sec/chroot-httpd/etc/httpd/vhost/httpd-cert.conf
  5. Restart httpd

Thanks!

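As an added example (not code from the sophos-utm-letsencrypt project or from anyone in this thread), here is a POSIX sh wrapper that implements the five-step logic above: it writes the port-80 challenge vhost into the httpd chroot, checks that every section in the file is closed (the mistake discussed earlier in the thread), runs httpd's own syntax check before restarting, runs the renewal, and removes the vhost again on exit no matter how the renewal ends. It assumes the chroot, vhost path and challenge directory given in the thread; `httpd -t` is the standard Apache syntax-check flag; the renewal command itself is left as a placeholder function you replace with your own.

```shell
#!/bin/sh
# Added example: temporary port-80 challenge vhost for certificate renewal on
# a Sophos UTM httpd chroot. Not the project's code; paths are from the thread.

CHROOT="${CHROOT:-/var/sec/chroot-httpd}"           # from the thread
CONF_REL="/etc/httpd/vhost/httpd-cert.conf"          # from the thread
ACME_DIR_REL="/var/www/.well-known/acme-challenge"   # from the thread

# Placeholder (assumption): replace the body with your real renewal command.
renew_certs() {
    echo "PLACEHOLDER: run your Let's Encrypt renewal here" >&2
    return 0
}

# Write the challenge vhost. Same directives as in the thread, including the
# Location block and the closing </VirtualHost> that httpd refuses to start
# without.
write_cert_conf() {
    cat > "$1" <<'EOF'
Listen *:80
<VirtualHost *:80>
    DocumentRoot /var/www
    SSLEngine off
    DirectoryIndex index.html

    <Location />
        Order Deny,Allow
        Deny from All
        Allow from 0.0.0.0/0
    </Location>
</VirtualHost>
EOF
}

# Cheap guard against the unclosed-section mistake: every <VirtualHost>,
# <Location> and <Directory> opened in the file must also be closed.
# Returns 0 when balanced, 1 otherwise.
check_sections_closed() {
    for tag in VirtualHost Location Directory; do
        opens=$(grep -c "^[[:space:]]*<$tag[ />]" "$1" || true)
        closes=$(grep -c "^[[:space:]]*</$tag>" "$1" || true)
        [ "$opens" -eq "$closes" ] || return 1
    done
    return 0
}

# Restart httpd inside the chroot as suggested above, but only after a syntax
# check, so a broken file cannot take the portals down.
httpd_restart() {
    chroot "$CHROOT" /bin/httpd -f /etc/httpd/httpd.conf -t || return 1
    chroot "$CHROOT" /bin/httpd -f /etc/httpd/httpd.conf -e debug -k restart
}

# Steps 4 and 5: drop the vhost and bring the normal config back, which also
# restores the http-to-https redirect.
remove_cert_conf() {
    rm -f "$CHROOT$CONF_REL"
    httpd_restart
}

# Steps 1 to 3, with removal guaranteed on any exit (error or signal).
renew_with_challenge_vhost() {
    trap remove_cert_conf EXIT INT TERM
    mkdir -p "$CHROOT$ACME_DIR_REL"
    write_cert_conf "$CHROOT$CONF_REL"
    check_sections_closed "$CHROOT$CONF_REL" || {
        echo "httpd-cert.conf has an unclosed section, not restarting httpd" >&2
        return 1
    }
    httpd_restart || return 1
    renew_certs
}

# Run the real procedure only when asked, so the file can also be sourced just
# to check an existing httpd-cert.conf with check_sections_closed.
if [ "${RUN_RENEWAL:-0}" = "1" ]; then
    renew_with_challenge_vhost
fi
```

Scheduled from /etc/crontab-static as the post proposes, this keeps the port-80 vhost in place only for the seconds the renewal takes, so the `Allow from 0.0.0.0/0` listener (and the broken redirect) is not left exposed between renewals.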

scottsisco commented on May 26, 2024

I did not know that! Thanks

Update: The 9.6 update is still only available via FTP. I'm a bit nervous to update until it shows up in the up2date section of the UTM based on the comments here.

https://community.sophos.com/products/unified-threat-management/b/utm-blog/posts/utm-up2date-9-600-released

