SMA 210 and Let's Encrypt issue
Wondering if there is a KB that details the Let's Encrypt process? The only info I see is in the firmware release notes.
When I try to generate an SSL cert from Let's Encrypt, I get a failed to generate message. In the acme.sh.log file, I see it trying to connect but the verification from Let's Encrypt fails. I see the following line:
"[Fri Jun 12 08:47:40 EDT 2020] myexternalwebsite:Verify error:Fetching http://myexternalwebsite:/.well-known/acme-challenge/LongKey. -Timeout during connect (likely firewall problem)"
Current SMA 210 with newest firmware in LAN mode.
I have a TZ500 with newest firmware and use the Public Server wizard to create access to the SMA210 (for port 443 only). Public DNS point
I have multiple portals that use virtual hosts.
Portal A has xxx.xxx.xxx.67 that NATs to 192.xxx.xxx.11
Portal B has xxx.xxx.xxx.69 that NATs to 192.xxx.xxx.12
I added HTTP to my SSL-VPN services in the TZ500 rules but I still get the error.
Anyone have any clues?
Best Answer
shiprasahu93 Moderator
Hello @BrianM,
Unfortunately, I could not find any SonicWall KBs, but these links should be helpful.
The following is a link to information on Let’s Encrypt and how it works for your review.
Let’s Encrypt and SonicWall:
As per your description it looks like all the necessary configuration is in place.
We might need to perform a packet capture on TZ 500 to investigate further. It would be best to reach out to support for in-depth investigation.
Thanks!
Shipra Sahu
Technical Support Advisor, Premier Services
Answers
Thank you for the reply. I found those same documents and figured I would try here before contacting support.
I will do a little more poking around and if I cannot find anything, I will create a new case.
Thanks again.
Sure, Brian. Let us know how it goes. I am also curious to know what is the root cause of this issue. 😄
Shipra Sahu
Technical Support Advisor, Premier Services
Vijay Kumar KV
Enterprise Tech Support Consultant | SME
Validity is 90 days.
It should renew it, and I think we have auto-renew as well. This is supported from 10.2.x onwards.
Vijay Kumar KV
Enterprise Tech Support Consultant | SME
We added new information in the 10.2 Admin Guide.
Vijay Kumar KV
Enterprise Tech Support Consultant | SME
Vijay,
Do you have a link to the 10.2 Admin guide? I only found the SMA 10.2 Feature and Upgrade docs. I only see the 10.0 Admin guide (I searched "Let's Encrypt") but nothing was found on Let's Encrypt.
@BrianM,
I could find a section called 'Generating Certificates Using Let's Encrypt' in the 10.2 feature guide. I think that should have answers you are looking for.
Thanks!
Shipra Sahu
Technical Support Advisor, Premier Services
@BrianM The 10.2.0.0 Admin Guide is under internal review. We are working to get it posted as soon as possible.
@Simon
Thank you very much. If you could give a little more technical detail on the Let's Encrypt process, that would be great.
Like I mentioned in my original post, I have mine setup in LAN mode and in DMZ mode. I do allow 443 and 80 from my TZ500 to my SMA210 through but the log tells me that it might be a firewall issue.
@BrianM the key thing is that the FQDN resolves correctly in the public DNS. When Let's Encrypt tries to validate that you own the domain, the Virtual Host entry for the Portal must match exactly the certificate request to Let's Encrypt. They have to see the correct response from the domain in the certificate signing request on port 80, e.g. vpn.example.com:80 as resolved to an IP address in the public DNS.
@BrianM You must have a public DNS record to prove you are the owner of that domain.
You should have at least one portal virtual host domain name that matches the public DNS record. Then use that portal to submit the certificate request.
It won't work if your FQDN doesn't match or cannot be resolved publicly.
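The two replies above describe what the CA's validator actually does for an HTTP-01 challenge: resolve the FQDN in public DNS, connect to that address on port 80, fetch `/.well-known/acme-challenge/<token>`, and compare the body with the key authorization derived from the ACME account key. The script below is an added example (not SonicWall or acme.sh code) that models those steps offline and also parses the `Verify error` line quoted in the first post, so the "Timeout during connect" reason maps to the step that failed. DNS and HTTP are passed in as callables; the names `PUBLIC_DNS`, `166.0.0.69`, `ssl.mydomain.com`, the sample account key and the log-line regex are all constructed for the example. Treating an empty port in the logged URL as port 80 is an assumption (HTTP-01 is defined on port 80). Swap the two fakes for a real resolver and an HTTP client to use it as a pre-flight before clicking Generate on the SMA.

```python
import base64
import hashlib
import json
import re
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Every HTTP-01 validation fetches this path over plain HTTP on port 80 (RFC 8555 section 8.3).
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

# Shape of the acme.sh line quoted in the thread (regex is an assumption based on that one line).
VERIFY_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<domain>\S+?):Verify error:"
    r"Fetching (?P<url>\S+?)\.?\s+-(?P<reason>.+)$"
)


def parse_verify_error(line: str) -> Optional[dict]:
    """Extract timestamp, host, port, token and failure reason from an acme.sh verify-error line."""
    m = VERIFY_RE.match(line.strip())
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    host, _, port = parts.netloc.partition(":")   # the logged URL has 'host:' with an empty port
    token = parts.path[len(CHALLENGE_PREFIX):] if parts.path.startswith(CHALLENGE_PREFIX) else None
    return {
        "timestamp": m.group("ts"),
        "domain": m.group("domain"),
        "host": host,
        "port": int(port) if port else 80,         # assumption: empty port means the HTTP-01 default, 80
        "token": token,
        "reason": m.group("reason").strip(),
        "firewall_suspected": "Timeout during connect" in m.group("reason"),
    }


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canon = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(canon.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def key_authorization(token: str, account_jwk: dict) -> str:
    """Body the CA expects at the challenge URL: token '.' thumbprint of the ACME account key."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


Resolver = Callable[[str], Optional[List[str]]]            # fqdn -> public IPs (None/[] if unresolved)
Fetcher = Callable[[str, int, str], Tuple[int, str]]        # (ip, port, url) -> (status, body) or TimeoutError


def check_http01(fqdn: str, token: str, expected_body: str, resolve: Resolver, fetch: Fetcher,
                 nat_public_ip: Optional[str] = None) -> str:
    """Replay the validator's steps in order and report the first one that fails."""
    ips = resolve(fqdn)
    if not ips:
        return f"FAIL dns: {fqdn} has no public A/AAAA record"
    if nat_public_ip and nat_public_ip not in ips:
        return f"FAIL dns: {fqdn} resolves to {ips}, not the NAT public IP {nat_public_ip}"
    url = f"http://{fqdn}{CHALLENGE_PREFIX}{token}"
    try:
        status, body = fetch(ips[0], 80, url)      # validator always uses port 80, never 443
    except TimeoutError:
        return f"FAIL net: connect timeout to {ips[0]}:80 (inbound HTTP not reaching the SMA: NAT/access rule)"
    if status != 200:
        return f"FAIL http: {status} for {url} (another host answered, or HTTP was redirected to HTTPS)"
    if body.strip() != expected_body:
        return "FAIL body: key authorization mismatch (a different portal or virtual host answered)"
    return "OK"


# --- constructed scenario mirroring the thread: NAT for 443 only, then port 80 added ---
PUBLIC_DNS = {"ssl.mydomain.com": ["166.0.0.69"]}          # constructed, not real data
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",                  # sample public key values, constructed
               "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
               "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
TOKEN = "LongKey"
EXPECTED = key_authorization(TOKEN, ACCOUNT_JWK)


def make_fetch(open_ports: Dict[Tuple[str, int], Tuple[int, str]]) -> Fetcher:
    """Fake network: any (ip, port) not in the table behaves like a firewall drop (connect timeout)."""
    def fetch(ip: str, port: int, url: str) -> Tuple[int, str]:
        if (ip, port) not in open_ports:
            raise TimeoutError
        return open_ports[(ip, port)]
    return fetch


def scenario_443_only() -> str:
    """Public Server wizard opened 443 only: the challenge on 80 never reaches the SMA."""
    return check_http01("ssl.mydomain.com", TOKEN, EXPECTED, PUBLIC_DNS.get,
                        make_fetch({("166.0.0.69", 443): (200, EXPECTED)}), "166.0.0.69")


def scenario_80_added() -> str:
    """Same host with inbound 80 NATed to the portal that holds the token."""
    return check_http01("ssl.mydomain.com", TOKEN, EXPECTED, PUBLIC_DNS.get,
                        make_fetch({("166.0.0.69", 80): (200, EXPECTED)}), "166.0.0.69")


if __name__ == "__main__":
    print(parse_verify_error("[Fri Jun 12 08:47:40 EDT 2020] myexternalwebsite:Verify error:"
                             "Fetching http://myexternalwebsite:/.well-known/acme-challenge/LongKey."
                             " -Timeout during connect (likely firewall problem)"))
    print("443 only :", scenario_443_only())
    print("80 added :", scenario_80_added())
```

The ordering of the checks is the point: a DNS mismatch, a dropped connection on 80, a wrong host answering, and a body from the wrong portal each fail at a different step, and acme.sh's "Timeout during connect" corresponds to the second one, which is why a rule that permits 443 alone is not enough.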
If I ping ssl.mydomainname.com it does resolve to the correct Public IP. This domain name has it own IP.
Inside the SMA, Portals -> ssl.mydomain.com -> Virtual Host tab is the Internal IP address(192.168.XXX.12). My firewall NATs Public IP (HTTP,HTTPS) to Internal IP.
Does the external IP need to be on the Virtual Host tab?
The FQDN needs to be in the Virtual Hosts tab, the same one that connects to the SMA from the public network.
My bad. I was not clear enough.
Virtual Host Domain Name = ssl.mydomain.com
Virtual Host IP Address = 192.168.xxx.12 (Internal) - Should this be the external address?
Firewall allows HTTP/HTTPS and NATs from 166.xxx.xxx.69 (ssl.mydomain.com resolves to this address fine) to 192.168.xxx.12
The Virtual Host IP Address field need not be filled out on the Portals / Portals / Edit Portal / Virtual Host tab. This is typically left blank.
The Virtual Host IP Address field is only used if you selected a Virtual Host Interface. If your SMA is installed as recommended there is only one active interface (X0), so this is not typically used.
If it were used, it would be the IP address the portal is accessed on - from the point of view of the SMA, not the internet.
My rule of thumb ... Don't add complexity where it is not needed.
I believe it was setup like this because I have 3 portals but this specific portal has a different domain name than the first two portals and it requires its own Virtual Host certificate. So on the Virtual Host tab, I had to choose X0 Interface, enter IP address and that allowed me to select a separate Virtual Host Cert. This was setup many years ago.