Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

SMA 210 and Let's Encrypt issue

Wondering if there is a KB that details the Let's Encrypt process? The only info I see is in the firmware release notes.

When I try to generate an SSL cert from Let's Encrypt, I get a failed to generate message. In the acme.sh.log file, I see it trying to connect but the verification from Let's Encrypt fails. I see the following line:

"[Fri Jun 12 08:47:40 EDT 2020] myexternalwebsite:Verify error:Fetching http://myexternalwebsite:/.well-known/acme-challenge/LongKey. -Timeout during connect (likely firewall problem)"

Current SMA 210 with newest firmware in LAN mode.

I have a TZ500 with newest firmware and use the Public Server wizard to create access to the SMA210 (for port 443 only). Public DNS point

I have multiple portals that use virtual hosts.

Portal A has xxx.xxx.xxx.67 that NATs to 192.xxx.xxx.11

Portal B has xxx.xxx.xxx.69 that NATs to 192.xxx.xxx.12

I added HTTP to my SSL-VPN services in the TZ500 rules but I still get the error.

Anyone have any clues?

Category: Secure Mobile Access Appliances
Reply

Best Answer

Answers

  • BrianMBrianM Newbie ✭

    Thank you for the reply. I found those same documents and figured I would try here before contacting support.

    I will do a little more poking around and if I cannot find anything, I will create a new case.

    Thanks again.

  • Sure, Brian. Let us know how it goes. I am also curious to know what is the root cause of this issue. 😄

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • Vijay Kumar KV

    Enterprise Tech Support Consultant | SME

  • Validity is 90days

    it should renew it and I think we have auto renew as well. this supports from 10.2.x onwards

    Vijay Kumar KV

    Enterprise Tech Support Consultant | SME

  • we added new information's in 10.2 admin Guide

    Vijay Kumar KV

    Enterprise Tech Support Consultant | SME

  • BrianMBrianM Newbie ✭

    Vijay,

    Do you have a link to the 10.2 Admin guide? I only found the SMA 10.2 Feature and Upgrade docs. I only see the 10.0 Admin guide (I searched "Let's Encrypt") but nothing was found on Let's Encrypt.

  • @BrianM,

    I could find a section called 'Generating Certificates Using Let's Encrypt' in the 10.2 feature guide. I think that should have answers you are looking for.

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • SimonSimon Moderator

    @BrianM The 10.2.0.0 Admin Guide is under internal review. We are working to get it posted as soon as possible.

  • BrianMBrianM Newbie ✭

    @Simon

    Thank you very much. If you could give a little more technical details of the Let's Encrypt process , that would be great.

    Like I mentioned in my original post, I have mine setup in LAN mode and in DMZ mode. I do allow 443 and 80 from my TZ500 to my SMA210 through but the log tells me that it might be a firewall issue.

  • SimonSimon Moderator

    @BrianM the key thing is that the FQDN resolves correctly in the public DNS. When LetsEncrypt tries to validate that you own the domain, the Virtual Host entry for the Portal matches exactly the certificate request to LetsEncrypt. They have to see the correct response from the domain in the certificate signing request on port 80. e.g. vpn.example.com:80 as resolved to an IP address in the public DNS.

  • NatNat Newbie

    @BrianM You must have public DNS record to prove you are the owner of that domain.

    You should have at least one portal virtual host domain name that match the public DNS record. Then use that portal to submit the certificate request.

    It won't work if your FQDN doesn't match or cannot resolve by public.


  • BrianMBrianM Newbie ✭

    If I ping ssl.mydomainname.com it does resolve to the correct Public IP. This domain name has it own IP.

    Inside the SMA, Portals -> ssl.mydomain.com -> Virtual Host tab is the Internal IP address(192.168.XXX.12). My firewall NATs Public IP (HTTP,HTTPS) to Internal IP.

    Does the external IP need to be on the Virtual Host tab?

  • SimonSimon Moderator

    The FQDN needs to be in the Virtual Hosts tab. that same one that connects to the SMA from the public network.

  • BrianMBrianM Newbie ✭

    My bad. I was not clear enough.

    Virtual Host Domain Name = ssl.mydomain.com

    Virtual Host IP Address = 192.168.xxx.12 (Internal) - Should this be the external address?

    Firewall allows HTTP/HTTPS and NAT's from 166.xxx.xxx.69 (ssl.mydomain.com resolves to this address fine) to 192.168.xxx.12

  • SimonSimon Moderator

    The Virtual Host IP Address field need not be filled out on the Portals / Portals / Edit Portal / Virtual Host tab. This is typically left blank.

    The Virtual Host IP Address field is only used if you selected a Virtual Host Interface. If your SMA is installed as recommended there is only one active interface (X0), so this is not typically used.

    If it were used, it would be the IP address the portal is accessed on - from the point of view of the SMA, not the internet.

    My rule of thumb ... Don't add complexity where it is not needed.

  • BrianMBrianM Newbie ✭

    I believe it was setup like this because I have 3 portals but this specific portal has a different domain name than the first two portals and it requires its own Virtual Host certificate. So on the Virtual Host tab, I had to choose X0 Interface, enter IP address and that allowed me to select a separate Virtual Host Cert. This was setup many years ago.

Sign In or Register to comment.