SD-WAN

 View Only
last person joined: 18 days ago 

Ask questions and share experiences with SD-WAN and Session Smart Router (formerly 128T).
  • 1.  Let's Encrypt for Conductor

    Posted 07-26-2022 10:31
    Hello,

    I'm trying to add Let's Encrypt Cert to Conductor. In the past I used following instruction
    However, it doesn't work anymore.

    Domain: sd-wan.example.com
    Type: connection
    Detail: X.X.X.X: Fetching
    http://sd-wan.example.com/.well-known/acme-challenge/hTNQ6-GWStVoChteaQvl6_pHOS8MsavxkhK6Ad_TcJA:
    Timeout during connect (likely firewall problem)

    Any idea on how to get it to work?

    Thanks!
    -Greg

    ------------------------------
    Greg
    ------------------------------


  • 2.  RE: Let's Encrypt for Conductor

     
    Posted 08-03-2022 05:22

    Hi Greg,

    indeed - it really sounds like a firewall issue.

    Two questions:

    1. Is this conductor a bare metal or virtual/cloud instance?
    2. Could you please check (at the linux cli) if there is a rule that allows incoming traffic to port 80? (sudo iptables -nvL | grep dpt:80)

    The iptables output should bring up something like this:

    $ ​sudo iptables -nvL | grep dpt:80
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 ctstate NEW,UNTRACKED


    Thanks,
    Mathias



    ------------------------------
    Mathias Jeschke
    Juniper Networks
    ------------------------------



  • 3.  RE: Let's Encrypt for Conductor

    Posted 08-15-2022 15:27
    Hi Mathias,

    1. Conductor is a VM in our own environment.
    2. Port 80 is open and I even tried to disable firewall. Still no go.
     1 52 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 ctstate NEW,UNTRACKED

    ------------------------------
    GREG WROBEL
    ------------------------------



  • 4.  RE: Let's Encrypt for Conductor

     
    Posted 08-16-2022 06:23

    Hi Greg,

    To me it looks like you have another firewall in front of your Conductor or there is a routing or DNS issue somewhere.

    One connection  to port 80 is too low for a successful letsencrypt run (on my lab system there have been 4 connections).

    You could try to run a tcpdump on your conductors wan interface (e.g. tcpdump -w le.pcap -nni eth0 port 80) for troubleshooting or run the certbot in foreground mode (ideally with --test-cert to avoid rate-limit issues).

    -Mathias



    ------------------------------
    Mathias Jeschke
    Juniper Networks
    ------------------------------