Installing Let's Encrypt when using sucuri firewall

Hi All, this is my first post,

I'm in the process of finishing development of our business website. Our developer recommended using Let's Encrypt SSL; I was very happy to hear that the service is free of charge. Thank you to the whole LE team for the hard work, and keep it safe. But from here things got complicated: we are using the Sucuri firewall subscription service for protection against penetration and such. When the developer checked, he found that Sucuri had already installed an LE SSL certificate for its service using our URL, without any notification.

I contacted our hosting and asked them to install LE SSL, and they said they can't install it as Sucuri is using it already. They asked if they "offer a free origin server SSL certificate to install on your cPanel hosting service".
Sucuri's reply:
"For the SSL certificate there are a couple options that you can explore. Unfortunately we do not provide the private key for Let’s Encrypt but you could have your hosting provider install one for you on the site and our system could forward the validation to the server.

Another option is a self signing certificate which can also be done directly in the hosting account. Both of these options will allow us to forward the Certificate Validation to Hosting, validating your https:// on the hosting side."

As I don't have much knowledge of how SSL and firewalls work, I asked both Sucuri and the hosting to explain, but it seems they are ignoring my questions and making the decision for me. The hosting ended up using the second option, a self-signing certificate. When I had a bit of a read about it, in general in most situations the self-signed certificate isn't valid/trusted globally.

This issue is bothering me as it's very important to make the right decision for the security of the users and site information.

My questions: can someone explain how it works when using SSL with a firewall? Where should I install the CA, on the hosting server or Sucuri? What are the two options Sucuri suggested? Which one should I use, or is there a different way to do it? What would you do in this situation?

Hope someone can help

Thank you,

You first need to understand the paid service provided to you by Sucuri.
Which might be cloud based (like CloudFlare CDN) or locally installed on your server.
In either case, they seem to be doing inline HTTPS inspection.
Which means they terminate the SSL the client connects to.
So they need to maintain that certificate.
Glad to hear that they use LE for such.

But back to your questions:

  1. Can someone explain how it works when using SSL with a firewall?
    That depends on what the firewall is doing with the SSL connections and where the firewall is located.
    If it is outside your system (in a cloud), then there is a portion of the client connection that is unencrypted (between your server and the Sucuri firewall). There are ways to address that but a self-signed cert is not ideal.

  2. Where should I install the CA, on the hosting server or Sucuri?
    A CA (Certificate Authority) should not be installed by a client - unless you are going to maintain a self-signing cert system (again, not ideal).
    Here you may have meant to ask: Where should I install the certificate, on the hosting server or Sucuri?
    If so, then I would say both should be secured (unless both are in the same physical box).

  3. What are the two options Sucuri suggested?
    A. You could have your hosting provider install one for you on the site and our system could forward the validation to the server.
    This sounds like what you would need; to generate the cert and ease the renewal process thereafter.
    B. A self signing certificate which can also be done directly in the hosting account.
    True, but again, not ideal.

  4. Which one should I use or is there a different way to do it?
    Without any additional information, I’d say those are basically the two ways to do it:
    A. Install LE cert on your hosting server (via forwarded Auth or via DNS Auth).
    B. Self-signed cert.

  5. What would you do in this situation?
    A. Get a picture of how things are connected and how service is being provided.
    B. Understand where things are encrypted and how.
    C. Understand where they are not, if any.
    D. Decide if any of those unencrypted/insecure areas need to be encrypted/secured.
    E. If needed, look for options that can meet those security needs.
    F. Choose an option and go forward from there.

Without even a picture, I can only guess.
And that would most likely not do you any justice.
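The trust difference described above between a CA-issued origin certificate and the hosting provider's self-signed one can be checked locally. The script below is an added example, not code from this thread, from Sucuri or from the hosting provider. It constructs, in a temporary directory, a throw-away root CA standing in for a public CA such as Let's Encrypt, an origin certificate issued by that CA, and a self-signed origin certificate, all for the placeholder hostname `origin.example.test` (an assumption, not a real site), and then shows which of them `openssl verify` accepts: the issued certificate is accepted by anyone holding the CA, while the self-signed one is accepted only by a verifier that has pinned that exact certificate, which is why it cannot authenticate the firewall-to-origin hop for a party that never received it.

```shell
#!/bin/sh
# Added example (not from the thread): compare a CA-issued origin certificate with a
# self-signed one. All keys and certificates are constructed here with openssl;
# origin.example.test is a placeholder name, and "Constructed Example Root CA"
# stands in for a public CA such as Let's Encrypt.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_ca: throw-away root CA (the stand-in for a public CA).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
    -subj "/CN=Constructed Example Root CA" -days 1 >/dev/null 2>&1
}

# make_issued_cert: origin certificate signed by the CA (what "install LE on the
# hosting server" ends up with, in miniature).
make_issued_cert() {
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/origin.key" -out "$WORK/origin.csr" \
    -subj "/CN=origin.example.test" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/origin.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -out "$WORK/origin-issued.pem" -days 1 >/dev/null 2>&1
}

# make_self_signed_cert: what the hosting provider's "self signing certificate" option produces.
make_self_signed_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/self.key" -out "$WORK/origin-self.pem" \
    -subj "/CN=origin.example.test" -days 1 >/dev/null 2>&1
}

# is_self_signed CERT: succeeds when issuer and subject are the same DN.
is_self_signed() {
  subj="$(openssl x509 -in "$1" -noout -subject)"
  iss="$(openssl x509 -in "$1" -noout -issuer)"
  [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# verifies_against CERT CAFILE: succeeds when CERT chains to a trust anchor in CAFILE.
verifies_against() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

build_demo_certs() {
  make_ca
  make_issued_cert
  make_self_signed_cert
}

# report: print, for each origin certificate, whether it is self-signed and whether a
# verifier holding only the CA accepts it; then show that the self-signed certificate
# is accepted only by a verifier that pins that exact certificate.
report() {
  for cert in "$WORK/origin-issued.pem" "$WORK/origin-self.pem"; do
    if is_self_signed "$cert"; then kind="self-signed"; else kind="CA-issued"; fi
    if verifies_against "$cert" "$WORK/ca.pem"; then v="trusted via the CA"; else v="NOT trusted via the CA"; fi
    echo "$(basename "$cert"): $kind, $v"
  done
  if verifies_against "$WORK/origin-self.pem" "$WORK/origin-self.pem"; then
    echo "origin-self.pem: accepted only by a verifier that pins this exact certificate"
  fi
}

build_demo_certs
report
```

Running it prints that `origin-issued.pem` is CA-issued and trusted via the CA, while `origin-self.pem` is self-signed and not trusted via the CA, and is accepted only when the verifier's trust store is the self-signed certificate itself. That last case is the "ways to address that" mentioned above: a firewall that lets you pin the origin certificate can authenticate a self-signed origin, but a firewall that only validates against public CAs cannot, and an origin certificate issued by a public CA avoids the question.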

Thank you @rg305 for taking the time and for the detailed explanation; it's a shame that Sucuri didn't bother explaining like you did, in simple words.

Sorry for missing the picture information. Our website is hosted on the web hosting server using a shared hosting service. For Sucuri we are using the firewall service (DNS redirection) on their server, see link: https://sucuri.net/website-firewall/ All traffic goes in there and bad packets are filtered before coming to the host. The hosting has at the moment set up a self-signing certificate and it's active.
I just read this post http://www.winhelponline.com/blog/sucuri-serverpilot-letsencrypt-acme-domain-authorization-failed/
and it confirms what you said: if using a "self signing certificate" on the web hosting server end, the information between the hosting server and Sucuri is not encrypted!

Reading both your explanation and the winhelponline blog, I conclude that at the moment, if using a self-signing certificate on the web hosting end, the information between the hosting server and Sucuri is not encrypted. The answer is to ask our web hosting provider to install LE on our shared hosting server (disabling the self-signing certificate) and to enable "Forward Certificate Validation" on the Sucuri end (which has already been done).

Can you confirm the above, that option one, with two certificates installed on both ends, is the way to go?

Please let me know if you need more information

Thank you

It sounds like the best available option.


A bit more theory on the setup you are trying to achieve:

Andrei
