Today I stumbled across an interesting workaround for the Sophos UTM and Let's Encrypt certificates:
https://github.com/rklomp/sophos-utm-letsencrypt
René has taken the trouble to create a script that can automatically renew Let's Encrypt certificates on the Sophos UTM.
The implementation is relatively simple and worked right away in my test environment. As the Let's Encrypt CA needs to access the web server to perform the domain validation, the check file must be copied to the web server behind the WAF. I tested this successfully using FTP.
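A pre-flight check for the step described above, as an added example that is not part of the original post or of René's script: before renewal is triggered, fetch the uploaded file over HTTP the way the CA would and confirm it comes back unchanged through the WAF. It assumes the check file sits at the standard HTTP-01 path `/.well-known/acme-challenge/`; the token, file content and local test server are constructed stand-ins.

```python
import functools
import http.server
import pathlib
import tempfile
import threading
import urllib.error
import urllib.request

ACME_PATH = "/.well-known/acme-challenge/"  # assumed: standard HTTP-01 location (RFC 8555)
# Ignore proxy environment variables so the request goes straight to the host.
_opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def challenge_reachable(base_url, token, expected_body, timeout=5):
    """Return True only if the challenge file is served with exactly the expected content."""
    url = base_url.rstrip("/") + ACME_PATH + token
    try:
        with _opener.open(url, timeout=timeout) as resp:
            body = resp.read().decode("ascii", "replace").strip()
            return resp.status == 200 and body == expected_body
    except (urllib.error.URLError, OSError):
        # 403/404 from the WAF or backend, DNS failure, timeout: validation would fail too
        return False


def demo():
    """Constructed stand-in: a local web root plays the web server behind the WAF."""
    token = "constructed-token"
    key_auth = "constructed-token.constructed-thumbprint"
    with tempfile.TemporaryDirectory() as webroot:
        target = pathlib.Path(webroot, ACME_PATH.strip("/"))
        target.mkdir(parents=True)
        (target / token).write_text(key_auth)  # the copy step the post performs via FTP
        handler = functools.partial(
            http.server.SimpleHTTPRequestHandler, directory=webroot)
        srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        base = f"http://127.0.0.1:{srv.server_port}"
        try:
            ok = challenge_reachable(base, token, key_auth)
            missing = challenge_reachable(base, "not-uploaded", key_auth)
            altered = challenge_reachable(base, token, "other-content")
        finally:
            srv.shutdown()
            srv.server_close()
    return ok, missing, altered


if __name__ == "__main__":
    print(demo())
```

Against a real setup, call `challenge_reachable` with the public `http://` hostname published through the WAF; a `False` result points to a missing upload or a WAF rule blocking or rewriting the path.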
Note: This is a workaround that is not officially supported by Sophos. Sophos UTM currently does not provide direct support for the ACME client. For test environments, however, it is still a good way to obtain valid certificates.
According to my information, direct support for Let's Encrypt in Sophos UTM is planned for one of the next versions. Until then, you will probably have to be patient.
It certainly can't hurt if a few more votes are added to the feature request: