Guest User!

You are not Sophos Staff.

Thread Info
  • Replies 120 replies
  • Subscribers 56 subscribers
  • Views 94039 views
  • Users 0 members are here
Options
Suggested

[LetsEncrypt] How To in Sophos Firewall

LuCar Toni

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.

Hi Guys,

This Recommended Read goes over different options to obtain a Let's Encrypt certificate.

Overview

UTM has a LE Support for WAF (since UTM9.6). But on Sophos you can use LE certificates as well! Seems like many people does not know, you simply need a little Linux server and 5-10 minutes of your time each 3 month. Or you automate this. 

First of all, i want to share the "how it works" page of LE. https://letsencrypt.org/how-it-works/

My Setup. 

Internet - Sophos - Ubuntu 20.04 LTS
Ubuntu has "certbot" installed. Feel free to use other LE modules.
https://certbot.eff.org/ https://certbot.eff.org/lets-encrypt/ubuntubionic-apache
Follow straight the Guide for your OS. I am relying fully on those apps for the renewal process.  

Next step is, I am choosing the HTTP-01 method for LE, so i need a DNAT for LE to my Ubuntu.

(V18). 

PS: I am using HTTP DNAT for the renewal process and deactivate those Rules after the process. But you can also use only the LE IPs: 
https://community.letsencrypt.org/t/can-i-get-list-ip-from-letsencrypt/57117
PS2: You could switch to the DNS validation like explained in this Community thread.  

Next steps would be to check your Domain. Your DNS A-Record should point to your WAN IP. Otherwise this process will not work. 
So perform a dig / nslookup of your domain. It should point to your WAN IP, so your DNAT will work and HTTP packets are forwarded to Certbot. 
You can also use the Sophos free DDNS service. https://community.sophos.com/kb/en-us/123126 

Certbot

Lets start certbot and try it. 
My renewal process is straight forward:


(Be careful: LE blocks you after couple of "failed" request for some time. So check everything!).
In the End you will get 4 files on your Linux: Public, Chain, Fullchain, Privatkey Certificates. 

Upload to Sophos Firewall

You will use this Public and Privatkey certificate. 
There are couple of approaches to upload this to Sophos . 

The first LE Cert can be simply uploaded. 
You should use the Public.pem in "Certificate" and the Privatkey in "Privat key". 
PS: you have to rename the Privatkey.pem to Privatkey.key, otherwise Sophos will not take this certificate. 

 

Optionally you can upload the other Chain and fullchain Certificate under Certificate Authorities (Without Privat key). 
Now you can use this Certificate for WAF/Webadmin. 

In case of renewal (each 90 Days), you have to choose a process.

Automation 


You can simply upload the new LE certificate with another Name and replace it in WAF/Webadmin. 
Or you can "update" the current LE certificate with new public.pem / privat.key. But for this method, you have to switch to a fallback certificate in WAF/Webadmin, because Sophos cannot update a certificate, which is currently in use.  

After all, those steps are manual process each 90 Days. 
You can "script" this, if you want to. So basically upload the certificate each 90 Days to Sophos . 
https://community.sophos.com/kb/en-us/132560
Other member in the community performed already scripts for this.
https://community.sophos.com/products/Sophos -firewall/f/sophos-Sophos -firewall-general-discussion/102208/upload-certificate-using-api
https://community.sophos.com/Sophos -firewall/f/discussions/126295/automatically-renew-let-s-encrypt-ssl-certificates-on-Sophos -using-powershell
https://github.com/mmccarn/sophos
https://community.sophos.com/sophos-Sophos -firewall/f/discussions/129768/letsencrypt-api-update-script---dynamically-handles-multiple-certs-multiple-rules-including-re-grouping-of-policies-rules
https://community.sophos.com/sophos-Sophos -firewall/f/discussions/134534/sophos-Sophos -api-lets-encrypt-powershell-7-waf-update
https://community.sophos.com/sophos-Sophos -firewall/f/discussions/138668/upload-certificates-using-powershell-to-automate-let-s-encrypt

If you want to script this, this community can help you in case you are struggling with a point! 
So simply open a new thread with your issue with the API, we will try to find a solution. 

Sophos Factory

Sophos Factory brings a new Tool to automate Script based approaches. This means, you can easily run a Script like Certbot or Lego in a Sophos Factory environment to generate the certificate and upload it to the Sophos Firewall. 

Sophos Factory offers a free Community Edition. https://community.sophos.com/sophos-factory/ https://community.sophos.com/sophos-factory/b/release-notes-news/posts/get-started-here-sophos-factory-offer-automation-for-all-with-its-free-community-edition

Within Sophos Factory it could look like this:

Each step is one scripting component. By Using tools like Lego and Github, the "Pipeline" will run one time, generate the certificate and upload it to the Firewall. 

Contribution:


  https://zerossl.com/free-ssl/#crt Free alternative to this approach
For the Github script. 
 Thanks for the PHP Script! 
 for a Powershell Script with WAF integration. 
 for another version of a Powershell Script. 



Updated Disclaimer
[edited by: Erick Jan at 9:16 AM (GMT -7) on 17 Apr 2023]
Parents Reply
  • in reply to Björn Bendix

    What about a platform to do automation entirely? 

    See: Sophos Factory. 

    Sophos has this feature in the backlog for future implementation. The Implementation could differ from the other products. While UTM did a HTTP only approach, SFOS could go the direction to do it via DNS. ACME/LetsEncrypt supports a Certificate renewal process by a third party. That is the approach, which looks way better.

    For example: You simply point your DNS to Central. Central will renewal your Certificate and push it to the firewall. That is the better approach, as it will give you a Wildcard Certificate, you will get the certificate all the time, without having a Webserver running on the firewall etc. This would mean, no ties to Webserver Protection Subscription as well. 

    __________________________________________________________________________________________________________________

Children
  • in reply to LuCar Toni

    Nope, its not easy to have this Sophos connected to the DNS Service. Lets see whats coming. But at the moement from the customer view, im not happy with sophos any more. Lets see what is going on, and in the meantime im looking for other solutions on the market ;)

  • in reply to LuCar Toni

    DNS Options are much more secure than the web Option.

    Just have an acme DNS entry pointing to Central and handle the Setup there seems to be nice. But please not only wildcards. Keep in mind customer might have diffrent Lets Encrypt DNS solutions. And pointing to Central might not be possible.

  • in reply to Björn Bendix

    Sophos will not connect to DNS. You will simply point one DNS Record to the DNS Services of Sophos. This means by using CNAME. It is one ACME CNAME you will maintain one time, which is sufficient to do this. 

    __________________________________________________________________________________________________________________

  • in reply to Björn Bendix

    I cannot give a date. Until then, you could look at Sophos Factory if you want to expand your business anyway to Automation. 

    __________________________________________________________________________________________________________________

  • in reply to LuCar Toni

    Yes I know, I am doing this. But when you point the wildcard acme to Central, I am not able to use it for other acme setups.

    Even when pointing a server1.cutomer.de acme to Central I am not able to use it for ther internal acme stuff.

    With this approach, I must be able to use the central DNSAPI, too.

    Customer example: acme CNAME in main domain to a DNSAPI domain. Acme scipt write only data to DNSAPI domain.

  • in reply to Sven OlafSchuran

    You can overwrite the CNAME with a own txt record all the time, if you want. This means, you are still in control of your domain, if you want to generate additional ACME Certificates. Simply remove the CNAME and update your own DNS txt record and generate your scripts. DNS will always be used for the entire domain. 

    I highly doubt, Sophos will implement a Certificate store for you. Which means, the firewall is not your central certificate store to renewal and upload to other products. 

    That should be (especially from a automation and security perspective) a automation tool in a docker container. Like Sophos Factory. 

    Take a look at this tool, it can actually do exactly this. It will store the data only in processing, upload it to your desired places / machines etc. 

    __________________________________________________________________________________________________________________

  • in reply to LuCar Toni

    Hi,

    main problem, DNS API tokens are often to agressive, they allow to much.

    What we do, we add a constant cname to a diffrent domain, and change DNS entries trough api in this domain.

    When api token is compromised, changes in main dns zone are not possible.

    Sven

Unfiltered HTML