[LetsEncrypt] How To in Sophos Firewall

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.

Hi Guys,

This Recommended Read goes over different options to obtain a Let's Encrypt certificate.

Overview

UTM has had Let's Encrypt (LE) support for WAF since UTM 9.6. On Sophos Firewall (XG/SFOS) you can use LE certificates as well! Many people seem not to know this: all you need is a small Linux server and 5-10 minutes of your time every 3 months, or you automate the process.

First of all, I want to share the "how it works" page of LE: https://letsencrypt.org/how-it-works/

My setup:

Internet - Sophos Firewall - Ubuntu 20.04 LTS
Ubuntu has "certbot" installed. Feel free to use another ACME client.
https://certbot.eff.org/ https://certbot.eff.org/lets-encrypt/ubuntubionic-apache
Follow the guide for your OS directly. I rely entirely on those tools for the renewal process.

Next step: I use the HTTP-01 challenge for LE, so I need a DNAT rule that forwards HTTP (TCP port 80) from the WAN to my Ubuntu host.

(Screenshot: the DNAT rule, V18.)

PS: I use the HTTP DNAT only for the renewal process and deactivate the rule afterwards. While the rule is active, everything listening on port 80 of the Ubuntu host is reachable from the Internet, so run certbot in standalone mode and keep nothing else on that port. Alternatively you can restrict the rule's source to the LE validation IPs, but note that Let's Encrypt does not publish a fixed list and validates from several vantage points:
https://community.letsencrypt.org/t/can-i-get-list-ip-from-letsencrypt/57117
PS2: You could switch to DNS validation (DNS-01), which needs no inbound port at all, as explained in this Community thread.

The next step is to check your domain. Your DNS A record must point to your WAN IP, otherwise this process will not work.
So perform a dig / nslookup of your domain. It should return your WAN IP, so that the DNAT matches and the HTTP validation request is forwarded to certbot.
You can also use the Sophos free DDNS service: https://community.sophos.com/kb/en-us/123126

Certbot

Let's start certbot and try it.
My renewal process is straightforward:


(Be careful: LE rate-limits you for some time after a few failed validations per hostname, so check everything first. A run with --dry-run uses the staging environment, which has much more generous limits.)
In the end you will get four files on your Linux host under /etc/letsencrypt/live/<domain>/: cert.pem (public certificate), chain.pem, fullchain.pem and privkey.pem (private key).
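As an added example (not part of the original post and not the author's script), the helper below takes certbot's output and stages exactly what the later upload section needs: the leaf certificate, the issuer chain for the Certificate Authorities page, and the private key already renamed from privkey.pem to privkey.key. It assumes certbot's standard live directory (/etc/letsencrypt/live/<domain>/ with cert.pem, chain.pem, fullchain.pem, privkey.pem); www.example.com and /root/sfos-upload are placeholders.

```shell
#!/bin/sh
# Added example, not the post author's script: stage certbot's output for the
# Sophos Firewall upload. Assumes certbot's live directory layout
# (/etc/letsencrypt/live/<domain>/ with cert.pem, chain.pem, fullchain.pem,
# privkey.pem) and the privkey.pem -> privkey.key rename the post describes.
set -e

# Number of PEM certificate blocks in a file (prints 0 if none).
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Split fullchain.pem: first block = leaf (goes into "Certificate"),
# remaining blocks = issuer chain (goes into "Certificate Authorities").
split_fullchain() {
    fullchain=$1; leaf=$2; chain=$3
    : > "$leaf"; : > "$chain"
    awk -v leaf="$leaf" -v chain="$chain" '
        /^-----BEGIN CERTIFICATE-----/ { n++ }
        n == 1 { print >> leaf }
        n > 1  { print >> chain }
    ' "$fullchain"
}

# Copy what the upload form needs into a staging directory only the owner can read.
stage_for_sfos() {
    live_dir=$1; out_dir=$2
    mkdir -p "$out_dir"; chmod 700 "$out_dir"
    split_fullchain "$live_dir/fullchain.pem" "$out_dir/cert.pem" "$out_dir/chain.pem"
    # The upload form does not accept the key as .pem, so stage it as .key,
    # keeping it readable by the owner only.
    install -m 0600 "$live_dir/privkey.pem" "$out_dir/privkey.key"
    # Sanity checks before anything is uploaded.
    [ "$(count_certs "$out_dir/cert.pem")" -eq 1 ] || { echo "cert.pem: expected exactly one certificate" >&2; return 1; }
    [ "$(count_certs "$out_dir/chain.pem")" -ge 1 ] || { echo "chain.pem: issuer chain missing" >&2; return 1; }
    grep -q 'PRIVATE KEY-----' "$out_dir/privkey.key" || { echo "privkey.key: no private key found" >&2; return 1; }
    echo "staged in $out_dir: cert.pem chain.pem privkey.key"
}

# Typical run on the Ubuntu host (as root) while the HTTP DNAT rule is active:
#   certbot certonly --standalone -d www.example.com --dry-run   # staging first, generous rate limits
#   certbot certonly --standalone -d www.example.com
#   stage_for_sfos /etc/letsencrypt/live/www.example.com /root/sfos-upload
```

The split is useful when only fullchain.pem is at hand; the sanity checks catch the common mistakes (fullchain uploaded as the certificate, chain missing, wrong key file) before you touch the firewall.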

Upload to Sophos Firewall

You will use the public certificate (cert.pem) and the private key (privkey.pem).
There are a couple of ways to get these onto the Sophos Firewall.

The first LE certificate can simply be uploaded in the web admin.
Use cert.pem in "Certificate" and the private key in "Private key".
PS: you have to rename privkey.pem to privkey.key, otherwise Sophos Firewall will not accept the certificate.

Optionally you can upload the chain and fullchain certificates under Certificate Authorities (without a private key), so the firewall knows the issuer chain.
Now you can use this certificate for WAF/Webadmin.

For renewal (every 90 days), you have to choose a process.

Automation

You can simply upload the new LE certificate under another name and then select it in the WAF rule / Webadmin settings.
Or you can "update" the existing LE certificate with the new cert.pem / privkey.key. For this method you first have to switch WAF/Webadmin to a fallback certificate, because Sophos Firewall cannot update a certificate that is currently in use.

Either way, these steps are a manual process every 90 days.
You can script this if you want to, i.e. upload the certificate to Sophos Firewall every 90 days via the API:
https://community.sophos.com/kb/en-us/132560
Other members of the community have already written scripts for this.
https://community.sophos.com/products/xg-firewall/f/sophos-xg-firewall-general-discussion/102208/upload-certificate-using-api
https://community.sophos.com/xg-firewall/f/discussions/126295/automatically-renew-let-s-encrypt-ssl-certificates-on-xg-using-powershell
https://github.com/mmccarn/sophos
https://community.sophos.com/sophos-xg-firewall/f/discussions/129768/letsencrypt-api-update-script---dynamically-handles-multiple-certs-multiple-rules-including-re-grouping-of-policies-rules
https://community.sophos.com/sophos-xg-firewall/f/discussions/134534/sophos-xg-api-lets-encrypt-powershell-7-waf-update
https://community.sophos.com/sophos-xg-firewall/f/discussions/138668/upload-certificates-using-powershell-to-automate-let-s-encrypt

If you want to script this, the community can help if you get stuck on a point:
simply open a new thread describing your issue with the API and we will try to find a solution.
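One way to script the upload over the firewall's XML API, as an added example that is not from the original post nor from any of the linked scripts. The element names (UploadCertificate, CertificateFormat, CertificateFile, PrivateKeyFile), the multipart field names matching the file names, the APIController endpoint on port 4444 and the <Status code="200"> response are my assumptions from the SFOS API reference, so check them against the API reference for your firmware (KB 132560 above) before relying on them. SFOS_HOST, SFOS_USER and SFOS_PASS are placeholders. The API must be enabled under Backup & firmware > API with the client's IP on the allowed list; use a dedicated administrator account for it. Pointing the WAF rule or Webadmin at the new certificate name afterwards is not covered here.

```shell
#!/bin/sh
# Added example (not the original post's script). Uploads a certificate to
# Sophos Firewall over the XML API using curl. XML element names, multipart
# field names and the endpoint are assumptions: check the SFOS API reference.
set -e

: "${SFOS_HOST:=firewall.example.com}"   # placeholder
: "${SFOS_USER:=api-admin}"              # dedicated API admin (placeholder)
: "${SFOS_PASS:=change-me}"              # placeholder; export it from a secret store instead

# Escape the XML special characters so a password like p<a&ss cannot break (or inject into) the request.
xml_escape() {
    printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g; s/"/\&quot;/g; s/'"'"'/\&apos;/g'
}

# Certificate name for the "upload under another name, then swap" approach: LE_<host>_<YYYYMM>.
next_cert_name() {
    host=$(printf '%s' "$1" | tr -c 'A-Za-z0-9' '_')
    stamp=${2:-$(date +%Y%m)}
    printf 'LE_%s_%s' "$host" "$stamp"
}

# Build the reqxml body. Arguments: user password name certfile keyfile
build_upload_xml() {
    printf '<Request><Login><Username>%s</Username><Password>%s</Password></Login><Set><Certificate><Action>UploadCertificate</Action><Name>%s</Name><CertificateFormat>pem</CertificateFormat><CertificateFile>%s</CertificateFile><PrivateKeyFile>%s</PrivateKeyFile></Certificate></Set></Request>' \
        "$(xml_escape "$1")" "$(xml_escape "$2")" "$(xml_escape "$3")" "$(xml_escape "$4")" "$(xml_escape "$5")"
}

# Send the request. The XML (with the password) is handed to curl from a 0600 temp file
# via "reqxml=<file", so the password never appears on the command line or in ps output.
sfos_upload_cert() {
    name=$1; cert=$2; key=$3
    certname=$(basename "$cert"); keyname=$(basename "$key")
    tmp=$(mktemp); chmod 600 "$tmp"
    build_upload_xml "$SFOS_USER" "$SFOS_PASS" "$name" "$certname" "$keyname" > "$tmp"
    # Set SFOS_INSECURE only until the admin UI presents a certificate your CA store trusts.
    resp=$(curl --silent --show-error --fail ${SFOS_INSECURE:+--insecure} \
        -F "reqxml=<$tmp" \
        -F "$certname=@$cert" \
        -F "$keyname=@$key" \
        "https://$SFOS_HOST:4444/webconsole/APIController")
    rm -f "$tmp"
    printf '%s\n' "$resp"
    case "$resp" in
        *'code="200"'*) return 0 ;;
        *) echo "upload of $name failed" >&2; return 1 ;;
    esac
}

# Example run, after staging the files from certbot:
#   sfos_upload_cert "$(next_cert_name www.example.com)" \
#       /root/sfos-upload/cert.pem /root/sfos-upload/privkey.key
```

Because the name changes every month, each renewal creates a fresh certificate object and never hits the "certificate in use cannot be updated" restriction; old objects can be deleted once nothing references them.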

Sophos Factory

Sophos Factory brings a new tool to automate script-based approaches. This means you can easily run a script like certbot or Lego in a Sophos Factory environment to generate the certificate and upload it to the Sophos Firewall.

Sophos Factory offers a free Community Edition. https://community.sophos.com/sophos-factory/ https://community.sophos.com/sophos-factory/b/release-notes-news/posts/get-started-here-sophos-factory-offer-automation-for-all-with-its-free-community-edition

Within Sophos Factory it could look like this:

Each step is one scripting component. Using tools like Lego and GitHub, the "pipeline" runs once, generates the certificate and uploads it to the firewall.

Contribution:

 https://zerossl.com/free-ssl/#crt Free alternative to this approach
 For the GitHub script.
 Thanks for the PHP script!
 for a PowerShell script with WAF integration.
 for another version of a PowerShell script.



Updated Disclaimer
[edited by: Erick Jan at 9:16 AM (GMT -7) on 17 Apr 2023]
  • Added Sophos Factory to this Thread. 

    __________________________________________________________________________________________________________________

  • This feature was one of the top-ranked requests in Ideas (RIP).

    On every corner of the forums people ask for it.

    The feature was promised at the same time it was for UTM. UTM has had it for years now - and for XG it is still "on the roadmap" with no sign of anybody even touching it.

    Just another feature the "next gen" does not have - and likely will not get any time soon.

    Sophos' communication on development and feature implementation in XG is getting to a point where it is embarrassing at best - fraudulent at worst.

  • Because having to use an external tool is at least one more step than it was with the UTM, where it - apart from accepting new EULAs recently - never caused any problems at all.

    For me it is not a critical feature at all, but I can understand everyone who is frustrated that it is still not implemented after years of requesting it. The XG/XGS/Sophos Firewall system is evolving; many things have gotten easier (and some harder) to use. But sometimes it still feels like taking part in a beta program rather than having a "state of the art" product.

    It can't be this hard to implement a silly simple feature like LetsEncrypt the way it was in the good old UTM. Click a checkbox, enter an FQDN and select an interface. "Save and forget about it".

    Regards,

    Kevin

    Sophos CE/CA (XG, UTM, Central Endpoint)
    Gold Partner

  • this - and the usual "will be implemented in the next version" answer by Sophos.

    And Factory is a fun toy - if you have a few connected instances.
    But good luck implementing and managing 300 customers with independent firewalls.

    For me it is not a critical feature. But as we have multiple customers with at least 100 WAF instances using LE certs - on over 30 firewalls - and given the current state of missing features in XG's WAF, all of those will not migrate to XG, as this would mean having a separate reverse proxy appliance/VM to replicate what UTM can do.

  • Factory is actually a tool to scale up to enterprise customers. It is a tool to work with thousands of customers at once. Did you try out the way Factory works? Because you can build a pipeline, use each customer's own credentials and reuse the pipeline 300 times - no worries. So it would be possible to do this 300 times and much more. I see Factory as the new way of integrating and working as a partner, and every partner should invest time into this way of working compared to "the old-fashioned way".

    LE is not part of the near-future roadmap. There is no commitment to do it in the next version by any means. Customers are looking into buying a cheap wildcard cert and using it in the meantime. I would not see WAF certificate management as a blocker for a migration for any reason. This is something we can easily solve in two ways: use a tool like Factory (customer or partner) or purchase a certificate. This cannot be a blocker for migration - and if it is a blocker, feel free to contact your Sophos sales rep to discuss the options there (maybe a virtual UTM for WAF, for example).

    __________________________________________________________________________________________________________________

  • Thanks for saying that Sophos is not listening to their customers. We have 30 rules on the WAF. Changing the certificate is a pain. LE would be really great. No, we don't want another system running that we have to take care of ...

  • At the end of the day, it's just ridiculous that Sophos refuses to add such a simple feature. And your suggestion is to run a virtual UTM? Come on. Most of your competition supports LE and has for a while. Wildcard certs are not cheap, and that is just something else for end users to worry about, when the simple solution is to add the feature.

  • That is not my point. LE is on the backlog, but other features are more pressing to implement compared to LE, which is easily replaceable.

    BTW: You can easily change it with XML import/export.

    And as you can see, LE alone would not work - you need a change in the entire certificate management of SFOS (core), which means it needs to replace the certificate completely transparently in all modules.

    The next question is: are we going to do the old HTTP integration, which is likely insecure compared to DNS? So the future-proof way to integrate this would be the DNS challenge. DNS challenge means you would have to host your own DNS server or support a DNS service with API hooks. This is the next challenge.

    Just to give you an overview of the decision making. 

    __________________________________________________________________________________________________________________

  • No, it's not easy to do with XML. If you do it regularly it is possible, but not for the normal customer ...

  • See: https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/123684/interface-vlan-migration-via-xml-import-export It is the same for WAF. I can create a Recommended Read for this if needed. But you can do this in 1 minute if you want.

    __________________________________________________________________________________________________________________

  • So the future-proof way to integrate this would be the DNS challenge. DNS challenge means you would have to host your own DNS server or support a DNS service with API hooks. This is the next challenge.

    Where did you get this information from?

    As long as your domain registrar has an API to manage subdomain records, it will work as expected with the correct certbot plugin. (Which means all top registrars, including Cloudflare, are able to do this.)

    Example: certbot-dns-cloudflare.readthedocs.io/.../


    If a post solves your question use the 'Verify Answer' button.

    XG 115w Rev.3 8GB RAM v19.5 MR1 @ Home.

  • You can do both. But the problem is: most DNS providers do not offer an API. The big ones do, but there are plenty of DNS providers (especially the smaller ones) without an API. So using DNS verification will not work for those customers. What is the alternative? Using HTTP, or doing a DNS server implementation: see https://github.com/joohoi/acme-dns

    __________________________________________________________________________________________________________________
