
Sophos Firewall: LetsEncrypt with Sophos Firewall and Sophos Factory

Disclaimer: Please contact Sophos Professional Services if you require assistance with your specific environment

Overview

Sophos Factory brings a new tool to automate script-based approaches. This means you can run a script-driven ACME client such as Certbot or Lego in a Sophos Factory environment to obtain the certificate and upload it to the Sophos Firewall.

Sophos Factory offers a free Community Edition: https://community.sophos.com/sophos-factory/ and https://community.sophos.com/sophos-factory/b/release-notes-news/posts/get-started-here-sophos-factory-offer-automation-for-all-with-its-free-community-edition

Within Sophos Factory it could look like this:

Use the Sophos Factory Community for any Factory-related questions: Sophos Factory

Let's dig deeper into this scenario:

We are using Lego to renew the certificate; please refer to the Lego documentation for details: https://go-acme.github.io/lego/dns/. Lego supports many DNS providers. In this example we use AWS DNS (Route 53) together with the AWS Console feature of Sophos Factory, which supplies the AWS credentials Lego needs to write the DNS-01 challenge record.

If your DNS vendor is not supported:
You can use Lego's CNAME redirect support instead (enabled with LEGO_EXPERIMENTAL_CNAME_SUPPORT=true, as in Step 5). Create a CNAME from _acme-challenge.<your domain> to a record in a zone hosted by a provider Lego does support; the DNS-01 challenge record is then written there, and only that delegated zone needs API credentials. Background: https://letsencrypt.org/docs/challenge-types/ and https://www.eff.org/deeplinks/2018/02/technical-deep-dive-securing-automation-acme-dns-challenge-validation. In my example the delegated zone is in AWS Route 53.

Sophos Factory uses pipelines to do a job. This pipeline does everything from installing the needed tools to renewing the wildcard LE certificate and uploading it to the firewall.

Step 1: Firewall Variable

Define the firewall variables (hostname and the credentials the upload step will use) as pipeline variables rather than hard-coding them in the steps.

Step 2: Lego Release

Download the Lego release archive (Lego is an alternative to Certbot). Note that the linux_386 build is 32-bit; on a 64-bit runner pick the matching linux_amd64 archive from the same release page.

wget https://github.com/go-acme/lego/releases/download/v4.10.0/lego_v4.10.0_linux_386.tar.gz

Step 3: Extracting the Archive

Unpack the archive:

tar xf lego_v4.10.0_linux_386.tar.gz

Step 4: Installation and Cloning

Clone the update-golang helper and install Go. Note: the prebuilt lego binary from Step 2 is a statically linked Go binary and runs without a Go toolchain, so this step is only required if you build Lego from source.

git clone https://github.com/udhos/update-golang
cd update-golang
sudo ./update-golang.sh

Step 5: Running Lego and Fetching the Let's Encrypt Certificate

Important! This runs with AWS credentials, because Lego must create the DNS-01 challenge record in Route 53.
Replace saleseng.de in the email address and the domain with your own domain name. Lego writes the result under .lego/certificates/, named after the domain (for a wildcard, the leading * becomes _, e.g. _.saleseng.de.crt and _.saleseng.de.key). The -a flag is short for --accept-tos.

LEGO_EXPERIMENTAL_CNAME_SUPPORT=true \
./lego --email="admin@saleseng.de" --domains="*.saleseng.de" --dns="route53" -a  run

Step 6: Uploading the Certificate and Replacing It Everywhere

This step can be scripted following:  [LetsEncrypt] How To in Sophos Firewall 

My recommendation would be the following:

Try the renewal and upload the result to a storage of your choice first, before you automate the entire process. You could also split it: one pipeline does the renewal, and a second pipeline uploads the certificate to the firewall from your storage (such as an S3 bucket).

Important notice: be careful with the initial runs. Failed validations and repeated issuance count against Let's Encrypt's rate limits (failed validations are limited per account, per hostname and per hour; duplicate certificates per week), and hitting them can lock you out of issuance for hours or days. Use the Let's Encrypt staging environment (lego --server https://acme-staging-v02.api.letsencrypt.org/directory) while you test the pipeline. https://letsencrypt.org/docs/rate-limits/ 

Sophos Factory uses a container approach: every pipeline run gets a fresh runner, and all data on it is erased after the run. If the renewal succeeds but the upload to your storage (e.g. an S3 bucket) or to the firewall fails, the certificate and key are gone, and the next run will issue a new certificate and consume rate limits again. Persist the whole .lego directory (it also contains the ACME account key), not just the certificate files.
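The steps above as one pipeline script, with the recommendations folded in (staging CA for test runs, a sanity check of the issued key pair before touching the firewall, and an S3 copy before the upload because the runner is ephemeral). This is an added example, not the original post's or Sophos' own code. The variable names (FW_HOST, FW_API_USER, FW_API_PASS, LE_DOMAIN, LE_EMAIL, CERT_BUCKET, FW_CA_BUNDLE) are assumed Step 1 pipeline variables, and the Certificate element names in the XML API request follow the linked community How-To; confirm them against the XML API reference for your firmware version.

```shell
#!/bin/sh
# Added example for the Sophos Factory / Let's Encrypt pipeline; not from the original post.
# Assumed pipeline variables (set them in Step 1 / the Factory environment):
#   FW_HOST FW_API_USER FW_API_PASS  firewall address and an API-enabled admin account
#   LE_DOMAIN LE_EMAIL               wildcard domain and ACME contact address
#   CERT_BUCKET (optional)           S3 bucket that keeps a copy, since the runner is wiped
#   FW_CA_BUNDLE (optional)          CA file to verify the firewall's TLS certificate
# AWS credentials are expected to come from the Factory AWS integration.
set -eu

LEGO_VERSION="${LEGO_VERSION:-v4.10.0}"
LEGO_ARCH="${LEGO_ARCH:-linux_amd64}"      # linux_386 only on a 32-bit runner
LE_DOMAIN="${LE_DOMAIN:-*.saleseng.de}"
LE_EMAIL="${LE_EMAIL:-admin@saleseng.de}"
LE_STAGING="${LE_STAGING:-1}"              # 1 = staging CA; test runs do not burn production rate limits
FW_CERT_NAME="${FW_CERT_NAME:-LetsEncryptWildcard}"

# ACME directory URL for the chosen environment (1 = staging, anything else = production).
acme_server() {
  if [ "$1" = "1" ]; then
    echo "https://acme-staging-v02.api.letsencrypt.org/directory"
  else
    echo "https://acme-v02.api.letsencrypt.org/directory"
  fi
}

# lego writes <domain>.crt / <domain>.key under .lego/certificates/, with '*' replaced by '_'.
lego_cert_base() {
  printf '.lego/certificates/%s' "$(printf '%s' "$1" | sed 's/\*/_/g')"
}

# Steps 2-3: fetch and unpack the prebuilt lego binary (statically linked, no Go toolchain needed).
install_lego() {
  wget -q "https://github.com/go-acme/lego/releases/download/${LEGO_VERSION}/lego_${LEGO_VERSION}_${LEGO_ARCH}.tar.gz"
  tar xf "lego_${LEGO_VERSION}_${LEGO_ARCH}.tar.gz"
}

# Step 5: issue or renew via the Route 53 DNS-01 challenge. CNAME support lets
# _acme-challenge.<domain> be delegated to a Route 53 zone when the real DNS vendor is unsupported.
run_lego() {
  LEGO_EXPERIMENTAL_CNAME_SUPPORT=true ./lego \
    --email="$LE_EMAIL" --domains="$LE_DOMAIN" --dns=route53 \
    --server="$(acme_server "$LE_STAGING")" --accept-tos run
}

# Sanity check before touching the firewall: key matches cert, cert covers the wildcard, not about to expire.
verify_cert() {
  base=$1
  crt_pub=$(openssl x509 -in "$base.crt" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$base.key" -pubout | openssl sha256)
  [ "$crt_pub" = "$key_pub" ] || { echo "private key does not match certificate" >&2; return 1; }
  openssl x509 -in "$base.crt" -noout -checkend 86400 >/dev/null || { echo "certificate expires within 24h" >&2; return 1; }
  openssl x509 -in "$base.crt" -noout -ext subjectAltName | grep -F -q -- "DNS:$LE_DOMAIN" \
    || { echo "SAN does not cover $LE_DOMAIN" >&2; return 1; }
}

# Step 6: upload through the Sophos Firewall XML API (API access must be enabled on the firewall and the
# runner's IP allowed). The Certificate element names are an assumption taken from the community How-To.
upload_to_firewall() {
  base=$1
  reqxml="<Request><Login><Username>$FW_API_USER</Username><Password>$FW_API_PASS</Password></Login>\
<Set operation=\"add\"><Certificate><Action>UploadCertificate</Action><Name>$FW_CERT_NAME</Name>\
<CertificateFormat>pem</CertificateFormat><CertificateFile>cert.pem</CertificateFile>\
<PrivateKeyFile>key.pem</PrivateKeyFile></Certificate></Set></Request>"
  # Verify the firewall's TLS certificate whenever possible; -k is only acceptable for the bootstrap run.
  tls_opt="-k"
  if [ -n "${FW_CA_BUNDLE:-}" ]; then tls_opt="--cacert $FW_CA_BUNDLE"; fi
  curl -sS $tls_opt -F "reqxml=$reqxml" -F "cert.pem=@$base.crt" -F "key.pem=@$base.key" \
    "https://$FW_HOST:4444/webconsole/APIController"
}

main() {
  install_lego
  run_lego
  base=$(lego_cert_base "$LE_DOMAIN")
  verify_cert "$base"
  # Keep a server-side encrypted copy outside the ephemeral runner before the upload.
  if [ -n "${CERT_BUCKET:-}" ]; then
    aws s3 cp "$base.crt" "s3://$CERT_BUCKET/$FW_CERT_NAME/cert.pem" --sse AES256
    aws s3 cp "$base.key" "s3://$CERT_BUCKET/$FW_CERT_NAME/key.pem" --sse AES256
  fi
  upload_to_firewall "$base"
}

# Only run the pipeline when asked, so the helper functions can be sourced without network access.
if [ "${RUN_PIPELINE:-0}" = "1" ]; then main; fi
```

Run it with RUN_PIPELINE=1 and LE_STAGING=1 until the upload succeeds end to end, then switch to LE_STAGING=0 for the production certificate. The script stops before the firewall step if the key pair does not match or the SAN does not cover the wildcard, so a broken renewal never replaces a working certificate. Assigning the uploaded certificate to the admin console, SSL VPN or WAF (the "replace everywhere" part of Step 6) is left to the linked How-To.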

[edited by: Erick Jan at 1:28 PM (GMT -8) on 28 Feb 2023: Update Title]