
Errors trying to regenerate certificates (Heartbleed mitigation)

Hi all,

My home UTM is throwing an error when I try to regenerate certificates and the signing CA under Remote Access->Certificate Management->Advanced:

The Confd reported an error without providing any details.


Any ideas? FWIW, I was able to reset my WebAdmin cert without any trouble.


  • I fixed all my issues by doing a backup of the new firmware without the site specific data (certs, etc) and then restoring it. Then just walking through the initial setup really quickly and everything worked great and I didn't have to start from scratch. I have a lot of firewall/nat rules so that would have been a pain. I really suggest doing it this way since it will re-create all the certs for you.

    Bravo, slickone27!  Great news!  I hadn't heard of anyone trying this before.  I've linked to your post above in The Zeroeth Rule in Rulz.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Greetings Bob,

    I know this is an old thread but I thought it might need some updating now that UTM incorporates Let's Encrypt support.

    slickone27 certainly came up with the easiest way but I have a UTM that I worked with Sophos on for months to be able to restore without the site-specific data. It restored fine if you restored a full backup but if you tried to restore without the site-specific data it failed every time. Everything under the sun was tried by me and Sophos. Unfortunately, Sophos was unable to resolve the issue and I finally gave up once they provided a workaround.

    I was able to successfully get new certificates on the UTM by following Step 4 in this knowledge base article on Heartbleed: Recommended steps for UTM: https://community.sophos.com/kb/en-us/120851. It took a while but it worked great and I have never experienced any issues.

    I am now in a situation where I need to regenerate the certificates on that UTM again and I am prepared to follow the steps in the knowledge base article again, but with direct support for Let's Encrypt certificates now being part of the UTM I had to wonder if your caveat in Rulz would no longer apply if Let's Encrypt certificates were used instead of local certificates?

    Curious to know your thoughts.

    Best Regards - HTG
    Frustrated Sophos Partner seeing all the things
    that brought me to Sophos slowly slip away.
    RIP astaro.org

  • Hi old friend!

    Well, I'm originally a math guy, so I always look for "elegant" configuration solutions - for easy-to-understand and -maintain setups.  I haven't been using the LetsEncrypt solution, but would consider it for a home setup.  I still would prefer for new certs to be consistent in the configuration.  Did I answer your question or did I misunderstand which caveat you were referring to?

    Cheers - Bob
    PS You have a PM.

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Bob,

    Upon reading my post I must agree with you that I wasn't clear enough.

    I have been using Let's Encrypt certificates on all UTMs I manage, including this troublesome UTM. I can totally see where someone of your caliber would not feel the need for using the Let's Encrypt solution, but for myself it has been a huge blessing being able to click a few buttons and say goodbye to self-signed certificates on the UTMs I manage. They have all renewed without fail until I was forced to make a change to the client's Internet connection on this one UTM.

    When I had to switch from one IP to 5 IPs I was not only forced to change IPs but the hostname, due to my own poor planning by naming the host after the ISP's PTR record name. Obviously having the hostname resolvable in reverse DNS is important for email, so I thought that the ISP's PTR record for the IP address would be a good solution. 20/20 hindsight has clearly shown me that it was only a good solution so long as the client maintained that IP address and the ISP didn't change the PTR record.

    Due to the above, what I need to do is change the hostname on this UTM. To avoid having to switch the host names in the future I have learned my lesson and will now set hostnames where I control the forward and reverse DNS. Naturally once the hostname is changed it means that certificates need to be regenerated.

    Since this problem UTM will not restore from a backup when the site-specific data is removed, slickone27's method will not work as the easy solution to regenerate certificates, so I must either start from scratch (not a good option since there's a lot of complexity to this UTM's configuration) or use the method Sophos provided as described in the Heartbleed knowledge base article's step 4.

    I was all prepared to regenerate the certificates using the Heartbleed knowledge base article method, but then it occurred to me... With the use of Let's Encrypt for certificates, wouldn't it be unnecessary to regenerate all the certificates following the Heartbleed knowledge base article method, since those self-signed certificates will not be used anyway and will be replaced with Let's Encrypt certificates?

    So since I have been using Let's Encrypt certificates do you suppose it would be possible to simply disable the Let's Encrypt (which deletes all Let's Encrypt related data), change the hostname, and then redo the Let's Encrypt?

    Do you believe that would be sufficient as you say in Rulz "to get CAs, certificates, hostname entries, etc. all aligned?"

    Finally, this brings us to the caveat. What I was referring to is that I've heard you say if you don't get all this stuff aligned you are asking for trouble.

    Best Regards - HTG
    Frustrated Sophos Partner seeing all the things
    that brought me to Sophos slowly slip away.
    RIP astaro.org

  • "So since I have been using Let's Encrypt certificates do you suppose it would be possible to simply disable the Let's Encrypt (which deletes all Let's Encrypt related data), change the hostname, and then redo the Let's Encrypt?"

    It sounds like that would work, but were I in your place, I think I would hedge my bet by trying this in a VM first.

    If things aren't "aligned," it's not the end of the world, it's just that there are several details that can slow down solving some problems and complicate other configurations like Remote Access.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
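Both HTG's plan (change the hostname, then reissue certificates) and Bob's "alignment" caveat come down to one verifiable condition: the certificate the UTM serves must name the hostname the UTM is now configured with. The added example below is not from this thread or from Sophos; it uses the openssl CLI and a constructed self-signed certificate for a made-up old hostname to show the check a practitioner would run before and after the change.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a certificate still
# matches the UTM hostname, and show which CA issued it. Assumes openssl
# 1.1.1 or newer is installed (needed for -addext and -checkhost).

# check_cert_host PEMFILE HOSTNAME
# Returns 0 when HOSTNAME is covered by the certificate's SAN/CN, 1 otherwise.
# openssl x509 -checkhost always exits 0, so the verdict text is inspected.
check_cert_host() {
    cert="$1"; host="$2"
    if openssl x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null \
        | grep -q "does match"; then
        return 0
    fi
    return 1
}

# cert_issuer PEMFILE
# Prints the issuer DN; after a Let's Encrypt reissue this should no longer
# be the UTM's own (self-signed) CA.
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer
}

# make_sample_cert PEMFILE
# Constructed sample: a self-signed cert for the OLD hostname, which is what
# a hostname change leaves behind. The hostname is made up for this example.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$1.key" -out "$1" \
        -subj "/CN=utm.old-isp-ptr.example" \
        -addext "subjectAltName=DNS:utm.old-isp-ptr.example" >/dev/null 2>&1
}

# Usage (run stand-alone): generate the sample and check it against the old
# and the new hostname; the new one is expected to fail until reissued.
if [ "${0##*/}" = "check_cert_host.sh" ]; then
    tmp=$(mktemp -d)
    make_sample_cert "$tmp/utm.pem"
    for h in utm.old-isp-ptr.example utm.new-hostname.example; do
        if check_cert_host "$tmp/utm.pem" "$h"; then
            echo "$h: matches certificate"
        else
            echo "$h: NOT covered by certificate, reissue needed"
        fi
    done
    cert_issuer "$tmp/utm.pem"
fi
```

Run the check against the WebAdmin or user-portal certificate (exported as PEM) after changing the hostname; a "NOT covered" result for the new name is exactly the misalignment the caveat warns about.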