[LetsEncrypt] How To in XG

Hi Guys,

Interested in a little self-written guide for Let's Encrypt on XG?

UTM has LE support for WAF (since UTM 9.6). But on XG you can use LE certificates as well! It seems many people do not know that you simply need a little Linux server and 5-10 minutes of your time every 3 months.

If you are interested in this topic, just leave a comment and I will write this guide for you. I would replace this thread, so stay tuned and comment to get the alert :)

*Update* 

Some facts. 

First of all, I want to share the "how it works" page of LE: https://letsencrypt.org/how-it-works/

My Setup. 

Internet - XG - Ubuntu 18.04 LTS

Ubuntu has "certbot" installed. Feel free to use other LE modules. 

https://certbot.eff.org/

https://certbot.eff.org/lets-encrypt/ubuntubionic-apache

Simply follow the guide for your OS. I rely fully on those tools for the renewal process. (For me, certbot seems very easy to handle.)

Next step: I am choosing the HTTP-01 method for LE, so I need a DNAT from LE to my Ubuntu.

PS: You can try to figure out the DNS names / IPs used by LE and restrict this DNAT to them, or simply activate this firewall rule only when renewing the certificate. But most likely you will not get those...

https://community.letsencrypt.org/t/can-i-get-list-ip-from-letsencrypt/57117

PS2: You could switch to DNS validation, as explained in this community thread.

The next step would be to check your domain. Your DNS should point to your WAN IP; otherwise this process will not work.

So perform a dig / nslookup of your domain. It should point to your WAN IP, so your DNAT will work and the HTTP packets are forwarded to certbot.

PS: I did not test this process with Sophos dynamic DNS. Feel free to try it! Most likely it will work.

https://community.sophos.com/kb/en-us/123126

Let's start certbot and try it.

(I have to point you to your section of the certbot guide.)

My renewal process is straightforward:

(Be careful with this process. LE blocks you for some time after a couple of "failed" requests. So check everything!)

So in the end you will get 4 files:

Public, Chain, Fullchain and Privatkey certificates.

 

You will use the Public and Privatkey certificates.

There are a couple of "ways" to upload this to XG.

 

The first LE cert can simply be uploaded.

You should use the Public.pem as "Certificate" and the Privatkey as "Private key".

PS: you have to rename Privatkey.pem to Privatkey.key, otherwise XG will not accept this certificate.

 

Optionally you can upload the other Chain and Fullchain certificates under Certificate Authorities (without private key).

 

Now you can use this certificate for WAF/Webadmin etc.

 

For renewal (every 90 days), you have to choose a process.

You can simply upload the new LE certificate under another name and replace it in WAF/Webadmin.

Or you can "update" the current LE certificate with the new public.pem / privat.key. But for this method you have to switch to a fallback certificate in WAF/Webadmin first, because XG cannot update a certificate which is currently in use.

After all, those steps are a manual process every 90 days.

You can "script" this if you want to, so basically upload the certificate to XG every 90 days.

https://community.sophos.com/kb/en-us/132560

Other members of the community have already written scripts for this.

https://community.sophos.com/products/xg-firewall/f/sophos-xg-firewall-general-discussion/102208/upload-certificate-using-api

 

The point is, I will not share script examples in this community, mostly because I cannot support them.

If you want to script this, this community can help you if you are struggling at some point!

So simply open a new thread with your API issue and we will try to find a solution.

  • In reply to LuCar Toni:

    LuCar Toni

    It should be WAN to WAN XG IP. Service HTTP. And should forward this traffic to Ubuntu.

     

     

    Okay so:

    Source: Zone - WAN Any

    Destination: Port # for WAN -HTTP

    Forward to: Ubuntu VM IP, Port # ?? Protected zone ??

    Which port number and protected zone do I choose?

    How about routing? Leave it unchecked?

     

    Thanks a million, I feel like I'm almost there...

    KM

  • In reply to Sleepy_admin:

    Port should be the port where the Ubuntu VM is based on.

    Zone is the zone where the Ubuntu VM is based on.

     

    https://community.sophos.com/kb/en-us/122976

    This KBA should help. 

  • In reply to LuCar Toni:

    I'm sorry to be asking so many questions.

    How do I tell which port the Ubuntu VM is based on?

    Would it be possible to connect with you sometime and help me figure out the problem?

  • In reply to Sleepy_admin:

    Do you use your own Ubuntu VM?

    This VM should have an IP Address, most likely based behind XG? 

     

    The case is quite easy. You have to NAT the connection from LE to your certbot (running on Linux).

    https://letsencrypt.org/how-it-works/

     

    So basically the easiest way is to DNAT the traffic coming from WAN to the XG WAN interface to this Linux client.

    Only if XG is the gateway of your Ubuntu client.

  • In reply to LuCar Toni:

    I tried too many times and I think I have to wait a week to try again. Each time I get the same error message like you saw in the attached screenshot before. I'll wait a week and then try again. Thanks for helping so far.

  • In reply to LuCar Toni:

    I talked with Sophos today and I think that I'm not using certbot properly.

    Can you make a sample of the steps that you use with certbot? Or perhaps a screenshot of the process you use in certbot?

  • In reply to Sleepy_admin:

    I only use certbot with

    $ sudo certbot --apache

     

    Like mentioned in this Guide. 

    https://certbot.eff.org/lets-encrypt/ubuntubionic-apache.html

     

    Renewal is done by a script based on this command in cron. 

    $ sudo certbot renew --dry-run

    I guess you have something like an Apache already running? But to be honest, I cannot debug certbot, I have no clue about the inner workings.
    (One of the reasons I do not publish any scripts here. Most likely they won't work on your setup.)


  • In reply to LuCar Toni:

    I don't have an Apache server running. I only have an Ubuntu VM and the Sophos XG210. Is there any way to make it work just with this?

  • In reply to Sleepy_admin:

    You could simply install Apache on your Ubuntu server.

    You do not need to configure anything on Apache, it will be self-configured by certbot (I guess?).

    https://www.digitalocean.com/community/tutorials/how-to-install-the-apache-web-server-on-ubuntu-18-04-quickstart

     

  • Great information, but it's really something that should be integrated into XG.

    Here's the link to the feature request. Over 400 votes and counting.

    Let's Encrypt Feature Request

  • In reply to Arie:

    I am aware of this, but I want to share a simple solution.

  • In reply to LuCar Toni:

    I appreciate your post here but not sure I’d say this is a simple or sensible solution for a couple of reasons.

    There are probably two main ones, but the first one is that you have to take your websites offline within 90 days to update the certificates. While you're doing that, the sites are going to display what? The default "I've just installed Apache" page unless you change it. Or are you mirroring all the WAF rules in Apache configuration to reverse proxy the sites while doing this, or redirecting them to the real server? Do you add in mod_security to try and keep the sites secure from attacks while you do this, or do you publish them without?

    Whichever of these options you're likely picking, this isn't likely to fly at a lot of businesses in my experience.

    The other issue is that this is either manual or needs your own integration written. That’s a lot of effort compared to Sophos UTM where it’s pretty much fire and forget, doesn’t involve taking your sites offline either.

    So obviously until there’s an official solution if you wish to use XG and Letsencrypt you don’t have much choice but this is a very poor bandaid to something that should get built in natively.

  • In reply to FastLaneJB:

    I am only hosting a certbot light version with Apache right now. At the moment, I do not have any interruption in the renewal process (besides the WAF restart in XG because I am changing the WAF rule).

    Let's Encrypt can use only HTTP to verify the certificate. And it does not need any content on the page. You can read more about this process on the Let's Encrypt page and/or certbot.

    Do not forget, UTM got this last year (UTM 9.6). Before that, every "LE integration" was a simple workaround by the community.

     

    What I am doing is:

    Enabling a DNAT rule from the Let's Encrypt IPs, port 80, to my Ubuntu server.

    Starting certbot to renew the certificate.

    Uploading the new certificate to XG.

    Disabling the DNAT.

    Replacing the certificate in the WAF (OWA etc.) rule and in the Webadmin with the new one.

     


    I am simply pointing out a little workaround for the community. Also I am aware that this is not quite a rock-solid solution for a business case. I never told anybody this is an "official" solution.

    Simply pointing out that there is a way to work with this in the current product, if you want to.

     
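The renewal loop laid out in the original post (DNS check, DNAT on, certbot, rename privkey.pem to a .key file, upload, DNAT off) and repeated in LuCar Toni's five steps above, as an added shell example; it is not code from the thread, from Sophos or from the certbot project. It assumes certbot's default layout /etc/letsencrypt/live/<domain>/ with cert.pem, chain.pem, fullchain.pem and privkey.pem, that dig and openssl are installed on the Ubuntu box, and that the XG upload and the DNAT toggle are still done by hand in the XG GUI (or by your own API script). The domain, WAN IP and output directory are placeholders you pass in. Note that certbot's --dry-run only tests the renewal against the staging CA and issues nothing, so the real renewal is plain certbot renew.

```shell
#!/bin/sh
# Added example (not from the thread): stage a certbot renewal for upload to XG.
# Assumptions: certbot live-directory layout, dig and openssl available.

# Copy one file after checking it exists and contains the expected PEM block type,
# so a key accidentally uploaded as a certificate (or vice versa) is caught here.
_stage_one() {
    src="$1"; dst="$2"; pem_type="$3"
    [ -r "$src" ] || { echo "missing: $src" >&2; return 1; }
    grep -q "BEGIN .*$pem_type" "$src" || { echo "not a $pem_type PEM: $src" >&2; return 1; }
    cp -L "$src" "$dst"    # -L: certbot's live/ files are symlinks into archive/
}

# Map certbot's file names to the names used in the post. XG wants the private key
# with a .key extension, hence privkey.pem -> Privatkey.key. Returns 1 on any problem.
# Usage: stage_xg_bundle /etc/letsencrypt/live/example.com /root/xg-upload
stage_xg_bundle() {
    live_dir="$1"; out_dir="$2"
    mkdir -p "$out_dir" || return 1
    _stage_one "$live_dir/cert.pem"      "$out_dir/Public.pem"    "CERTIFICATE" || return 1
    _stage_one "$live_dir/chain.pem"     "$out_dir/Chain.pem"     "CERTIFICATE" || return 1
    _stage_one "$live_dir/fullchain.pem" "$out_dir/Fullchain.pem" "CERTIFICATE" || return 1
    _stage_one "$live_dir/privkey.pem"   "$out_dir/Privatkey.key" "PRIVATE KEY" || return 1
    chmod 600 "$out_dir/Privatkey.key"   # the staged key is as sensitive as the live one
}

# Guard against uploading a key that does not belong to the certificate: the public
# key embedded in the cert must equal the public key derived from the private key.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# True if the certificate expires within 30 days (certbot's own renewal threshold);
# LE certificates are valid for 90 days, so this fires roughly every 60 days.
needs_renewal() {
    ! openssl x509 -in "$1" -noout -checkend $((30 * 86400)) >/dev/null
}

# HTTP-01 precheck: the name must resolve to the WAN IP the DNAT listens on, otherwise
# LE's validation request never reaches certbot and the failure counts against the rate limits.
dns_points_to_wan() {
    dig +short "$1" A | grep -qxF "$2"
}

# One renewal cycle. Enabling/disabling the DNAT rule stays manual in XG, as in the post.
# Usage: renew_cycle example.com 203.0.113.10 /root/xg-upload   (placeholder values)
renew_cycle() {
    domain="$1"; wan_ip="$2"; out_dir="$3"
    live="/etc/letsencrypt/live/$domain"
    dns_points_to_wan "$domain" "$wan_ip" \
        || { echo "DNS for $domain does not point to $wan_ip; fix that before contacting LE" >&2; return 1; }
    needs_renewal "$live/cert.pem" || { echo "cert still valid for >30 days, nothing to do"; return 0; }
    echo "Enable the DNAT rule (WAN:80 -> this host) in XG now, then press Enter"; read -r _
    sudo certbot renew || return 1
    stage_xg_bundle "$live" "$out_dir" || return 1
    key_matches_cert "$out_dir/Public.pem" "$out_dir/Privatkey.key" \
        || { echo "key/cert mismatch in $out_dir, do not upload" >&2; return 1; }
    echo "Upload $out_dir/Public.pem as Certificate and Privatkey.key as Private key in XG,"
    echo "then disable the DNAT rule and swap the certificate in the WAF/Webadmin rules."
}
```

The staging step is the part worth keeping even if you later automate the upload through the XG API: it refuses to produce a bundle whose files are of the wrong PEM type or whose key does not match the certificate, which is exactly the error that a manual 90-day routine is most likely to make.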

  • In reply to LuCar Toni:

    You can generate LE certs completely online BTW, skipping the entire Ubuntu setup process...

     

    https://zerossl.com/free-ssl/#crt

     

    Just need to provide DNS auth, which you should have anyway if even looking at this option.