[LetsEncrypt] How To in XG

Hi guys,

interested in a little self-written guide for Let's Encrypt on XG?

UTM has had LE support for the WAF since UTM 9.6. But on XG you can use LE certificates as well! Many people seem not to know that all you need is a small Linux server and 5-10 minutes of your time every 3 months (an LE certificate is valid for 90 days).

If you are interested in this topic, just leave a comment and I will write this guide for you. I would replace this thread, so stay tuned and comment to get the alert :)

 

 

*Update* 

Some facts.

First of all, I want to share the "how it works" page of LE: https://letsencrypt.org/how-it-works/

 

 

My setup:

Internet - XG - Ubuntu 18.04 LTS

Ubuntu has certbot installed. Feel free to use another ACME client.

https://certbot.eff.org/

https://certbot.eff.org/lets-encrypt/ubuntubionic-apache

Follow the guide for your OS. I am relying fully on certbot for the renewal process (to me, certbot seems very easy to handle).

 

Next step: I am choosing the HTTP-01 method for LE, so I need a DNAT for LE to my Ubuntu. HTTP-01 means Let's Encrypt connects to your domain on TCP port 80, so the XG needs a DNAT (plus a matching firewall rule) that forwards TCP/80 from the WAN to the Ubuntu box while the challenge runs.

PS: You could try to find out which source IPs LE validates from and restrict the DNAT to those, or simply enable the firewall rule only while renewing the certificate. But LE validates from several vantage points and does not publish a list, so most likely you will not get those...

https://community.letsencrypt.org/t/can-i-get-list-ip-from-letsencrypt/57117

PS2: You could switch to DNS-01 validation instead, as explained in this community thread. It needs no inbound port at all, but it does need a way to create the TXT record (usually API access to your DNS provider).

 

 

The next step is to check your domain. Your DNS must point to your WAN IP, otherwise this process will not work.

So perform a dig / nslookup of your domain. It should return your WAN IP, so that the DNAT works and the HTTP packets are forwarded to certbot.

PS: I did not test this process with Sophos dynamic DNS. Feel free to try it! Most likely it will work.

https://community.sophos.com/kb/en-us/123126

 

 

Let's start certbot and try it.

(I have to point you to the certbot instructions for your OS.)

My renewal process is straightforward:

 

(Be careful with this process. LE rate-limits you for a while after several failed validations (five per account, per hostname, per hour), so check everything first! certbot's --dry-run exercises the same flow against the LE staging environment, which does not count against the production limits.)
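A pre-flight script for the two checks above (DNS really pointing at the WAN IP, then a staging dry run before the production rate limits are at stake). This is an added example and not part of the original guide: it assumes dig (package dnsutils) and certbot are installed on the Ubuntu box behind the DNAT, uses certbot's standalone plugin (use --apache instead if Apache already serves port 80 there), and DOMAIN, WAN_IP and the 1.1.1.1 resolver are placeholders to replace.

```shell
#!/bin/sh
# Pre-flight for HTTP-01 on the DNAT'd Ubuntu host (added example, not the
# guide's own script). Assumes dig + certbot; DOMAIN/WAN_IP are placeholders.
DOMAIN="${DOMAIN:-www.example.com}"
WAN_IP="${WAN_IP:-203.0.113.10}"

# Reads resolver output from stdin, one record per line as `dig +short` prints
# it, and succeeds only if every A record equals the expected WAN IP.
# CNAME targets are skipped; zero A records counts as a failure, since LE
# would then have nothing to connect to.
a_records_match() {
  expected=$1
  seen=0
  bad=0
  while IFS= read -r rec; do
    case $rec in
      *[!0-9.]*|'') continue ;;   # not a dotted-quad: CNAME target or blank
    esac
    seen=$((seen + 1))
    [ "$rec" = "$expected" ] || bad=$((bad + 1))
  done
  [ "$seen" -gt 0 ] && [ "$bad" -eq 0 ]
}

# Ask a public resolver, so a split-horizon entry on the LAN cannot hide a
# stale or missing public record (the resolver address is an assumption).
resolve_public() {
  dig +short A "$1" @1.1.1.1
}

# Same HTTP-01 flow, but against the LE staging environment: a failure here
# does not burn the production "failed validation" rate limit.
dry_run() {
  certbot certonly --standalone --dry-run -d "$1"
}

if [ "${1:-}" = "run" ]; then
  if resolve_public "$DOMAIN" | a_records_match "$WAN_IP"; then
    echo "$DOMAIN resolves to $WAN_IP; running staging dry run"
    dry_run "$DOMAIN" && echo "dry run OK; now run certbot again without --dry-run"
  else
    echo "$DOMAIN does not resolve (only) to $WAN_IP; fix DNS before calling certbot" >&2
    exit 1
  fi
fi
```

Invoke it as `sh preflight.sh run` on the Ubuntu box while the TCP/80 DNAT rule is enabled; the script only defines functions unless that argument is given, so it can be sourced and the check reused from a renewal job.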

 

 

So in the end you get 4 files:

public certificate, chain, fullchain and private key. certbot stores them as cert.pem, chain.pem, fullchain.pem and privkey.pem under /etc/letsencrypt/live/<your domain>/.

 

You will use the public certificate (cert.pem) and the private key (privkey.pem).

There are a couple of ways to upload them to XG.

 

The first LE cert can simply be uploaded.

Use cert.pem (the public certificate) in "Certificate" and the private key in "Private key".

PS: you have to rename privkey.pem to privkey.key, otherwise XG will not accept the certificate.

 

Optionally you can upload chain.pem under Certificate Authorities (without a private key). chain.pem holds the issuing intermediate CA, which is what that section expects; fullchain.pem is the same intermediate with your own certificate in front of it, so it is the one to use where a server wants leaf and chain in a single file.

 

Now you can use this certificate for WAF/Webadmin etc.

 

At renewal time (every 90 days) you have to choose a process.

You can simply upload the new LE certificate under another name and then select it in WAF/Webadmin.

Or you can "update" the current LE certificate with the new cert.pem / privkey.key. For this method you have to switch WAF/Webadmin to a fallback certificate first, because XG cannot update a certificate that is currently in use.
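The file handling above (pick cert.pem and privkey.pem, rename the key to .key, keep chain.pem for the Certificate Authorities section, make sure the key really belongs to the certificate) as a certbot deploy hook. This is an added example, not the author's script: it assumes certbot's /etc/letsencrypt/live/<domain>/ layout and the RENEWED_LINEAGE variable certbot exports to --deploy-hook scripts; STAGE_DIR is a placeholder. The upload to XG itself remains the manual step described above.

```shell
#!/bin/sh
# certbot deploy hook that stages renewed files for the XG upload (added
# example, not from the guide). Assumes certbot's live/<domain>/ layout and
# the RENEWED_LINEAGE variable; STAGE_DIR is a placeholder of this example.
STAGE_DIR="${STAGE_DIR:-/var/lib/xg-cert}"

# Classify a PEM file by its first line: prints "cert", "key" or "unknown".
pem_kind() {
  [ -r "$1" ] || return 1
  IFS= read -r first < "$1" || return 1
  case $first in
    '-----BEGIN CERTIFICATE-----') echo cert ;;
    '-----BEGIN PRIVATE KEY-----'|'-----BEGIN RSA PRIVATE KEY-----'|'-----BEGIN EC PRIVATE KEY-----') echo key ;;
    *) echo unknown ;;
  esac
}

# Copy the four certbot files into <out>, renaming privkey.pem to privkey.key
# because XG rejects a key with a .pem name. Refuses to stage anything if a
# file is missing or is not the kind of PEM its name promises, so an empty or
# swapped file never reaches the firewall.
stage_for_xg() {
  lineage=$1 out=$2
  for f in cert.pem chain.pem fullchain.pem; do
    [ "$(pem_kind "$lineage/$f" 2>/dev/null)" = cert ] || { echo "bad or missing $lineage/$f" >&2; return 1; }
  done
  [ "$(pem_kind "$lineage/privkey.pem" 2>/dev/null)" = key ] || { echo "bad or missing $lineage/privkey.pem" >&2; return 1; }
  mkdir -p "$out" && chmod 700 "$out" || return 1
  cp "$lineage/cert.pem" "$out/cert.pem" || return 1            # goes in "Certificate"
  cp "$lineage/chain.pem" "$out/chain.pem" || return 1          # intermediate CA, for "Certificate Authorities"
  cp "$lineage/fullchain.pem" "$out/fullchain.pem" || return 1  # leaf + intermediate, for servers that want one file
  cp "$lineage/privkey.pem" "$out/privkey.key" || return 1      # goes in "Private key"
  chmod 600 "$out/privkey.key"
}

# Prove the staged key belongs to the staged certificate before anybody
# uploads the pair: derive the public key from each side and compare.
key_matches_cert() {
  c=$(openssl x509 -noout -pubkey -in "$1") || return 1
  k=$(openssl pkey -pubout -in "$2") || return 1
  [ "$c" = "$k" ]
}

# certbot only sets RENEWED_LINEAGE when it actually renewed something.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  stage_for_xg "$RENEWED_LINEAGE" "$STAGE_DIR" || exit 1
  key_matches_cert "$STAGE_DIR/cert.pem" "$STAGE_DIR/privkey.key" || { echo "key/cert mismatch in $STAGE_DIR" >&2; exit 1; }
  openssl x509 -noout -enddate -in "$STAGE_DIR/cert.pem"
  echo "staged in $STAGE_DIR: upload cert.pem + privkey.key under a new name, or switch to a fallback cert and update the existing one"
fi
```

Run it as `certbot renew --deploy-hook /usr/local/bin/stage-for-xg.sh`, or place it in /etc/letsencrypt/renewal-hooks/deploy/ so every successful renewal leaves a verified cert.pem/privkey.key pair ready for the XG upload.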

 

 

 

 

After all, those steps are a manual process every 90 days.

You can script this if you want to, i.e. upload the certificate to XG every 90 days via the API.

https://community.sophos.com/kb/en-us/132560

Other members of the community have already written scripts for this.

https://community.sophos.com/products/xg-firewall/f/sophos-xg-firewall-general-discussion/102208/upload-certificate-using-api

The point is, I will not share script examples in this community, mostly because I cannot support them.

If you want to script this, this community can help you in case you are struggling with a point!

So simply open a new thread with your issue with the API, and we will try to find a solution.

  • I am looking at trying this out

     

    https://github.com/mmccarn/sophos

     

    It's similar to the above, but you can script it if you have a Linux box (they mention Ubuntu Server in the readme).

    Hope this helps.  (:

     

     

  • In reply to LucianoRodriguez:

    This would be really useful, I also create a new cert every 3 months and upload it to the XG

  • In reply to Badrobot:

    As from the 1st Sep 2020 Apple are introducing a new time limit on CAs of 369 days, from memory.

    The question is how to update the XG CA every 368 days, I don't think regenerate achieves the aim?

    Ian

  • In reply to rfcat_vk:

    Let's Encrypt certificates are only valid for 3 months.

  • In reply to LuCar Toni:

     

    It's great to see this write-up, but I'm baffled that Let's Encrypt has been fully supported for almost a year (in the GUI) in the UTM but not in XG - arguably Sophos' flagship product.

    UTM: 6-step process in the GUI

    XG: You're on your own essentially installing a kludge via CLI and a supporting Linux server. Not exactly something I would dare propose to a client or a Network Engineering team.

    Is Sophos considering officially supporting this in XG?

    To illustrate the difference, here's how easy it is on the UTM: