Sophos Factory: Upload LetsEncrypt Certificates on SFOS via Factory

Sophos Factory offers pre-built pipelines to upload and manage certificates on a Sophos Firewall.
For example, you can upload and use certificates such as Let's Encrypt certificates in SFOS with those pipelines.

If you have already generated a certificate as described here:  [HowTo] Lets Encrypt Renewal Process with Factory 

You can simply use those certificates with the predefined pipelines. You find them in the global catalog:

This pipeline requires the following inputs:

These can be produced by a preceding pipeline, such as this one:  [HowTo] Lets Encrypt Renewal Process with Factory 

In combination: 

This will upload the certificate to the firewall. 
To integrate the firewall, follow: Sophos Factory: Integrate Sophos Factory with Sophos Firewall  

This is the editor code for the whole pipeline:

---
variables:
  - type: String
    name: Domain
    key: domain
    required: true
    visible: true
    default: false
    description: Domain to Generate and Upload
  - type: String
    name: hostname
    key: hostname
    required: true
    visible: true
    default: false
steps:
  # Step 1: run the Lego renewal pipeline (see the linked HowTo) for vars.domain.
  - id: p1
    name: Lego Certificate Renewal
    type: pipeline
    depends: []
    properties:
      pipeline_id: 6479fd20949984ba31087e65
      pipeline_revision_id: latest
      variables:
        credential: Saleseng
        domains: '{|vars.domain|}'
        email: admin@saleseng.de
        url: 'https://github.com/go-acme/lego/releases/download/v4.10.0/lego_v4.10.0_linux_386.tar.gz'
        provider: route53
        resolvers: 8.8.8.8
        tos: true
  # Step 2: upload the renewed certificate and key from the runner's .lego directory
  # to the firewall; the certificate object is named <domain><run date>.
  - id: p2
    name: '[TEST] Upload Certificate'
    type: pipeline
    depends:
      - p1
    properties:
      pipeline_id: 6526c138429a74127ab653d1
      pipeline_revision_id: 652706774512ac34f47a4896
      variables:
        credential: FirewallCreds
        hostname: '{|vars.hostname|}'
        port: '4444'
        name: '{|vars.domain + date_format(''yyyy-MM-dd'') |}'
        directory: '{|env.RUN_PATH + "/.lego/certificates"|}'
        certificate: '{|vars.domain + ".pem"|}'
        key: '{|vars.domain + ".key"|}'
outputs: []
layout:
  elements:
    - id: p1
      position:
        x: -85
        'y': -180
      links: []
    - id: p2
      position:
        x: -85
        'y': -95
      links:
        - sourceId: p1
          sourcePort: bottom
          targetPort: top
          vertices: []
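As an added illustration (not part of the original post and not Factory's own code), the following Python resolves the step p2 variables from the editor code above for a constructed sample run context, so you can see exactly what the upload step receives. It assumes that Factory's `{| ... |}` expressions behave as the page uses them (string literals, `vars.`/`env.` lookups, `date_format(pattern)` on the run date, `+` concatenation); the evaluator is an approximation written for this page.

```python
import re
from datetime import date
# Constructed sample run context standing in for what Factory supplies (assumption).
SAMPLE_VARS = {"domain": "example.com", "hostname": "fw.example.com"}
SAMPLE_ENV = {"RUN_PATH": "/runner/work/run-1234"}
# Variables of step p2 copied from the editor code above, with the YAML quoting resolved.
P2_VARIABLES = {
    "hostname": "{|vars.hostname|}",
    "port": "4444",
    "name": "{|vars.domain + date_format('yyyy-MM-dd') |}",
    "directory": '{|env.RUN_PATH + "/.lego/certificates"|}',
    "certificate": '{|vars.domain + ".pem"|}',
    "key": '{|vars.domain + ".key"|}',
}
_EXPR = re.compile(r"^\{\|(.*)\|\}$", re.S)
# One token: 'literal', "literal", vars.name / env.name, date_format('pattern'), or '+'.
_TOKEN = re.compile(r"""\s*(?:'([^']*)'|"([^"]*)"|(vars|env)\.(\w+)|date_format\('([^']*)'\)|(\+))""")

def evaluate(expr, vars_, env, today):
    """Assumed semantics: string literals, vars./env. lookups, date_format() on the run date, '+'."""
    expr, pos, parts, want_operand = expr.strip(), 0, [], True
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"cannot parse near {expr[pos:]!r}")
        pos, (sq, dq, scope, key, fmt, plus) = m.end(), m.groups()
        if bool(plus) == want_operand:            # operands and '+' must alternate
            raise ValueError(f"unexpected token {expr[m.start():pos].strip()!r}")
        want_operand = bool(plus)
        if plus:
            continue
        if scope:                                 # vars.x / env.x: KeyError if undefined
            value = (vars_ if scope == "vars" else env)[key]
        elif fmt is not None:                     # only the Java pattern letters used on the page
            value = today.strftime(fmt.replace("yyyy", "%Y").replace("MM", "%m").replace("dd", "%d"))
        else:
            value = sq if sq is not None else dq
        parts.append(value)
    if want_operand:
        raise ValueError("expression is empty or ends with '+'")
    return "".join(parts)

def render_step_variables(variables, vars_, env, today):
    """Resolve every {| ... |} value of a step; plain strings pass through unchanged."""
    return {k: evaluate(m.group(1), vars_, env, today) if (m := _EXPR.match(v.strip())) else v
            for k, v in variables.items()}

def render_p2_example():
    # Fixed run date; the firewall-side certificate name becomes domain + date: example.com2024-04-01
    return render_step_variables(P2_VARIABLES, SAMPLE_VARS, SAMPLE_ENV, date(2024, 4, 1))
```

Calling `render_p2_example()` shows that the uploaded certificate object is named with the date appended directly to the domain, so a second run on the same day produces the same name.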

Fully automated Upload: 



Edited TAGs and Title
[edited by: emmosophos at 11:11 PM (GMT -7) on 1 Apr 2024]
  • Which IP / IP ranges does Sophos Factory use? So the integrated cloud hosting?

    Unfortunately, it is no longer possible to configure access to Any via WAN, not even for a short time for testing.

    Sadly, exactly zero is documented here.

  • You can / should use your own runner. This means you can host your own runner in your IP. 

    https://docs.factory.sophos.com/docs/runners/self-hosted-runners/

    Docker for example: https://docs.factory.sophos.com/docs/runners/self-hosted-runners/docker/ 

    __________________________________________________________________________________________________________________

  • too much setup for a few Lets Encrypt certificates...

    then we would have to look for another easier solution, which unfortunately this is not.

  • This solution still works as a wildcard certificate and can be used everywhere else. So it is not a simple "WAF Certificate" like UTM did. Instead you have a wildcard certificate to be used for everything you want (one certificate for everything within the domain). 

    This approach makes it much easier to deploy it on different solutions as well. And you could even upload it to other solutions like servers or solutions with API Access. 

    Factory is an automation tool, perfect for partners or customers to automate certain process. 

    To run Factory only for Let's Encrypt might be a complicated solution, but you could do much more there as well. For example, I am refreshing LE for multiple solutions on a schedule, uploading code to firewalls, etc. 

    __________________________________________________________________________________________________________________

  • Would this be appropriate for a partner to deploy and assign certificates across several hundred clients?  Seems like that would be a challenge.  Not a single wildcard cert but a cert for every company. 

    Sophos Firewall Engineer 16.0, 16.5, 17.0, 17.1, 17.5, 18.0, 18.5, 19.0, 19.5, 20.0
    Sophos Firewall Architect 18.0, 18.5, 19.0, 19.5, 20.0
    Sophos Firewall Technician 18.0, 18.5, 19.0, 19.5, 20.0
    Sophos Central & Endpoint Architect 3.0, 4.0
    Sophos Central Email v2.0
    Sophos Mobile v9.6
    Sophos ZTNA 1.0, 2.0
    Synchronized Security Accredited
    Sophos Gold Partner

  • As you can scale this, you would generate one certificate per customer and "offer the certificate to the customer". Partners are doing this right now. 

    The point here is: the wildcard can be offered directly to the firewall or via multiple approaches. For example, you can upload it to the firewall and send it as an S3 bucket download to the customer via email or Teams, so the customer can reuse it manually if he wants. 

    The customer in the end does one thing (one time config): He creates a CNAME to the partner domain. The rest is automatically generated by lego in this principle. I wrote about this here:  [HowTo] Lets Encrypt Renewal Process with Factory 

    Right now, I am doing this for 20 domains automatically (upload to firewalls and offering via Teams). 

    Factory offers a way to automate this per domain, per customer individually. Which means: you build the pipeline, then recreate the customer variables one time and run this pipeline per customer automatically every 90 days. 

    It is a service offering from the partner for the customer. Some customers do not need a LE certificate, as they have no public facing services anyway. 

    And as this solution is entirely free, you are free to try it and report back about your findings. 

    __________________________________________________________________________________________________________________