
Automatically renew Let's Encrypt SSL certificates on XG using PowerShell

I spent a few hours on this, so maybe my result helps someone in a similar situation. 

In my home lab I'm running a KEMP ADC that publishes all my SSL services. Since KEMP does not support Let's Encrypt out of the box but offers a PowerShell module for their ADCs, I'm using a Windows Tool-Server with a PowerShell script (based on Posh-ACME) to renew two SSL certificates from Let's Encrypt every two months.

Many of our customers, and since last August myself, have replaced their old firewall with a Sophos XG which, as we all know, is also missing built-in support for Let's Encrypt. A little annoying, because it's one of those features that the old product (UTM) offered and the new product (XG) doesn't anymore, but hopefully there will be a time when the proven old stuff is reactivated...

However, most of our customers are running Windows servers and need one or two SSL certificates. Deploying a Linux machine only for this purpose would make a commercial SSL certificate more valuable. And because my approach was PowerShell, I wanted to manage the certificate on the XG using the same script. Got that, finally, and would like to save others a few hours ;-) .

Short overview of my setup:

- Windows Tool-Server (W2k16)
  - PowerShell 7
  - PS module KEMP-ADC
  - PS module Posh-ACME (interacting with Let's Encrypt)
  - scheduled PS scripts to renew and replace 2 SSL certificates on KEMP ADC and one on Sophos XG
    - KEMP ADC: using PS module
    - Sophos XG: using Web API

  - hosting production services
  - redirects ACME traffic to Tool-Server

I'm not really used to API calling and learned a lot from other, mostly unresolved discussions here. Especially with help from this discussion I finally found a solution: Sophos XG API Powershell Module - sophosxg-api - Discussions - XG Firewall - Sophos Community

After all, I recommend the following:

- use PowerShell 7 on the Tool-Server; this makes life much easier (web-request syntax, skipping SSL validation)

- use a local account on XG (least privileges...); AD accounts do not work

- if you're able to request and renew certificates using the script, import your SSL certificate on XG using the web GUI, give it an easy, speaking name (e.g. URL_LE) and assign it where needed

- adjust the following script snippet regarding your PFX file/password, user/password and your certificate name; it's supposed to replace an existing certificate

# replace certificate on Sophos XG (PowerShell 7; fill in the ***...*** placeholders)

$PFXfileProd = "C:\temp\fullchain.pfx"
$request = "<Request><Login><Username>***USERNAME***</Username><Password>***PASSWORD***</Password></Login><Set operation=`"update`"><Certificate><Action>UploadCertificate</Action><Name>***CERTIFICATE_NAME***</Name><CertificateFormat>pkcs12</CertificateFormat><CertificateFile>***CERTIFICATE.PFX***</CertificateFile><Password>***CERTIFICATE-PASSWORD***</Password></Certificate></Set></Request>"
$uri = "https://XG-URL:4444/.../APIController"   # API controller path elided in the original post; see the Sophos API guide for your firmware
$Form = @{
    reqxml = $request
    $((Get-Item $PFXfileProd).BaseName) = Get-Item -Path $PFXfileProd   # multipart file part, named after the PFX file
}
# -SkipCertificateCheck disables TLS validation of the XG admin certificate (needed while it is still self-signed)
$Result = Invoke-RestMethod -Uri $uri -Method Post -Form $Form -SkipCertificateCheck

Good luck!

  • Nice script. You can spice it up.

    Instead of those values in your script, use variables.

    What I am doing: I upload the certificate as "Lets Encrypt + currentdate". So I read the current system date, add this to the phrase "Lets Encrypt" and upload it to the XG.

    Therefore you do not have to change this every two months, because XG will not allow replacing an existing "in use" certificate.

    Another step forward: you can start to replace this certificate everywhere you need it:

    Webadmin? User Portal? WAF?

    WAF is more complicated, as you need to figure out where the cert is used.

    But Webadmin is quite simple.


  • I thought variables in just a part of the whole script would be useless.

    Most of our customers use the SSL certificate just for webadmin/user portal and SSL VPN. According to my tests, this can be replaced when in use (which of course was the goal of the whole thing). From what I read, this is not working when the certificate is bound to WAF.

    Maybe good to know: LE provides a staging CA where you can fire as many requests as your script needs until it's working. I implemented a switch in my script to be able to change between staging and prod for testing.

    What I didn't test until now: OpenVPN profiles seem to contain this certificate, and when I replaced the existing SSL certificate (Sectigo) with LE I was not able to connect anymore until downloading and importing the new user profile. If this happens every 3 months because of a new LE certificate it's not really what I was looking for.
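The following script is an added example and not the original poster's script or anything from Sophos or Posh-ACME. It puts the upload snippet from the first post together with the staging/prod switch mentioned in the last reply: Posh-ACME renews the order (`Set-PAServer LE_STAGE` or `LE_PROD`, then `Submit-Renewal`), the request XML is assembled from parameters with every value XML-escaped so a password or certificate name containing `&` or `<` cannot break the request, the PFX goes up as a multipart file part exactly as in the post, and the XG's answer is checked so a failed login or rejected upload makes the scheduled task fail instead of silently "succeeding". Assumptions that are not stated in the thread: the Posh-ACME order for the domain was created once with `New-PACertificate` on the same ACME server the script selects; the endpoint path of the API controller (the post elides it) is the one in the Sophos API guide for your firmware, shown here as an example value; the XG answers with `<Login><status>Authentication Successful</status></Login>` and `<Certificate><Status code="200">…</Status></Certificate>` on success. TLS validation of the admin port is only skipped when `-TrustAnyCert` is given, which should be needed just for the very first run while the admin certificate is still self-signed; once the XG serves the Let's Encrypt certificate, normal validation works and the script no longer talks to whatever answers on port 4444.

```powershell
#Requires -Version 7.0
<#
  Added example (not the original poster's script): renew a Let's Encrypt certificate with
  Posh-ACME and upload the resulting PFX to a Sophos XG over its XML API.
  Assumptions not taken from the thread (verify for your environment):
    - the Posh-ACME order for $Domain already exists on the selected ACME server (LE_PROD/LE_STAGE);
    - $XgApiUri is the firewall's API endpoint on port 4444, path per the Sophos API guide for
      your firmware, e.g. https://xg.example.internal:4444/webconsole/APIController;
    - the XG replies with <Login><status>Authentication Successful</status></Login> and
      <Certificate><Status code="200">...</Status></Certificate> when the upload is accepted.
#>
param(
    [Parameter(Mandatory)] [string]       $Domain,        # main domain of the Posh-ACME order
    [Parameter(Mandatory)] [string]       $XgApiUri,
    [Parameter(Mandatory)] [pscredential] $XgCredential,  # local XG admin (thread: AD accounts do not work)
    [Parameter(Mandatory)] [string]       $CertName,      # name of the certificate object on the XG
    [switch] $DatedName,     # upload as "<CertName>_<yyyyMMdd>" instead of overwriting (first reply's approach)
    [switch] $Staging,       # use LE_STAGE while testing; staging chains are not publicly trusted
    [switch] $Force,         # renew even if the order is not yet due
    [switch] $TrustAnyCert   # skip TLS validation of the XG admin certificate (first run only)
)
$ErrorActionPreference = 'Stop'

function ConvertTo-XmlText([string] $Value) {
    # Escape &, <, >, " and ' so a password or name cannot break out of its XML element.
    [System.Security.SecurityElement]::Escape($Value)
}

function New-XgCertificateUploadXml {
    param([pscredential] $Credential, [string] $Name, [string] $PfxFileName, [string] $PfxPassword)
    $user = ConvertTo-XmlText $Credential.UserName
    $pass = ConvertTo-XmlText $Credential.GetNetworkCredential().Password
    # Same entity and action as in the original post, built from variables instead of edited literals.
    "<Request><Login><Username>$user</Username><Password>$pass</Password></Login>" +
    "<Set operation=`"update`"><Certificate><Action>UploadCertificate</Action>" +
    "<Name>$(ConvertTo-XmlText $Name)</Name><CertificateFormat>pkcs12</CertificateFormat>" +
    "<CertificateFile>$(ConvertTo-XmlText $PfxFileName)</CertificateFile>" +
    "<Password>$(ConvertTo-XmlText $PfxPassword)</Password></Certificate></Set></Request>"
}

function Send-XgCertificate {
    param([string] $ApiUri, [pscredential] $Credential, [string] $Name, [string] $PfxPath,
          [string] $PfxPassword, [switch] $SkipCertificateCheck)
    $pfx  = Get-Item -LiteralPath $PfxPath
    $form = @{ reqxml = (New-XgCertificateUploadXml -Credential $Credential -Name $Name `
                                                    -PfxFileName $pfx.Name -PfxPassword $PfxPassword) }
    $form[$pfx.BaseName] = $pfx   # multipart file part, named like in the original post
    $response = Invoke-WebRequest -Uri $ApiUri -Method Post -Form $form -SkipCertificateCheck:$SkipCertificateCheck
    $xml = [xml] $response.Content

    # Assumed response shape (see header). Both checks throw so a scheduled run fails visibly.
    $login = $xml.Response.Login.status
    if ($login -ne 'Authentication Successful') { throw "XG login failed: $login" }
    $status = $xml.Response.Certificate.Status
    if ($status.code -ne '200') { throw "XG rejected certificate '$Name': $($status.code) $($status.'#text')" }
    return $status.'#text'
}

# --- Let's Encrypt part (Posh-ACME) ---
Import-Module Posh-ACME
Set-PAServer $(if ($Staging) { 'LE_STAGE' } else { 'LE_PROD' })
$cert = Submit-Renewal -MainDomain $Domain -Force:$Force   # returns nothing when the order is not due yet
if (-not $cert) {
    Write-Host "Certificate for $Domain is not due for renewal; nothing uploaded."
    exit 0
}
# Posh-ACME 4 exposes PfxPass as a SecureString, older versions as a plain string; handle both.
$pfxPass = $cert.PfxPass
if ($pfxPass -is [securestring]) { $pfxPass = [pscredential]::new('pfx', $pfxPass).GetNetworkCredential().Password }

# --- Sophos XG part ---
if ($DatedName) { $CertName = '{0}_{1:yyyyMMdd}' -f $CertName, (Get-Date) }   # references on the XG must then be repointed
$msg = Send-XgCertificate -ApiUri $XgApiUri -Credential $XgCredential -Name $CertName `
                          -PfxPath $cert.PfxFullChain -PfxPassword $pfxPass -SkipCertificateCheck:$TrustAnyCert
Write-Host "Uploaded $($cert.PfxFullChain) as '$CertName' (valid until $($cert.NotAfter)): $msg"
```

Run it from the scheduled task as e.g. `.\Update-XgCertificate.ps1 -Domain vpn.example.com -XgApiUri https://xg.example.internal:4444/webconsole/APIController -XgCredential (Get-Credential) -CertName URL_LE`, with `-Staging -Force` while testing against the Let's Encrypt staging CA and `-TrustAnyCert` only until the XG serves a validly chained certificate on port 4444. Whether the XG lets you overwrite a certificate that is in use depends on where it is assigned (the two replies report different results for WebAdmin/User Portal/SSL VPN versus WAF); `-DatedName` follows the first reply's workaround but leaves repointing the references to you.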