I spent a few hours on this, so maybe my result helps someone in a similar situation.
In my home-lab I'm running a KEMP ADC that publishes all my SSL services. Since KEMP does not support Let's Encrypt out of the box but offers a PowerShell module for their ADCs, I'm using a Windows tool-server with a PowerShell script (based on Posh-ACME) to renew two SSL certificates from Let's Encrypt every two months.
Many of our customers, and since last August myself, have replaced their old firewall with a Sophos XG which is, as we all know, also missing built-in support for Let's Encrypt. A little annoying, because it's one of those features that the old product (UTM) offered and the new product (XG) doesn't anymore, but hopefully there will be a time when the proven old stuff will be reactivated...
However, most of our customers are running Windows servers and need one or two SSL certificates. Deploying a Linux machine only for this purpose will make a commercial SSL certificate more valuable. And because my approach was PowerShell, I wanted to manage the certificate on the XG using the same script. Got that, finally, and would like to save others a few hours ;-) .
Short overview of my setup:
- Windows Tool-Server (W2k16)
- PowerShell 7
- PS-Module KEMP-ADC (support.kemptechnologies.com/.../200141477)
- PS-Module Posh-ACME (interacting with Let's Encrypt) (github.com/.../Posh-ACME)
- scheduled PS scripts to renew and replace 2 SSL certificates on KEMP ADC and one on Sophos XG
  - KEMP ADC: using PS module
  - Sophos XG: using Web API
- KEMP ADC
  - hosting production services
  - redirects ACME traffic to the tool-server
I'm not really used to API calling and learned a lot from other, mostly unresolved discussions here. Especially with help from this discussion I finally found a solution: Sophos XG API Powershell Module - sophosxg-api - Discussions - XG Firewall - Sophos Community
After all I recommend the following:
- use PowerShell 7 on the tool-server, this makes life much easier (web-request syntax, skipping SSL validation)
- use a local account on XG (least privileges...), AD accounts do not work
- if you're able to request and renew certificates using the script, import your SSL certificate on XG using the web GUI, give it an easy, speaking name (e.g. URL_LE) and assign it where needed
- adjust the following script snippet regarding your PFX file/password, user/password and your certificate name; it's supposed to replace an existing certificate
# replace Certificate on Sophos XG
# ***...*** are placeholders: XG admin user/password, the name of the existing certificate object on XG,
# the PFX file name as uploaded and the PFX password
$request = "<Request><Login><Username>***USERNAME***</Username><Password>***PASSWORD***</Password></Login><Set operation=`"update`"><Certificate><Action>UploadCertificate</Action><Name>***CERTIFICATE_NAME***</Name><CertificateFormat>pkcs12</CertificateFormat><CertificateFile>***CERTIFICATE.PFX***</CertificateFile><Password>***CERTIFICATE-PASSWORD***</Password></Certificate></Set></Request>"
# XG API endpoint on the admin port (HTTPS); XG-URL is the host name of your firewall
$uri = "https://XG-URL:4444/.../APIController"
$PFXfileProd = "C:\temp\fullchain.pfx"
# multipart form: 'reqxml' carries the XML request, the second field carries the PFX file itself
$Form = @{
    reqxml = $request
    $((Get-Item $PFXfileProd).BaseName) = Get-Item -Path $PFXfileProd
}
# -SkipCertificateCheck requires PowerShell 7 (XG admin interface usually has a self-signed certificate)
$Result = Invoke-RestMethod -Uri $uri -Method Post -Form $Form -SkipCertificateCheck
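The following is an added example, not part of the original post: the same upload wrapped in a function that keeps the passwords out of the script file, escapes the values placed into the XML (a password containing & or < would otherwise break the request), and checks the answer XG sends back instead of ignoring $Result. The XG response layout assumed here (a Login/status element and a Certificate/Status element with a code attribute), the parameter names and the host name 'XG-URL' are assumptions for the example; the endpoint path /webconsole/APIController is the XG API controller.

```powershell
# Added example (not from the original post): replace a certificate on Sophos XG via the API
# and verify the result. Response element names are assumed from the XG API XML format.
function Set-XgCertificate {
    param(
        [Parameter(Mandatory)] [string]       $XgHost,           # e.g. 'XG-URL' (placeholder host name)
        [Parameter(Mandatory)] [pscredential] $ApiCredential,    # local XG admin account (AD accounts do not work)
        [Parameter(Mandatory)] [string]       $CertificateName,  # existing certificate object on XG, e.g. 'URL_LE'
        [Parameter(Mandatory)] [string]       $PfxPath,          # PFX/PKCS#12 file produced by Posh-ACME
        [Parameter(Mandatory)] [securestring] $PfxPassword,      # password protecting the PFX
        [string] $ApiPath = '/webconsole/APIController'          # XG API endpoint on the admin port
    )

    $pfx = Get-Item -Path $PfxPath -ErrorAction Stop

    # Escape everything that is interpolated into the XML so that & < > " in a password or name
    # cannot change the structure of the request document.
    $esc = { param($s) [System.Security.SecurityElement]::Escape($s) }
    $apiUser  = & $esc $ApiCredential.UserName
    $apiPass  = & $esc $ApiCredential.GetNetworkCredential().Password
    $pfxPass  = & $esc ([System.Net.NetworkCredential]::new('', $PfxPassword).Password)
    $certName = & $esc $CertificateName

    $request = @"
<Request>
  <Login><Username>$apiUser</Username><Password>$apiPass</Password></Login>
  <Set operation="update">
    <Certificate>
      <Action>UploadCertificate</Action>
      <Name>$certName</Name>
      <CertificateFormat>pkcs12</CertificateFormat>
      <CertificateFile>$($pfx.Name)</CertificateFile>
      <Password>$pfxPass</Password>
    </Certificate>
  </Set>
</Request>
"@

    # Multipart form as in the snippet above: 'reqxml' holds the XML, the file field is named
    # after the PFX base name and carries the file content.
    $form = @{
        reqxml                = $request
        $($pfx.BaseName)      = $pfx
    }

    $uri = "https://${XgHost}:4444$ApiPath"

    # XG answers with XML; Invoke-RestMethod returns it already parsed as [xml].
    # -SkipCertificateCheck (PowerShell 7) is only needed while the XG admin certificate is untrusted;
    # trusting that certificate on the tool-server lets you drop the switch.
    $response = Invoke-RestMethod -Uri $uri -Method Post -Form $form -SkipCertificateCheck

    # Assumed response layout: <Response><Login><status>…</status></Login><Certificate><Status code="200">…</Status></Certificate></Response>
    $loginStatus = $response.Response.Login.status
    if ($loginStatus -ne 'Authentication Successful') {
        throw "XG API login failed: $loginStatus"
    }
    $status = $response.Response.Certificate.Status
    if (-not $status -or $status.code -ne '200') {
        throw "Certificate update on XG failed (code $($status.code)): $($status.'#text')"
    }
    return $status.'#text'
}

# Usage from a scheduled task: store the XG credential once under the task's account
# (Export-Clixml protects it with DPAPI for that user on that machine) and import it here.
# $xgCred = Import-Clixml -Path 'C:\Scripts\xg-api.cred.xml'
# $pfxPw  = Import-Clixml -Path 'C:\Scripts\pfx-password.xml'   # a SecureString saved the same way
# Set-XgCertificate -XgHost 'XG-URL' -ApiCredential $xgCred -CertificateName 'URL_LE' `
#                   -PfxPath 'C:\temp\fullchain.pfx' -PfxPassword $pfxPw
```

Because the function throws on a failed login or a non-200 status, the scheduled task ends with an error instead of silently keeping the old certificate, which is the failure you otherwise only notice when the browser warning appears. Remember that the XG API must be enabled and the tool-server's IP allowed under the API settings before any of this works.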
Good luck!