
automatically renew Let's encrypt SSL-certificates on XG using PowerShell

I spent a few hours on this, so maybe my result helps someone in a similar situation. 

In my home-lab I'm running a KEMP ADC that publishes all my SSL-Services. Since KEMP does not support Let's encrypt out of the box but offers a PowerShell module for their ADC's, I'm using a Windows Tool-Server with a PowerShell-Script (based on POSH-ACME) to renew two SSL-Certificates from Let's encrypt every two months.

Many of our customers, and since last August myself, have replaced their old firewall with a Sophos XG which, as we all know, is also missing built-in support for Let's encrypt. A little annoying, because it's one of those features that the old product (UTM) offered and the new product (XG) doesn't anymore, but hopefully there will be a time when the proven old stuff will be reactivated...

However, most of our customers are running Windows-Servers and need one or two SSL-certificates. Deploying a Linux-machine only for this purpose will make a commercial SSL-certificate more valuable. And because my approach was PowerShell, I wanted to manage the certificate on the XG using the same script. Got that, finally, and would like to save others a few hours ;-) .

Short overview over my setup:

- Windows Tool-Server (W2k16)
  - PowerShell 7
  - PS-Module KEMP-ADC (support.kemptechnologies.com/.../200141477)
  - PS-Module POSH-ACME (interacting with Let's encrypt) (github.com/.../Posh-ACME)
  - scheduled PS-Scripts to renew and replace 2 SSL-certificates on KEMP ADC and one on Sophos XG
    - KEMP-ADC: using PS-Module
    - Sophos XG: using Web-API
- KEMP-ADC
  - hosting production services
  - redirects ACME-traffic to Tool-Server

I'm not really used to API-calling and learned a lot from other, mostly unresolved discussions here. Especially with help from this discussion I finally found a solution: Sophos XG API Powershell Module - sophosxg-api - Discussions - XG Firewall - Sophos Community

After all I recommend the following:

- use PowerShell 7 on the tool-server, this makes life much easier (web-request syntax, skip SSL validation)

- use a local account on XG (least privileges...), AD-accounts do not work

- if you're able to request and renew certificates using the script, import your SSL-certificate on XG using the web-gui, give it an easy, speaking name (e.g. URL_LE) and assign it where needed

- adjust the following script-snippet regarding your PFX-file/PW, user/PW and your certificate name; it's supposed to replace an existing certificate

```powershell
# replace Certificate on Sophos XG
# fill in the ***...*** placeholders; ***CERTIFICATE.PFX*** must be the file name of the uploaded PFX (here fullchain.pfx)
$request = "<Request><Login><Username>***USERNAME***</Username><Password>***PASSWORD***</Password></Login><Set operation=`"update`"><Certificate><Action>UploadCertificate</Action><Name>***CERTIFICATE_NAME***</Name><CertificateFormat>pkcs12</CertificateFormat><CertificateFile>***CERTIFICATE.PFX***</CertificateFile><Password>***CERTIFICATE-PASSWORD***</Password></Certificate></Set></Request>"
$uri = "https://XG-URL:4444/.../APIController"   # admin port 4444, API controller path of your XG
$PFXfileProd = "C:\temp\fullchain.pfx"
# multipart form: the XML goes into the field "reqxml", the PFX is uploaded under its own base name
$Form = @{
    reqxml = $request
    $((Get-Item $PFXfileProd).Basename) = Get-Item -Path $PFXfileProd
}
# PowerShell 7: -Form builds the multipart body; -SkipCertificateCheck accepts the XG's self-signed admin certificate
$Result = Invoke-RestMethod -Uri $uri -Method Post -Form $Form -SkipCertificateCheck
```

Good luck!
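The same upload wrapped in a function, as an added example that is not part of the original post: it takes a PSCredential instead of literal passwords in the script, XML-escapes every value placed into the request, and checks the XG response instead of discarding it. It assumes PowerShell 7, your XG's API controller URL, and that the reply carries a login status and a `<Status code="...">` element under `<Certificate>` (verify against your own firewall's response before relying on it).

```powershell
# Added example (not the original post's code). Assumptions: PowerShell 7, the XG API
# controller URL, and the response layout described in the comments below.
function Set-XgCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]       $ApiUri,          # e.g. https://XG-URL:4444/.../APIController
        [Parameter(Mandatory)] [pscredential] $ApiCredential,   # local XG account with API access only
        [Parameter(Mandatory)] [string]       $CertificateName, # name of the existing certificate on XG
        [Parameter(Mandatory)] [string]       $PfxPath,
        [Parameter(Mandatory)] [securestring] $PfxPassword
    )
    $pfx = Get-Item -Path $PfxPath -ErrorAction Stop

    # Escape every value so characters such as & or < in a password cannot break the XML.
    $esc = { param($s) [System.Security.SecurityElement]::Escape($s) }
    $apiUser = & $esc $ApiCredential.UserName
    $apiPass = & $esc $ApiCredential.GetNetworkCredential().Password
    $pfxPass = & $esc ([pscredential]::new('x', $PfxPassword).GetNetworkCredential().Password)

    $request = @"
<Request><Login><Username>$apiUser</Username><Password>$apiPass</Password></Login>
<Set operation="update"><Certificate><Action>UploadCertificate</Action>
<Name>$(& $esc $CertificateName)</Name><CertificateFormat>pkcs12</CertificateFormat>
<CertificateFile>$($pfx.Name)</CertificateFile><Password>$pfxPass</Password>
</Certificate></Set></Request>
"@

    # Multipart body: the XML in "reqxml", the PFX uploaded under its base name (as in the post).
    $form = @{ reqxml = $request; $($pfx.BaseName) = $pfx }
    # -SkipCertificateCheck is needed for the self-signed admin certificate; importing the XG's
    # admin certificate into the tool-server's trust store lets you drop it.
    $response = Invoke-RestMethod -Uri $ApiUri -Method Post -Form $form -SkipCertificateCheck

    # Assumed response layout: <Response><Login><status>...</status></Login>
    #                          <Certificate><Status code="200">...</Status></Certificate></Response>
    $login  = $response.Response.Login.status
    $status = $response.Response.Certificate.Status
    if ($login -notmatch 'Successful') { throw "XG API login failed: $login" }
    if ($status.code -ne '200')        { throw "Certificate upload failed ($($status.code)): $($status.'#text')" }
    return $status.'#text'
}

# Usage (credentials prompted or read from a secret store, never written into the script):
# Set-XgCertificate -ApiUri 'https://XG-URL:4444/.../APIController' -ApiCredential (Get-Credential) `
#     -CertificateName 'URL_LE' -PfxPath 'C:\temp\fullchain.pfx' -PfxPassword (Read-Host -AsSecureString 'PFX password')
```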