Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

PHP script for uploading Lets Encrypt certs is broken since 19.0 MR1

Hi, I am using this script from user 

https://community.sophos.com/sophos-xg-firewall/f/discussions/129768/letsencrypt-api-update-script---dynamically-handles-multiple-certs-multiple-rules-including-re-grouping-of-policies-rules

However since MR1 it is broken when it tries to set the 2nd rule with the temporary certificate:
FINDING POLICIES USING CERT: owncloud
FOUND MATCHING POLICY RULE TO BE UPDATED: Clone_owncloud
FOUND MATCHING POLICY RULE TO BE UPDATED: owncloud
FINDING ASSIGNED GROUPS FOR RULE: Clone_owncloud
FOUND MATCHING FIREWALL RULE GROUP: Traffic to Internal Zones
FINDING ASSIGNED GROUPS FOR RULE: owncloud
FOUND MATCHING FIREWALL RULE GROUP: Traffic to Internal Zones



APPLYING TEMP CERT FOR POLICY RULE: Clone_owncloud
<?xml version="1.0" encoding="UTF-8"?>
<Response APIVersion="1800.1" IPS_CAT_VER="1">
  <Login>
    <status>Authentication Successful</status>
  </Login>
  <FirewallRule transactionid="">
    <Status code="200">Configuration applied successfully.</Status>
  </FirewallRule>
</Response>


APPLYING TEMP CERT FOR POLICY RULE: owncloud
PHP Fatal error:  Uncaught Exception: String could not be parsed as XML in /root/update_xg_cert_owncloud.php:226
Stack trace:
#0 /root/update_xg_cert_owncloud.php(226): SimpleXMLElement->__construct()
#1 {main}
  thrown in /root/update_xg_cert_owncloud.php on line 226

Any idea why that happens? I am completely noob in PHP and API.



This thread was automatically locked due to age.
  • This is interesting.... I just mimicked your setup, and compared our policy output from the test i asked for, and nothing stands out differently, but mine still worked.  It's odd that the first policy works, and the second policy "works / applies the change to the temp" but comes back with no response.  

    Lets try this next and see if you notice anything different from the policy that works "returns a result for applying the temp cert" and the one that does not......

    Have this be the only changes for this test!

    Around line 82, set it to the following:

                            curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
                            curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
                           $result = curl_exec($ch); // execute
    // *** remove the "//" from each of the following 3 lines below ***
                var_dump($result);
                $info = curl_getinfo($ch);
                print_r($info);
    // *** end changes ***
                            curl_close($ch);

    I'm wondering if maybe the curl is timing out? or getting some sort of error...if so this will show us what is returned, and the detailed "curl ifno" from running the curl against the api.

  • This is the output for the working first policy:

    Array
    (
        [url] => https://10.0.0.254:4444/webconsole/APIController
        [content_type] => text/xml;  charset=UTF-8
        [http_code] => 200
        [header_size] => 392
        [request_size] => 209
        [filetime] => -1
        [ssl_verify_result] => 0
        [redirect_count] => 0
        [total_time] => 51.260151
        [namelookup_time] => 1.8E-5
        [connect_time] => 0.000478
        [pretransfer_time] => 0.01046
        [size_upload] => 1695
        [size_download] => 286
        [speed_download] => 5
        [speed_upload] => 33
        [download_content_length] => -1
        [upload_content_length] => 1695
        [starttransfer_time] => 0.011947
        [redirect_time] => 0
        [redirect_url] =>
        [primary_ip] => 10.0.0.254
        [certinfo] => Array
            (
            )
    
        [primary_port] => 4444
        [local_ip] => 10.0.0.9
        [local_port] => 51450
        [http_version] => 2
        [protocol] => 2
        [ssl_verifyresult] => 0
        [scheme] => HTTPS
        [appconnect_time_us] => 10423
        [connect_time_us] => 478
        [namelookup_time_us] => 18
        [pretransfer_time_us] => 10460
        [redirect_time_us] => 0
        [starttransfer_time_us] => 11947
        [total_time_us] => 51260151
    )
    

    And this the output for the second policy just before the exception happens:

    bool(false)
    Array
    (
        [url] => https://10.0.0.254:4444/webconsole/APIController
        [content_type] =>
        [http_code] => 100
        [header_size] => 25
        [request_size] => 209
        [filetime] => -1
        [ssl_verify_result] => 0
        [redirect_count] => 0
        [total_time] => 60.001212
        [namelookup_time] => 1.7E-5
        [connect_time] => 0.000431
        [pretransfer_time] => 0.010152
        [size_upload] => 1686
        [size_download] => 0
        [speed_download] => 0
        [speed_upload] => 28
        [download_content_length] => -1
        [upload_content_length] => 1686
        [starttransfer_time] => 0.011703
        [redirect_time] => 0
        [redirect_url] =>
        [primary_ip] => 10.0.0.254
        [certinfo] => Array
            (
            )
    
        [primary_port] => 4444
        [local_ip] => 10.0.0.9
        [local_port] => 51456
        [http_version] => 2
        [protocol] => 2
        [ssl_verifyresult] => 0
        [scheme] => HTTPS
        [appconnect_time_us] => 10124
        [connect_time_us] => 431
        [namelookup_time_us] => 17
        [pretransfer_time_us] => 10152
        [redirect_time_us] => 0
        [starttransfer_time_us] => 11703
        [total_time_us] => 60001212
    )
    

    Strangely the total_time_us of the failed policy update is more or less exact 60 seconds. Could that be the timeout if curl? If so how do I change it?

    Seems CURLOPT_ACCEPTTIMEOUT_MS is the default 60000000 us = 60 seconds

  • Yep, looks like we found the issue! The curl api call has a hard-set timeout of 60 seconds, so we need to adjust that.

    Odd that your responses take so long.  My response time for setting the temp cert is "[total_time] => 12.153309" 

    Anyways, you will just need to increase this setting around line 66

    curl_setopt($ch, CURLOPT_TIMEOUT, 60);

    I would just go ahead and double yours to the following:

    curl_setopt($ch, CURLOPT_TIMEOUT, 120);

    Let me know if that fixes the issue.

  • Now its working! I changed the line where you set the timeout from 60 to 120 and it runs through!!

    Well I have a lot of rules (>40) and those have a lot of path specific routings etc. It is also taking so much time via the GUI.

  • Great!  Glad we got it figured out!  Thanks for being willing to do all the testing, and report your findings here to help solve it!

    Any chance you can get the OP, with the entire script, updated to reflect the fix we applied here, to help prevent others who may come across the OP and use the code, from having the issue EdmundSackbauer had?  Also, you still have the link to my post for this script going to someone else's github page on this post "(+) [LetsEncrypt] How To in XG - Recommended Reads - Sophos Firewall - Sophos Community"  Thanks!