This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Web protection

If I upload a new certificate because it's just been renewed, and then select that certificate in an existing firewall rule for web protection, it automatically deletes all the domains I've associated and puts in the ones it's found in the certificate. This drives me absolutely crazy, because we use a wildcard certificate and have different rules for different sub-domains. I then have to setup all the subdomains all over again.

Can we please get a change so that selecting a different certificate from the "HTTPS Certificate" dropdown doesn't change anything in the "Domains" box?

This thread was automatically locked due to age.

Top Replies

LuCar Toni over 1 year ago in reply to Stuart James +1

Essentially the reason is: SFOS reads the Domains from the cert, but as Wildcard does not have domains, it will "put space in it". So if you have a cert for domain test.com, by selecting the cert, it…

0 Stuart James over 1 year ago

19.5.1 MR-1-Build278
Cancel
Vote Up 0 Vote Down

Cancel
0 Erick Jan over 1 year ago
Hi Stuart,

Thank you for reaching out to Sophos Community.

Also, for providing the software version and apologies for the experience.

The Firewall's default behavior seems to pull out the domain from the certificate and overwrite the current.

I'll be inquiring about your case with our internal team.

Would it be possible to create a case at https://soph.so/SophosSupport so that it can further check?

Also, kindly share with us the case # once created so that we can monitor it.

For additional query, Can I have the following information?

Previous and new Certificates a wildcard?

How many WAF rules do you have?

The number of domains to be modified?
Erick Jan
Community Support Engineer | Sophos Technical Support
Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Cancel
0 Stuart James over 1 year ago in reply to Erick Jan

I can log a case, but not sure why as you've confirmed it's an issue, so nothing to troubleshoot

Both new and old certificates are a wildcard - it's basically renewing the old certificate

6 x WAF rules

There are currently 32 subdomains, although this is growing as we deploy new webapps
Cancel
Vote Up 0 Vote Down

Cancel
0 LHerzog over 1 year ago in reply to Stuart James

maybe a workaround would be to export the WAF services and replace the certificate externally on the xml file, import it afterwards as Entities.tar

https://doc.sophos.com/nsg/sophos-firewall/19.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/BackupAndFirmware/ImportExport/index.html#export

just an idea, eventually it works?
Cancel
Vote Up 0 Vote Down

Cancel
0 Stuart James over 1 year ago in reply to LHerzog

Wouldn't work, because it would also restore the incorrect HTTPS certificate being assigned to that WAF rule
Cancel
Vote Up 0 Vote Down

Cancel
0 LHerzog over 1 year ago in reply to Stuart James

of course after you imported the new cert with a new name and reference to the new cert in the xml.
Cancel
Vote Up 0 Vote Down

Cancel
0 Stuart James over 1 year ago in reply to LHerzog

Yes, I suppose I could edit the XML and change to the new cert name in there. Might give that a whirl.
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 1 year ago in reply to Stuart James

Are you using a Lets Encrypt Certificate?

Because it sounds like you are doing it very frequently.

I can confirm, this is the current behavior of the webadmin.

But i am "working around" it by using the API to upload the certificate and replace the certificate at the same time.

__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Cancel
0 Stuart James over 1 year ago in reply to LuCar Toni

No, we're using a GoDaddy wildcard certificate

We're updating it once a year when the certificate expires/renews

I'm not entirely sure why changing the assigned certificate wipes out all of the assigned domains - strange behaviour
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 1 year ago in reply to Stuart James

Essentially the reason is: SFOS reads the Domains from the cert, but as Wildcard does not have domains, it will "put space in it".

So if you have a cert for domain test.com, by selecting the cert, it will place test.com in it.

__________________________________________________________________________________________________________________
Cancel
Vote Up +1 Vote Down

Cancel