Web protection

Hi Stuart,

Thank you for reaching out to Sophos Community.

Also, for providing the software version and apologies for the experience.

The Firewall's default behavior seems to pull out the domain from the certificate and overwrite the current.

I'll be inquiring about your case with our internal team.

Would it be possible to create a case at https://soph.so/SophosSupport so that it can further check?

Also, kindly share with us the case # once created so that we can monitor it.

For additional query, Can I have the following information?

• Previous and new Certificates a wildcard?
• How many WAF rules do you have?
• The number of domains to be modified?

Hi Stuart,

Thank you for reaching out to Sophos Community.

Also, for providing the software version and apologies for the experience.

The Firewall's default behavior seems to pull out the domain from the certificate and overwrite the current.

I'll be inquiring about your case with our internal team.

Would it be possible to create a case at https://soph.so/SophosSupport so that it can further check?

Also, kindly share with us the case # once created so that we can monitor it.

For additional query, Can I have the following information?

• Previous and new Certificates a wildcard?
• How many WAF rules do you have?
• The number of domains to be modified?

I can log a case, but not sure why as you've confirmed it's an issue, so nothing to troubleshoot

Both new and old certificates are a wildcard - it's basically renewing the old certificate

6 x WAF rules

There are currently 32 subdomains, although this is growing as we deploy new webapps

maybe a workaround would be to export the WAF services and replace the certificate externally on the xml file, import it afterwards as Entities.tar

https://doc.sophos.com/nsg/sophos-firewall/19.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/BackupAndFirmware/ImportExport/index.html#export

just an idea, eventually it works?

Wouldn't work, because it would also restore the incorrect HTTPS certificate being assigned to that WAF rule

of course after you imported the new cert with a new name and reference to the new cert in the xml.

Yes, I suppose I could edit the XML and change to the new cert name in there. Might give that a whirl.

Are you using a Lets Encrypt Certificate? 

Because it sounds like you are doing it very frequently. 

I can confirm, this is the current behavior of the webadmin. 

But i am "working around" it by using the API to upload the certificate and replace the certificate at the same time. 

No, we're using a GoDaddy wildcard certificate

We're updating it once a year when the certificate expires/renews

I'm not entirely sure why changing the assigned certificate wipes out all of the assigned domains - strange behaviour

Essentially the reason is: SFOS reads the Domains from the cert, but as Wildcard does not have domains, it will "put space in it". 

So if you have a cert for domain test.com, by selecting the cert, it will place test.com in it. 

It would be good if it recognised it was a wildcard cert and didn't change domains listed

It's plausible that a non-wildcard cert could be added where you didn't want to include some of domains listed in it, or only wanted to list one of them. I think manual entry is better.