8 years plus running no solution to Certificate could not be updated as it is already used by HTTP Based Policy

Question

When I go to edit the certificate and upload the certificate which is due for renewal ( every 13 months ), it fails with the following error at the top center of the screen: 
 
 Certificate could not be updated as it is already used by HTTP Based Policy 
 
 Firmware: (SFOS 20.0.1 MR-1-Build342) 
 I have 40+ WAF rules managing multiple domains. 
 
 1. Go to certificates 
 2. Add new certificates with different name as it doesn't allow updating same certificate 
 3. Then go to WAF rules one by one ( 1....40+ ), change new certificates update FQDN isn't this annoying ????? 
 4. Its been 5 Years I have been using Sophos XG literally fed up with repeated task 
 
 Its even costing me with downtime. 
 
 Its been issue over 8+ years still Sophos not addressed see below: 
 
 Certificate renewal fails if used in web server protection rule 
 
 Certificate could not be updated as it is already used by HTTP Based Policy 
 
 I raised support ticket as of 2024-07-26 Sophos doesn't feasible solution. ( Case Number: 07455429 ) 
 I see below paths hold certificate & private key, its a job of replacement of file & restart of WAF still Sophos developers didn't consider to implement over UI over 8+ years!!! can't they simplify ???

/conf/certificate/

/conf/certificate/private/

LuCar Toni · Answer

Yes. That is what I am saying: you need one API call to upload the new certificate - called cert-date 
 then you need a second API call to update the WAF to replace the current name with the new name. 
 you cannot replace the certificate, which is in use right now. But you could do it by the approach above. 
 As mentioned - this will be approach in a better manner later this year by a new Sophos firewall release.

burton · Answer

Letsencrypt API Update Script - dynamically handles multiple certs, multiple rules, including re-grouping of policies rules - Discussions - Sophos Firewall - Sophos Community 
 You could try using my script on a linux machine to take care of this for you. You just set it up with all your certificates (how they are named on your xg firewall) that you want to update, and it must have access to the certificate pem and key files locally for each certificate as well. 
 Then it goes out to your firewall via the api and finds all the rules that are using that certificate name, temporarily replaces the certificate with a temp dummy certificate that it creates for this process, then uploads/updates all the certificates you set it up with ( the original ones, no need to create new ones with a different name), then goes back through all the rules and re-assigns them back to that original certificate name, and if they were a part of a firewall group, it restores the firewall group as well, and then deletes the temp certificate. 
 Also keep in mind, the original post was never updated as requested, to change the timeout of the curl to 120, as discovered for this user in the following post, so keep that in mind if you decide to try it. Also, the user in that post also apparently had around 40 rules as well to update. I have been using this script for three years without issue, to update two different certificates and multiple waf rules used by each of the two certificates. 
 PHP script for uploading Lets Encrypt certs is broken since 19.0 MR1 - Discussions - Sophos Firewall - Sophos Community

8 years plus running no solution to Certificate could not be updated as it is already used by HTTP Based Policy

Top Replies