Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

8 years plus running no solution to Certificate could not be updated as it is already used by HTTP Based Policy

When I go to edit the certificate and upload the certificate which is due for renewal ( every 13 months ), it fails with the following error at the top center of the screen:

Certificate could not be updated as it is already used by HTTP Based Policy

Firmware: (SFOS 20.0.1 MR-1-Build342) 

I have 40+ WAF rules managing multiple domains.

1. Go to certificates

2. Add new certificates with different name as it doesn't allow updating same certificate 

3. Then go to WAF rules one by one ( 1....40+ ), change new certificates update FQDN isn't this annoying ?????

4.   Its been 5 Years I have been using Sophos XG literally fed up with repeated task

Its even costing me with downtime.

Its been issue over 8+ years still Sophos not addressed see below:

 Certificate renewal fails if used in web server protection rule 

 Certificate could not be updated as it is already used by HTTP Based Policy 

I raised support ticket as of 2024-07-26 Sophos doesn't feasible solution. ( Case Number: 07455429 )

I see below paths hold certificate & private key,  its a job of replacement of file & restart of WAF  still Sophos developers didn't consider to implement over UI over 8+ years!!! can't they simplify ???

/conf/certificate/

/conf/certificate/private/



This thread was automatically locked due to age.
Parents
  • so you can replace an certificate with a new on via api. I am doing this all the time with let’s encrypt. But you need to upload a new one to the firewall and replace the current certificate with the new one in one put request. 

    And you have to be mindful about the resources of Sophos in terms of prio. This situation is known to Sophos. 

    Sophos is looking into addressing this situation with an upcoming release later this year. 

    Sophos Support is not to place or develops fixes for missing features in the product. You can raise those concerns with your Sales engineer. 

    __________________________________________________________________________________________________________________

  • Upload new one through api is not a problem

    Example: if you have existing certificate with name  "domain-a-latest" attached to WAF rules. Sophos api doesn't allow update operations to repace the same either on web or through rest api.

  • Yes. That is what I am saying: you need one API call to upload the new certificate - called cert-date 

    then you need a second API call to update the WAF to replace the current name with the new name. 

    you cannot replace the certificate, which is in use right now. But you could do it by the approach above.

    As mentioned - this will be approach in a better manner later this year by a new Sophos firewall release. 

    __________________________________________________________________________________________________________________

Reply
  • Yes. That is what I am saying: you need one API call to upload the new certificate - called cert-date 

    then you need a second API call to update the WAF to replace the current name with the new name. 

    you cannot replace the certificate, which is in use right now. But you could do it by the approach above.

    As mentioned - this will be approach in a better manner later this year by a new Sophos firewall release. 

    __________________________________________________________________________________________________________________

Children
No Data