This Recommended Read goes over different options to obtain a Let's Encrypt certificate.
UTM has LE support for WAF (since UTM 9.6). But on XG you can use LE certificates as well! It seems many people do not know this: you simply need a little Linux server and 5-10 minutes of your time every 3 months. Or you automate this.
First of all, I want to share the "How it works" page of LE: https://letsencrypt.org/how-it-works/
Internet - XG - Ubuntu 20.04 LTS
Ubuntu has "certbot" installed. Feel free to use other LE modules. https://certbot.eff.org/ https://certbot.eff.org/lets-encrypt/ubuntubionic-apache
Follow the guide for your OS. I am relying fully on those apps for the renewal process.
As the next step, I am choosing the HTTP-01 method for LE, so I need a DNAT for LE to my Ubuntu.
PS: I am using HTTP DNAT for the renewal process and deactivate those rules after the process. But you can also use only the LE IPs: https://community.letsencrypt.org/t/can-i-get-list-ip-from-letsencrypt/57117
PS2: You could switch to the DNS validation as explained in this Community thread.
The next step is to check your domain. Your DNS A record should point to your WAN IP. Otherwise this process will not work. So perform a dig / nslookup of your domain. It should point to your WAN IP, so your DNAT will work and HTTP packets are forwarded to Certbot. You can also use the Sophos free DDNS service. https://community.sophos.com/kb/en-us/123126
Let's start certbot and try it. My renewal process is straightforward:
(Be careful: LE blocks you for some time after a couple of "failed" requests. So check everything!)
In the end you will get 4 files on your Linux: Public, Chain, Fullchain and Privatkey certificates.
You will use this Public and Privatkey certificate. There are a couple of approaches to upload this to XG.
The first LE cert can simply be uploaded. You should use the Public.pem in "Certificate" and the Privatkey in "Private key". PS: you have to rename the Privatkey.pem to Privatkey.key, otherwise XG will not take this certificate.
Optionally you can upload the other Chain and Fullchain certificates under Certificate Authorities (without private key). Now you can use this certificate for WAF/Webadmin.
In case of renewal (every 90 days), you have to choose a process.
You can simply upload the new LE certificate with another name and replace it in WAF/Webadmin. Or you can "update" the current LE certificate with the new public.pem / privat.key. But for this method, you have to switch to a fallback certificate in WAF/Webadmin, because XG cannot update a certificate which is currently in use.
After all, those steps are a manual process every 90 days. You can "script" this, if you want to. So basically upload the certificate every 90 days to XG. https://community.sophos.com/kb/en-us/132560
Other members of the community have already written scripts for this:
https://community.sophos.com/products/xg-firewall/f/sophos-xg-firewall-general-discussion/102208/upload-certificate-using-api
https://community.sophos.com/xg-firewall/f/discussions/126295/automatically-renew-let-s-encrypt-ssl-certificates-on-xg-using-powershell
https://github.com/mmccarn/sophos
https://community.sophos.com/sophos-xg-firewall/f/discussions/129768/letsencrypt-api-update-script---dynamically-handles-multiple-certs-multiple-rules-including-re-grouping-of-policies-rules
https://community.sophos.com/sophos-xg-firewall/f/discussions/134534/sophos-xg-api-lets-encrypt-powershell-7-waf-update
If you want to script this, this community can help you in case you are struggling with a point! So simply open a new thread with your issue with the API, we will try to find a solution.
Sophos Factory brings a new tool to automate script-based approaches. This means you can easily run a script like Certbot or Lego in a Sophos Factory environment to generate the certificate and upload it to the Sophos Firewall.
Sophos Factory offers a free Community Edition. https://community.sophos.com/sophos-factory/ https://community.sophos.com/sophos-factory/b/release-notes-news/posts/get-started-here-sophos-factory-offer-automation-for-all-with-its-free-community-edition
Within Sophos Factory it could look like this:
Each step is one scripting component. By using tools like Lego and GitHub, the "pipeline" will run one time, generate the certificate and upload it to the firewall.
I am going to post a detailed thread about this approach later.
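
An added example, not part of the original post or of any Sophos tooling: a shell helper for the two manual checks the post describes, that the A record resolves to the WAN IP before certbot is started, and that the certificate and key are staged for XG with the key renamed to .key and readable only by its owner. It assumes `dig` is installed and that certbot wrote its default file names cert.pem and privkey.pem; the function names and subcommands are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# Print the first IPv4 A record of a name; assumes dig (dnsutils) is installed.
resolve_a() {
    dig +short A "$1" | grep -E '^[0-9]+(\.[0-9]+){3}$' | head -n 1
}

# Succeed only if the A record equals the expected WAN IP. Run this before
# certbot so a wrong record does not count as a failed validation at LE.
dns_points_to_wan() {
    resolved=$(resolve_a "$1")
    [ -n "$resolved" ] && [ "$resolved" = "$2" ]
}

# Copy cert.pem and privkey.pem (certbot's default names) from live_dir to
# out_dir as Public.pem and Privatkey.key, the names used in the post.
stage_for_xg() {
    src_cert=$1/cert.pem
    src_key=$1/privkey.pem
    [ -r "$src_cert" ] && [ -r "$src_key" ] || {
        echo "cert.pem or privkey.pem not readable in $1" >&2; return 1; }
    # Refuse swapped or wrong files: key material must never end up in the
    # "Certificate" upload field.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$src_cert" || {
        echo "$src_cert is not a PEM certificate" >&2; return 1; }
    if grep -q -e 'PRIVATE KEY-----' "$src_cert"; then
        echo "$src_cert contains a private key" >&2; return 1
    fi
    grep -q -e 'PRIVATE KEY-----' "$src_key" || {
        echo "$src_key is not a PEM private key" >&2; return 1; }
    # umask 077 in a subshell: the staged key is never group/world readable.
    ( umask 077
      mkdir -p "$2" &&
      cp "$src_cert" "$2/Public.pem" &&
      cp "$src_key" "$2/Privatkey.key" &&
      chmod 600 "$2/Public.pem" "$2/Privatkey.key" ) || return 1
}

# Usage: script preflight <domain> <wan-ip> | script stage <live-dir> <out-dir>
case "${1:-}" in
    preflight)
        dns_points_to_wan "$2" "$3" || {
            echo "A record of $2 is not $3: fix DNS before certbot" >&2; exit 1; } ;;
    stage)
        stage_for_xg "$2" "$3" ;;
esac
```

Delete the staging directory once the files are uploaded, since it holds a second copy of the private key.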
Would be very interested, am using LE and do a manual renew every 3 months.
The teach-in video library needs a solid lifting. I used to rely on firewalls.com videos on YouTube, but many are based on old versions of XG and mostly touch the surface only. Aside from Sophos' own website, it is hard to find learning stuff that applies to XG on the net.
I would like to get this guide!
Any progress on finishing / publishing / sharing the above mentioned guide?
I am kinda busy right now with other projects / stuff...
I have to renew some certificates at the end of Jan, so I will wrap up this process then.
Excellent. I'm following up.
Right now I am keeping my UTM active, mostly for this function. I've just been too lazy to set up the process myself, so I would take a look if you put one up. Thanks!
We also need a guide for LE on XG.
Updated this Thread with some facts.
Most likely not the content you expected.
Feel free to share your thoughts about the automated process.
I can help you to build a script for it, but most likely I can only help to call the correct API on XG. I am not able to help you with your script for calling certbot, renaming files etc.
This is more likely a serverfault / stackoverflow domain.
I've been running a Hyper-V VM on my LAN with a DNAT rule for HTTP & HTTPS to this and a standard rule for LAN to WAN with IPS enabled, but for some reason the LE bot cannot update the _acme.domain TXT record using an API. I've had it work once when I disabled all the IPS and filtering on both rules, but it soon failed on a reboot of the VM. Has anyone got any advice on the best practices for rules for LE acme bots?