UTM has LE support for WAF (since UTM 9.6). But on XG you can use LE certificates as well! It seems many people do not know this: you simply need a little Linux server and 5-10 minutes of your time every 3 months. Or you automate this.
First of all, I want to share the "how it works" page of LE: https://letsencrypt.org/how-it-works/
Internet - XG - Ubuntu 20.04 LTS

Ubuntu has "certbot" installed. Feel free to use other LE modules.
https://certbot.eff.org/
https://certbot.eff.org/lets-encrypt/ubuntubionic-apache
Follow the guide for your OS straight through. I am relying fully on those apps for the renewal process.
Next step: I am choosing the HTTP-01 method for LE, so I need a DNAT for LE to my Ubuntu.
PS: I am using an HTTP DNAT for the renewal process and deactivate those rules after the process. But you can also use only the LE IPs: https://community.letsencrypt.org/t/can-i-get-list-ip-from-letsencrypt/57117
PS2: You could switch to the DNS validation as explained in this community thread.
The next step would be to check your domain. Your DNS A record should point to your WAN IP, otherwise this process will not work. So perform a dig / nslookup of your domain. It should point to your WAN IP, so your DNAT will work and HTTP packets are forwarded to certbot. You can also use the Sophos free DDNS service: https://community.sophos.com/kb/en-us/123126
Let's start certbot and try it. My renewal process is straightforward:
(Be careful: LE blocks you for some time after a couple of "failed" requests. So check everything!)
In the end you will get 4 files on your Linux: Public, Chain, Fullchain and Private key certificates.
Upload to XG
You will use the Public and Private key certificates. There are a couple of approaches to upload them to XG.
The first LE cert can simply be uploaded. You should use Public.pem in "Certificate" and the Privatkey in "Private key". PS: you have to rename Privatkey.pem to Privatkey.key, otherwise XG will not take this certificate.
Optionally you can upload the other Chain and Fullchain certificates under Certificate Authorities (without private key). Now you can use this certificate for WAF/Webadmin.
In case of renewal (every 90 days), you have to choose a process.
Automation
You can simply upload the new LE certificate with another name and replace it in WAF/Webadmin. Or you can "update" the current LE certificate with the new public.pem / privat.key. But for this method, you have to switch to a fallback certificate in WAF/Webadmin, because XG cannot update a certificate which is currently in use.
After all, those steps are a manual process every 90 days. You can "script" this, if you want to. So basically upload the certificate to XG every 90 days: https://community.sophos.com/kb/en-us/132560
Other members in the community have already written scripts for this:
https://community.sophos.com/products/xg-firewall/f/sophos-xg-firewall-general-discussion/102208/upload-certificate-using-api
https://community.sophos.com/xg-firewall/f/discussions/126295/automatically-renew-let-s-encrypt-ssl-certificates-on-xg-using-powershell
https://github.com/mmccarn/sophos
If you want to script this, this community can help you in case you are struggling with a point! So simply open a new thread with your issue with the API, and we will try to find a solution.
Contribution:
rgreat: https://zerossl.com/free-ssl/#crt - free alternative to this approach
LucianoRodriguez: for the GitHub script.
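The post's renewal flow, as an added example that is not code from the original post, from Sophos or from the linked scripts: a POSIX shell deploy hook for certbot that performs the two pre-flight checks the post describes (A record equals WAN IP, PEM files are what they claim to be) and turns the four files certbot leaves in its live directory into the set the post uploads to XG, including the privkey.pem to Privatkey.key rename that XG requires. RENEWED_LINEAGE and RENEWED_DOMAINS are the environment variables certbot sets for --deploy-hook scripts; XG_BUNDLE_DIR, the 7-day expiry warning window and the output file names are this example's own assumptions. The actual API upload is left to the KB and scripts linked above, since their request format is not on this page.

```shell
#!/bin/sh
# Added example (not from the post or from Sophos): certbot deploy hook that
# builds the XG upload set and runs the pre-flight checks described in the post.
# Usage: certbot renew --deploy-hook /usr/local/bin/xg-bundle.sh
#        (run "certbot renew --dry-run" first: it uses the LE staging CA and
#         does not count against the failure limits the post warns about)
set -u

# First public A record of a name; dig is in the dnsutils package on Ubuntu.
resolve_a() {
    dig +short A "$1" | grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' | head -n 1
}

# HTTP-01 only works if the A record points at the WAN IP the DNAT is on.
dns_points_to_wan() {
    domain="$1"; wan_ip="$2"
    got=$(resolve_a "$domain")
    [ "$got" = "$wan_ip" ] && return 0
    echo "DNS check failed: $domain resolves to '${got:-nothing}', expected $wan_ip" >&2
    return 1
}

# True when the file is non-empty and carries the expected PEM header,
# e.g. "CERTIFICATE" or "PRIVATE KEY" (also matches "RSA PRIVATE KEY").
pem_has_block() {
    [ -s "$1" ] && grep -q -- "-----BEGIN .*$2-----" "$1"
}

# Copy cert/chain/fullchain/privkey from a certbot live directory ($1) into
# the upload directory ($2). XG only accepts the key with a .key extension
# (per the post), so privkey.pem becomes Privatkey.key. Prints the output dir.
prepare_xg_bundle() {
    live="$1"; out="$2"
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        [ -s "$live/$f" ] || { echo "missing $live/$f" >&2; return 1; }
    done
    pem_has_block "$live/cert.pem" "CERTIFICATE" \
        || { echo "cert.pem is not a certificate" >&2; return 1; }
    pem_has_block "$live/privkey.pem" "PRIVATE KEY" \
        || { echo "privkey.pem is not a private key" >&2; return 1; }
    mkdir -p "$out" && chmod 700 "$out" || return 1
    cp "$live/cert.pem"      "$out/Public.pem"
    cp "$live/chain.pem"     "$out/Chain.pem"
    cp "$live/fullchain.pem" "$out/Fullchain.pem"
    cp "$live/privkey.pem"   "$out/Privatkey.key"
    chmod 600 "$out/Privatkey.key"
    # Assumed policy: warn if the certificate is already in its last 7 days.
    # -checkend returns 0 only if the cert is still valid after N seconds.
    if command -v openssl >/dev/null 2>&1 \
       && openssl x509 -noout -in "$out/Public.pem" >/dev/null 2>&1; then
        openssl x509 -noout -checkend 604800 -in "$out/Public.pem" >/dev/null \
            || echo "warning: Public.pem expires within 7 days" >&2
    fi
    echo "$out"
}

# Entry point when certbot invokes this as --deploy-hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    bundle=$(prepare_xg_bundle "$RENEWED_LINEAGE" "${XG_BUNDLE_DIR:-/var/lib/xg-bundle}") || exit 1
    echo "bundle for ${RENEWED_DOMAINS:-?} ready in $bundle"
    # Upload to XG via the API follows here (see the KB and scripts linked above).
fi
```

Run the DNS check once by hand before the first certbot request (`dns_points_to_wan example.com 203.0.113.10`) so that a stale A record does not burn through the LE failure limit; the bundle step only runs when certbot actually renewed, so a stale DNAT rule that has been disabled in the meantime shows up as a certbot error rather than a silent skip.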
LE should be supported by XG from the beginning...
I am looking at trying this out
It's similar to above, but you can script it if you have a Linux box. (They mention Ubuntu server in the readme.)
Hope this helps. (:
This would be really useful, I also create a new cert every 3 months and upload it to the XG
Let's Encrypt is on the roadmap for the future.
That's great, it's such an important feature. Thank you LuCar Toni
Glad to hear that it's on the roadmap, but forgive my skepticism about seeing this any time soon as some features linger on the roadmap for many years...
Any timeframe for it?
For our company it is also essential to use LE. We'd not go for a makeshift / DIY solution but keep our UTM running.
If LetsEncrypt is your only blocker, you could think about a solution to mitigate this via Script.
Actually I would also consider this kind of a makeshift solution.
Plus, if I saw it right, I need to set up a second system. And don't upload them manually? No way we'd do this!
When? this is a game stopper....
What are you going to solve with Let's Encrypt right now? Is there a workaround to integrate this via script or another solution? Or do you still need the (publicly signed) certificate? Maybe this is not needed anymore. I am seeing more customers move to internal CAs for User Portal access and no WAF at all anymore. Therefore there is no need to use a public CA on a firewall product.
Can't you just make it same as it's on UTM, so we can migrate?
As I mentioned earlier: if Let's Encrypt is your only blocker, you can easily work around this. It would only take some minutes of your time.
I am not in the position to comment on the roadmap and prioritization. I simply show a way to work around this easily.
Then please get this forwarded to the engineers who implement it ASAP.
We do have a ZERO downtime policy for our services hosted behind our UTM WAF atm, and such a blatant crappy workaround is an absolute showstopper for us. "Either automatic renewal in the WAF itself or no XG, period" was the announcement from my bosses.
Thanks for your feedback. This feature is on the backlog for future implementation.