Sophos Firewall: [LetsEncrypt] How To in Sophos Firewall

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


NoteMake sure your Sophos Firewall time is correct to avoid potential Certificate Trust issues

Overview

This Recommended Read reviews different options for obtaining a Let's Encrypt certificate.

UTM has LE Support for WAF (since UTM9.6). But on Sophos, you can use LE certificates as well. Seems like many people does not know, you need a little Linux server and 5-10 minutes of your time each three month. Or you can automate this. 

First of all, I want to share the "how it works" page of LE. https://letsencrypt.org/how-it-works/

My Setup. 

Internet - Sophos - Ubuntu 20.04 LTS
Ubuntu has "certbot" installed. Feel free to use other LE modules.
https://certbot.eff.org/ https://certbot.eff.org/lets-encrypt/ubuntubionic-apache
Follow straight the Guide for your OS. I am relying fully on those apps for the renewal process.  

Next, I am choosing the HTTP-01 method for LE, so I need a DNAT for LE to my Ubuntu.

 (V18). 

PS: I am using HTTP DNAT for the renewal process and deactivate those Rules after the process. But you can also use only the LE IPs: 
https://community.letsencrypt.org/t/can-i-get-list-ip-from-letsencrypt/57117
PS2: You could switch to the DNS validation as explained in this Community thread.  

The next step would be to check your Domain. Your DNS A-Record should point to your WAN IP. Otherwise, this process won’t work. 
So perform a dig / nslookup of your domain. It’ll point to your WAN IP, so your DNAT will work, and HTTP packets will be forwarded to Certbot. 
You can also use the Sophos free DDNS service. https://community.sophos.com/kb/en-us/123126 

Certbot

Let us start Certbot and try it. 
My renewal process is straightforward:


(Be careful: LE blocks you after couple of "failed" requests for some time. So check everything).
Ultimately, you’ll get four files on your Linux: Public, Chain, Fullchain, Privatkey Certificates. 

Upload to Sophos Firewall

You’ll use this Public and Privatkey certificate. 
There are a couple of approaches to upload this to Sophos. 

The first LE Cert can be uploaded. 
You should use the Public.pem in "Certificate" and the Privatkey in "Privat key". 
PS: you have to rename the Privatkey.pem to Privatkey.key. Otherwise, Sophos won’t take this certificate. 

Optionally, you can upload the other Chain and fullchain Certificate under Certificate Authorities (Without Privat key). 
Now, you can use this Certificate for WAF/Webadmin. 

In case of renewal (each 90 Days), you have to choose a process.

Automation 

You can upload the new LE certificate with another Name and replace it in WAF/Webadmin. 
Or you can "update" the current LE certificate with the new public.pem / privat.key. But for this method, you have to switch to a fallback certificate in WAF/Webadmin, because Sophos can't update a currently used certificate.  

After all, those steps are manual processes every 90 Days. 
You can "script" this if you want to. So basically, upload the certificate every 90 Days to Sophos. 


Other members of the community have already performed scripts for this.

If you want to script this, this community can help you if you struggle with a point.
So please open a new thread with your issue with the API, and we’ll try to find a solution. 

Sophos Factory

Sophos Factory brings a new Tool to automate Script-based approaches. This means you can easily run a Script like Certbot or Lego in a Sophos Factory environment to generate and upload the certificate to the Sophos Firewall. 

Sophos Factory offers a free Community Edition. https://community.sophos.com/sophos-factory/ https://community.sophos.com/sophos-factory/b/release-notes-news/posts/get-started-here-sophos-factory-offer-automation-for-all-with-its-free-community-edition

Within Sophos Factory, it could look like this:

Each step is one scripting component.By using tools like Lego and Github, the "Pipeline" will run one time, generate the certificate and upload it to the Firewall. 

Contribution:
 
 https://zerossl.com/free-ssl/#crt Free alternative to this approach
For the Github script. 
 Thanks for the PHP Script! 
 for a Powershell Script with WAF integration. 
 for another version of a Powershell Script. 




Edited Links
[edited by: emmosophos at 10:23 PM (GMT -8) on 5 Mar 2024]
Parents
  • We’ve been asking for this feature for YEARS now. It’s just unacceptable that Sophos hasn’t implemented it on XG. I’ve been on XG since V15 as others have, and we’re tired of asking for features and not getting a delivery. This request really isn’t that hard. Just make it happen so we can stop having to use these work around. It’s ridiculous.

  • Thanks for your Feedback. 

    __________________________________________________________________________________________________________________

  • Even ZTNA is not able to handle Let's encrypt renewals

  • I'd just like to point out... I've recently purchased an ASUS RT-AX55 for home use. It has LE support built in OOB. Again, I feel the need to stress this - a fairly cheap home-router has built-in LE support, while Sophos, offering a fairly expensive enterprise solution is unable or unwilling to add LE support to their FW...

  • The prioritization of the feature is not as high as other features, which are currently under deployment. 

    __________________________________________________________________________________________________________________

  • I'm not trying to start an argument when I say this, because that is what seems to happen with you anytime someone points out a feature that Sophos doesn't have. This is a community forum to help everyone and the product evolve.

    That being said, you can't be serious with that response. This has been the most requested feature since 2016. It's clear your customers want it. Sophos just needs to make it happen. I agree that ZTNA is awesome and is the future, but don't leave the existing customers to suffer until they adapt it. LetsEncrypt is really not hard to implement. Just make it happen and stop making excuses. 1244 votes for it! Just do it already. Should have been in V17 IMHO.

    ideas.sophos.com/.../13368852-let-s-encrypt-integration

  • I am not a Product Manager, i am simply a User of the product like you, but i am using LE on a SFOS Appliance since 2018. It was pretty easy to implement it via Script and this took the need from the product to support it. 

    BTW: I migrated most resources to ZTNA, which left only the user Portal and the Webadmin with LE. Webadmin only for internal access. 

    __________________________________________________________________________________________________________________

  • That's unbelievable.
    You are telling us, sophos is completly ignoring, what their customers are requesting for at least 5 years.
    Sorry, but this disqualifies as a reliable supplier for us, and I can't recommend them and their product's any more.
    If it is as easy to implement as you say, why does sophos risk to loose customers instead of just implementing this feature ?
    Maybe sophos should think about, who is paying the bills and therefor their sallaries.

  • Thanks for your Feedback. 

    __________________________________________________________________________________________________________________

  • Not Implementing Let's Encrypt and removing WAF from the "all inclusive" bundle while offering a product like ZTNA clearly shows the strategy of sophos to reduce the Sophos firewall back to a basic firewall with "sync sec" features on a long-term.

    if you want to use LE with a sophos product choose utm, since it is not marked as EoL you'll have fun with it for at least three to six years.

    lna@cema

    SCA (utm+xg), SCSE, SCT

    Sophos Platinum Partner

  • Hello ,

    your statement about 3 years is wrong.
    More and more suppliers are no longer issuing certificates for as long as this period (max. 1 Year only).
    The reason is that many client providers (browsers / cell phones Vendor) only consider certificates to be "ok"
    if they are valid for a maximum of one year.

    https://www.digicert.com/blog/1-year-tls-ssl-certificates-are-here-what-now

    Which I would understand if Sophos supported SCEP or other certificate exchange interfaces.
    It is always possible to use this against paid providers.
    But that doesn't work either, in the end the Sophos SFOS/XGS series is now a product I have to
    pay for but in the end it does less for most SMB customers than the UTM/SG.

    The only thing that forces one to leave UTM/SG is that the UTM/SG software sometimes has bugs that are not fixed for years (experienced by myself). Or even come back into the product (self experienced or still so).

    We ourselves realize that many German customers do not want SFOS as once UTM.
    We do not sell that than to explain to a customer that he must use scripts for a payment product
    or have to do without other things.

    Nevertheless, thanks for your script solution. For corporate customers, but this is nothing.
    You have to imagine that every device that runs at a customer needs something like this, IT will never be finished,
    you want to be smarter not slower and more vulnerable.
    Most customers are interested in manufacturer support and this has none.

    Best Regards Gerd

  • Thanks for your Feedback. I am using Sophos Factory for this use case in a broad scale solution with Wildcard LE Certificates. Factory allows me to do it as a partner as well to push it to all my customers from a single installation.

    This means, you can use Factory for this and other projects as well to publish all different solutions in a new approach. 

    https://docs.refactr.it/docs/

    This looks like the future to me. Doing any automation not based on the firewall, instead on a centralized instance and pushing everything you need to the firewall. 

    __________________________________________________________________________________________________________________

Reply
  • Thanks for your Feedback. I am using Sophos Factory for this use case in a broad scale solution with Wildcard LE Certificates. Factory allows me to do it as a partner as well to push it to all my customers from a single installation.

    This means, you can use Factory for this and other projects as well to publish all different solutions in a new approach. 

    https://docs.refactr.it/docs/

    This looks like the future to me. Doing any automation not based on the firewall, instead on a centralized instance and pushing everything you need to the firewall. 

    __________________________________________________________________________________________________________________

Children
No Data