Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • Replies 122 replies
  • Subscribers 61 subscribers
  • Views 126809 views
  • Users 0 members are here
Options
Suggested

Sophos Firewall: [LetsEncrypt] How To in Sophos Firewall

LuCar Toni

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.

NoteMake sure your Sophos Firewall time is correct to avoid potential Certificate Trust issues

Overview

This Recommended Read reviews different options for obtaining a Let's Encrypt certificate.

UTM has LE Support for WAF (since UTM9.6). But on Sophos, you can use LE certificates as well. Seems like many people does not know, you need a little Linux server and 5-10 minutes of your time each three month. Or you can automate this. 

First of all, I want to share the "how it works" page of LE. https://letsencrypt.org/how-it-works/

My Setup. 

Internet - Sophos - Ubuntu 20.04 LTS
Ubuntu has "certbot" installed. Feel free to use other LE modules.
https://certbot.eff.org/ https://certbot.eff.org/lets-encrypt/ubuntubionic-apache
Follow straight the Guide for your OS. I am relying fully on those apps for the renewal process.  

Next, I am choosing the HTTP-01 method for LE, so I need a DNAT for LE to my Ubuntu.

(V18). 

PS: I am using HTTP DNAT for the renewal process and deactivate those Rules after the process. But you can also use only the LE IPs: 
https://community.letsencrypt.org/t/can-i-get-list-ip-from-letsencrypt/57117
PS2: You could switch to the DNS validation as explained in this Community thread.  

The next step would be to check your Domain. Your DNS A-Record should point to your WAN IP. Otherwise, this process won’t work. 
So perform a dig / nslookup of your domain. It’ll point to your WAN IP, so your DNAT will work, and HTTP packets will be forwarded to Certbot. 
You can also use the Sophos free DDNS service. https://community.sophos.com/kb/en-us/123126 

Certbot

Let us start Certbot and try it. 
My renewal process is straightforward:


(Be careful: LE blocks you after couple of "failed" requests for some time. So check everything).
Ultimately, you’ll get four files on your Linux: Public, Chain, Fullchain, Privatkey Certificates. 

Upload to Sophos Firewall

You’ll use this Public and Privatkey certificate. 
There are a couple of approaches to upload this to Sophos. 

The first LE Cert can be uploaded. 
You should use the Public.pem in "Certificate" and the Privatkey in "Privat key". 
PS: you have to rename the Privatkey.pem to Privatkey.key. Otherwise, Sophos won’t take this certificate. 

Optionally, you can upload the other Chain and fullchain Certificate under Certificate Authorities (Without Privat key). 
Now, you can use this Certificate for WAF/Webadmin. 

In case of renewal (each 90 Days), you have to choose a process.

Automation 

You can upload the new LE certificate with another Name and replace it in WAF/Webadmin. 
Or you can "update" the current LE certificate with the new public.pem / privat.key. But for this method, you have to switch to a fallback certificate in WAF/Webadmin, because Sophos can't update a currently used certificate.  

After all, those steps are manual processes every 90 Days. 
You can "script" this if you want to. So basically, upload the certificate every 90 Days to Sophos. 


Other members of the community have already performed scripts for this.

If you want to script this, this community can help you if you struggle with a point.
So please open a new thread with your issue with the API, and we’ll try to find a solution. 

Sophos Factory

Sophos Factory brings a new Tool to automate Script-based approaches. This means you can easily run a Script like Certbot or Lego in a Sophos Factory environment to generate and upload the certificate to the Sophos Firewall. 

Sophos Factory offers a free Community Edition. https://community.sophos.com/sophos-factory/ https://community.sophos.com/sophos-factory/b/release-notes-news/posts/get-started-here-sophos-factory-offer-automation-for-all-with-its-free-community-edition

Within Sophos Factory, it could look like this:

Each step is one scripting component.By using tools like Lego and Github, the "Pipeline" will run one time, generate the certificate and upload it to the Firewall. 

Contribution:
  https://zerossl.com/free-ssl/#crt Free alternative to this approach
For the Github script. 
 Thanks for the PHP Script! 
 for a Powershell Script with WAF integration. 
 for another version of a Powershell Script. 



Edited Links
[edited by: emmosophos at 10:23 PM (GMT -8) on 5 Mar 2024]
Parents

  • Great information, but it's really something that should be integrated into XG.

    Here's the link to the feature request. Over 400 votes and counting.

    Let's Encrypt Feature Request

  • in reply to Arie

    I am aware of this, but i want to share a simple solution. 

    __________________________________________________________________________________________________________________

  • in reply to LuCar Toni

    I appreciate your post here but not sure I’d say this is a simple or sensible solution for a couple of reasons.

    There’s probably two main ones but the first one is that you have to take your websites offline within 90 days to update the certificates. While your doing that the sites are going to display what? The default I’ve just installed Apache page unless you change it. Or are you mirroring all the WAF rules in Apache configuration to reverse proxy the sites while doing this or redirecting them to the real server? Do you add in mod security to try and keep the sites secure from attacks while you do this or do you publish them without?

    Which ever of these options your likely picking, this isn’t likely to fly at a lot of businesses in my experience.

    The other issue is that this is either manual or needs your own integration written. That’s a lot of effort compared to Sophos UTM where it’s pretty much fire and forget, doesn’t involve taking your sites offline either.

    So obviously until there’s an official solution if you wish to use XG and Letsencrypt you don’t have much choice but this is a very poor bandaid to something that should get built in natively.

  • in reply to FastLaneJB

    I am only hosting a Certbot light version with apache right now. At the moment, i do not have any interrupt in the renewal process (beside the WAF restart in XG because i am changing the WAF rule). 

    Lets Encrypt can use only HTTP to verify the certificate. And it does not need any content on the page. You can read more about this process on the lets encrypt page and/or Certbot. 

    Do not forget, UTM got this last year (UTM9.6). Before that, every "LE integration" was a simple workaround by the community. 

     

    What i am doing is: 

    Enabling a DNAT Rule from Lets Encrypt IPs Port 80 to my Ubuntu Server.

    Starting Certbot to renewal the Certificate.

    Uploading the new Certificate to XG.

    Disabling the DNAT.

    Replacing the new Certificate in the WAF (OWA etc.) Rule and replacing the Certificate in the Webadmin. 

     


    I am simply point out a little workaround for the community. Also i am aware, that this is not quite a rock solid solution for a business case. I never told anybody, this is a "official" solution.

    Simply point out, that there is a way to work with this in the current product, if you want to.

     

    __________________________________________________________________________________________________________________

  • in reply to LuCar Toni

    You can generate LE certs completely online BTW, skipping the entire Ubuntu setup process...

     

    https://zerossl.com/free-ssl/#crt

     

    Just need to provide DNS auth, which you should have anyway if even looking at this option.

Reply Children
No Data
Unfiltered HTML