
Sophos Firewall: [LetsEncrypt] How To in Sophos Firewall

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


Overview

    This Recommended Read reviews the options for obtaining a Let's Encrypt (LE) certificate and installing it on Sophos Firewall.

    Update

    V21.0 supports Let's Encrypt onboard: Sophos Firewall v21 Early Access Announcement
    Note: Make sure your Sophos Firewall's clock is correct. Certificate validity (notBefore/notAfter) is checked against the system time, so a skewed clock causes certificate trust errors even with a freshly issued certificate.

    UTM has built-in LE support for WAF (since UTM 9.6). Sophos Firewall (SFOS) before v21 has no built-in ACME client, but you can still use LE certificates: all you need is a small Linux host running an ACME client, plus 5-10 minutes of your time every three months for the upload (or a script that does it for you).

    First, I want to share LE's "how it works" page. https://letsencrypt.org/how-it-works/

    My Setup

    Internet - Sophos Firewall - Ubuntu 20.04 LTS
    Ubuntu has "certbot" installed. Feel free to use another ACME client (e.g. Lego).
    https://certbot.eff.org/ https://certbot.eff.org/lets-encrypt/ubuntubionic-apache
    Follow the certbot guide for your own OS and web server as written (the second link above is the Ubuntu 18.04 "bionic" / Apache variant); I rely entirely on certbot for the renewal process.

    Next, I am choosing the HTTP-01 challenge for LE. The LE validation servers connect to TCP port 80 of the IP your domain's A record resolves to, so I need a DNAT rule on the firewall that forwards WAN port 80 to my Ubuntu host (where certbot answers the challenge under /.well-known/acme-challenge/).

    (Screenshot of the DNAT rule in SFOS v18 not reproduced here.)

    PS: I enable the HTTP DNAT rule only for the renewal run and disable it again afterwards. The linked thread explains that Let's Encrypt does not publish a fixed list of validation IP addresses (validation can come from several vantage points), so restricting the DNAT rule to "LE IPs" is not a reliable option:
    https://community.letsencrypt.org/t/can-i-get-list-ip-from-letsencrypt/57117
    PS2: As explained in this Community thread, you could switch to DNS-01 validation instead, which needs no inbound port 80 at all.

    The next step is to check your domain. Its DNS A record must point to your WAN IP; otherwise this process won't work.
    So perform a dig / nslookup of your domain. If it resolves to your WAN IP, your DNAT will match and the HTTP challenge requests will be forwarded to certbot.
    You can also use the free Sophos DDNS service if your WAN IP is dynamic. https://community.sophos.com/kb/en-us/123126

    Certbot

    Let us start certbot and try it.
    My renewal process is straightforward:


    (Be careful: Let's Encrypt rate-limits failed validations per hostname and per hour and blocks you for a while after a few failures, so check DNS and the DNAT rule before you run it. Use the --dry-run option, which talks to the LE staging environment and does not count against the production limits, until the challenge succeeds.)
    Ultimately, you'll get four files on your Linux host under /etc/letsencrypt/live/<your-domain>/: cert.pem (the public certificate), chain.pem (the intermediate chain), fullchain.pem (certificate plus chain) and privkey.pem (the private key).

    Upload to Sophos Firewall

    You'll use the public certificate (cert.pem) and the private key (privkey.pem).
    There are a couple of approaches to upload these to Sophos Firewall.

    The first LE certificate can be uploaded in the Certificates section (Upload certificate).
    Use cert.pem in "Certificate" and the private key in "Private key".
    PS: you have to rename privkey.pem to privkey.key; otherwise, Sophos Firewall won't accept the certificate. Keep the key file readable only by root (chmod 600) while it sits on the Linux host.

    Optionally, you can upload the chain and fullchain files under Certificate Authorities (without a private key).
    Now, you can use this certificate for WAF/Webadmin.

    For renewal (every 90 days, since LE certificates are valid for 90 days and certbot renews them by default once 30 days remain), choose one of the following processes.

    Automation 

    You can upload the renewed LE certificate under a new name and then switch WAF/Webadmin to it (the old entry can be deleted afterwards).
    Or you can "update" the existing LE certificate entry with the new cert.pem / privkey.key. For this method, you first have to switch WAF/Webadmin to a fallback certificate, because Sophos Firewall can't update a certificate that is currently in use.

    Without automation, these steps are a manual process every 90 days.
    You can script it if you want to; basically, the script uploads the renewed certificate to Sophos Firewall through the API every 90 days, ideally triggered by certbot's deploy hook so it runs only after a successful renewal.
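    The following script is an added example (not code from the original post or from Sophos): a certbot deploy hook that stages cert.pem and privkey.pem under the names the firewall expects and uploads them through the Sophos Firewall XML API, so the 90-day renewal and the upload happen in one run. Everything outside the certbot commands is an assumption for illustration: the hostname firewall.example.com, the API user, the CA file path, and in particular the XML element names (Certificate/Action/UploadCertificate, CertificateFormat, CertificateFile, PrivateKeyFile) and the multipart layout, which you should check against the API reference of your SFOS version before relying on them.

```shell
#!/bin/sh
# Added example (not from the original post): a certbot deploy hook that uploads
# the renewed certificate to Sophos Firewall through its XML API.
#
# Obtaining/renewing the certificate itself (HTTP-01 via certbot's standalone
# web server on port 80, matching the post's DNAT setup):
#   certbot certonly --standalone -d fw.example.com --deploy-hook /usr/local/sbin/sfos-upload.sh
#   certbot renew --dry-run      # tests against LE staging; no production rate limits
#
# Assumptions (none of these come from the original post):
#   - API access is enabled on the firewall for this host's IP.
#   - FW_USER is an admin with API permission; FW_PASS comes from the environment.
#   - The XML element names and multipart field names below match the firewall's
#     certificate upload request; verify them against your SFOS API reference.
set -eu

FW_HOST="${FW_HOST:-firewall.example.com}"          # assumed admin address
FW_USER="${FW_USER:-apiuser}"                        # assumed API user
FW_PASS="${FW_PASS:-}"                               # never hard-code; export before running
FW_CA="${FW_CA:-/etc/ssl/certs/sfos-admin-ca.pem}"   # CA of the admin interface (assumed path)
CERT_NAME="${CERT_NAME:-LE-$(date +%Y%m%d)}"         # fresh name per run so WAF/Webadmin can be switched

# Build the XML request body. The file names given here must match the field
# names used for the multipart attachments in upload_cert.
build_reqxml() {
    cat <<EOF
<Request>
  <Login>
    <Username>$1</Username>
    <Password>$2</Password>
  </Login>
  <Set operation="add">
    <Certificate>
      <Action>UploadCertificate</Action>
      <Name>$3</Name>
      <CertificateFormat>pem</CertificateFormat>
      <CertificateFile>$4</CertificateFile>
      <PrivateKeyFile>$5</PrivateKeyFile>
    </Certificate>
  </Set>
</Request>
EOF
}

# Copy certbot's output into a private work directory under the names the
# firewall expects: the key must carry a .key extension or the upload is rejected.
stage_files() {
    cp "$1/cert.pem"    "$2/cert.pem"
    cp "$1/privkey.pem" "$2/privkey.key"
    chmod 600 "$2/privkey.key"
}

upload_cert() {
    lineage="$1"
    workdir="$(mktemp -d)"
    chmod 700 "$workdir"
    trap 'rm -rf "$workdir"' EXIT
    stage_files "$lineage" "$workdir"
    # Keep the password out of the process list: write the request to a file and
    # let curl read it (-F "name=<file" sends the file content as the field value).
    build_reqxml "$FW_USER" "$FW_PASS" "$CERT_NAME" cert.pem privkey.key > "$workdir/req.xml"
    chmod 600 "$workdir/req.xml"
    # Verify the admin interface's certificate against its CA instead of using -k:
    # this request carries admin credentials and the new private key.
    curl --fail --silent --show-error --cacert "$FW_CA" \
         -F "reqxml=<$workdir/req.xml" \
         -F "cert.pem=@$workdir/cert.pem" \
         -F "privkey.key=@$workdir/privkey.key" \
         "https://$FW_HOST:4444/webconsole/APIController"
}

# certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/fw.example.com)
# when it invokes a deploy hook; outside certbot the functions are only defined.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    upload_cert "$RENEWED_LINEAGE"
fi
```

    Because each run uploads under a new name, this implements the first of the two renewal options above: after a run you still switch WAF/Webadmin to the new entry and delete the old one, which can be a second API call or a manual step. The deploy hook only fires after a successful renewal, so a failed validation never pushes anything to the firewall.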


    Other members of the community have already written scripts for this (see the contributions below).

    If you want to script this yourself, this community can help if you get stuck at some point.
    So kindly open a new thread describing your API issue, and we'll try to find a solution.

    Sophos Factory

    Sophos Factory brings a new tool to automate script-based approaches. This means you can run a script, or an ACME client such as certbot or Lego, in a Sophos Factory pipeline to generate the certificate and upload it to the Sophos Firewall.

    Sophos Factory offers a free Community Edition. https://community.sophos.com/sophos-factory/ https://community.sophos.com/sophos-factory/b/release-notes-news/posts/get-started-here-sophos-factory-offer-automation-for-all-with-its-free-community-edition

    Within Sophos Factory, it could look like this:

    Each step is a scripting component. Using tools like Lego and GitHub, each run of the "Pipeline" generates the certificate and uploads it to the firewall.

    Contribution:

    https://zerossl.com/free-ssl/#crt - free alternative to this approach
    For the GitHub script.
    Thanks for the PHP script!
    For a PowerShell script with WAF integration.
    For another version of a PowerShell script.




    Added link
    [edited by: emmosophos at 10:47 PM (GMT -8) on 16 Dec 2024]
    • What about a platform to do automation entirely? 

      See: Sophos Factory. 

      Sophos has this feature in the backlog for future implementation. The implementation could differ from the other products. While UTM did an HTTP-only approach, SFOS could go in the direction of doing it via DNS. ACME/Let's Encrypt supports a certificate renewal process by a third party. That is the approach which looks way better.

      For example: you simply point your DNS to Central. Central will renew your certificate and push it to the firewall. That is the better approach, as it will give you a wildcard certificate, you will get the certificate all the time without having a web server running on the firewall, etc. This would mean no ties to a Webserver Protection subscription as well.

      __________________________________________________________________________________________________________________

    • Nope, it's not easy to have this Sophos connected to the DNS service. Let's see what's coming. But at the moment, from the customer's view, I'm not happy with Sophos any more. Let's see what is going on, and in the meantime I'm looking for other solutions on the market ;)

    • DNS options are much more secure than the web option.

      Just having an ACME DNS entry pointing to Central and handling the setup there seems to be nice. But please not only wildcards. Keep in mind customers might have different Let's Encrypt DNS solutions, and pointing to Central might not be possible.

    • Sophos will not connect to DNS. You will simply point one DNS record to the DNS services of Sophos, i.e. by using a CNAME. It is one ACME CNAME you maintain one time, which is sufficient to do this.

      __________________________________________________________________________________________________________________

    • I cannot give a date. Until then, you could look at Sophos Factory if you want to expand your business into automation anyway.

      __________________________________________________________________________________________________________________

    • Yes, I know, I am doing this. But when you point the wildcard ACME to Central, I am not able to use it for other ACME setups.

      Even when pointing a server1.customer.de ACME to Central, I am not able to use it for other internal ACME stuff.

      With this approach, I must be able to use the Central DNS API, too.

      Customer example: ACME CNAME in the main domain to a DNS API domain. The ACME script only writes data to the DNS API domain.

    • You can overwrite the CNAME with your own TXT record at any time, if you want. This means you are still in control of your domain if you want to generate additional ACME certificates. Simply remove the CNAME, update your own DNS TXT record and generate your scripts. DNS will always be used for the entire domain.

      I highly doubt Sophos will implement a certificate store for you, which means the firewall is not your central certificate store to renew and upload to other products.

      That should be (especially from an automation and security perspective) an automation tool in a Docker container, like Sophos Factory.

      Take a look at this tool; it can actually do exactly this. It will store the data only during processing and upload it to your desired places/machines, etc.

      __________________________________________________________________________________________________________________

    • Hi,

      The main problem: DNS API tokens are often too aggressive; they allow too much.

      What we do: we add a constant CNAME to a different domain and change DNS entries through the API in this domain.

      When the API token is compromised, changes in the main DNS zone are not possible.

      Sven

    • Hello,

      your statement about 3 years is wrong.
      More and more suppliers are no longer issuing certificates for as long as this period (max. 1 year only).
      The reason is that many client providers (browser / cell phone vendors) only consider certificates to be "ok"
      if they are valid for a maximum of one year.

      https://www.digicert.com/blog/1-year-tls-ssl-certificates-are-here-what-now

      Which I would understand if Sophos supported SCEP or other certificate exchange interfaces.
      It is always possible to use this against paid providers.
      But that doesn't work either; in the end, the Sophos SFOS/XGS series is now a product I have to
      pay for, but in the end it does less for most SMB customers than the UTM/SG.

      The only thing that forces one to leave UTM/SG is that the UTM/SG software sometimes has bugs that are not fixed for years (experienced by myself), or that even come back into the product (self-experienced, or still so).

      We ourselves realize that many German customers do not want SFOS as they once wanted UTM.
      We do not sell it rather than explain to a customer that he must use scripts for a paid product
      or has to do without other things.

      Nevertheless, thanks for your script solution. For corporate customers, though, this is nothing.
      You have to imagine that every device that runs at a customer needs something like this; IT will never be finished,
      you want to be smarter, not slower and more vulnerable.
      Most customers are interested in manufacturer support, and this has none.

      Best regards, Gerd