
Sophos Firewall: [LetsEncrypt] How To in Sophos Firewall

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


Overview

    This Recommended Read reviews the different options for obtaining a Let's Encrypt certificate and using it on Sophos Firewall.

    Update

    Update: V21.0 supports Let's Encrypt onboard:  Sophos Firewall v21 Early Access Announcement  
    Note: Make sure your Sophos Firewall time is correct to avoid potential Certificate Trust issues

    UTM has had built-in LE support for WAF since UTM 9.6. You can also use LE certificates on Sophos Firewall; what many people do not know is that all you need is a small Linux server and 5-10 minutes of your time every three months, and even that can be automated. 

    First, I want to share LE's "how it works" page. https://letsencrypt.org/how-it-works/

    My Setup

    Internet - Sophos - Ubuntu 20.04 LTS
    Ubuntu has "certbot" installed. Feel free to use another LE client.
    https://certbot.eff.org/ https://certbot.eff.org/lets-encrypt/ubuntubionic-apache
    Simply follow the guide for your OS. I rely entirely on those tools for the renewal process.  

    Next, I chose the HTTP-01 challenge for LE, so I need a DNAT rule that forwards the LE validation request to my Ubuntu server.

     (V18). 

    PS: I use the HTTP DNAT rule only for the renewal process and deactivate it afterward. Alternatively, you can restrict the rule to the LE IPs: 
    https://community.letsencrypt.org/t/can-i-get-list-ip-from-letsencrypt/57117
    PS2: As explained in this Community thread, you could switch to DNS validation instead.  

    The next step is to check your domain. Your DNS A record must point to your WAN IP; otherwise, this process won’t work. 
    So run dig or nslookup on your domain and confirm it resolves to your WAN IP. Only then will your DNAT rule match, and the HTTP validation packets will be forwarded to Certbot. 
    You can also use the Sophos free DDNS service. https://community.sophos.com/kb/en-us/123126 

    Certbot

    Let us start Certbot and try it. 
    My renewal process is straightforward:


    (Be careful: LE rate-limits you for some time after a couple of failed requests, so check everything first.)
    Ultimately, you’ll get four files on your Linux server: the public certificate, chain, fullchain, and private key. 

    Upload to Sophos Firewall

    You’ll use the public certificate and the private key. 
    There are a couple of ways to upload them to Sophos Firewall. 

    The first LE certificate can simply be uploaded. 
    Use the Public.pem in "Certificate" and the private key in "Private key." 
    PS: you have to rename Privatekey.pem to Privatekey.key. Otherwise, Sophos won’t accept this certificate. 

    Optionally, you can upload the Chain and Fullchain certificates under Certificate Authorities (without a private key). 
    Now you can use this certificate for WAF/Webadmin. 

    For renewal (every 90 days), choose one of the following processes.

    Automation 

    You can upload the new LE certificate under another name and swap it in under WAF/Webadmin. 
    Or you can "update" the current LE certificate with the new public.pem / private.key. For this method, however, you first have to switch WAF/Webadmin to a fallback certificate, because Sophos can't update a certificate that is currently in use.  

    All of these steps are manual and repeat every 90 days. 
    You can script this if you want to. Essentially, upload the new certificate to Sophos Firewall every 90 days. 
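    The DNS check, the private-key rename and the 90-day renewal steps above, as an added deploy-hook example that is not from the original post: it checks the A record, verifies that the renewed key matches the certificate, reports the days left, and stages the four certbot files under upload-friendly names. The upload itself (WebAdmin or API) is left to the reader; the staging directory, the file names and the availability of openssl and GNU date are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): a certbot --deploy-hook that
# checks the HTTP-01 precondition, verifies the renewed files and stages them
# under the names the firewall's upload form expects. Assumes certbot's live
# directory layout (cert.pem, chain.pem, fullchain.pem, privkey.pem), the
# openssl CLI and GNU date (Ubuntu). Paths below are placeholders.
set -eu

# Return 0 when the A record of domain $1 resolves to WAN IP $2, the
# precondition for the HTTP-01 request to reach the DNAT rule at all.
a_record_matches() {
    dig +short A "$1" | grep -qx "$2"
}

# Return 0 when private key $2 belongs to certificate $1, by comparing the
# SubjectPublicKeyInfo of both. Empty output (unreadable file) never matches.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Print the whole days left before certificate $1 expires (fresh LE: 89-90).
days_until_expiry() {
    not_after=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
    end=$(date -u -d "$not_after" +%s)
    now=$(date -u +%s)
    echo $(( (end - now) / 86400 ))
}

# Copy the four certbot files from live dir $1 into staging dir $2.
# privkey.pem becomes privatekey.key, because the post notes the firewall
# will not accept a .pem private key. Prints the staging dir on success.
stage_for_upload() {
    live="$1"; out="$2"
    key_matches_cert "$live/cert.pem" "$live/privkey.pem" || return 1
    mkdir -p "$out"
    cp "$live/cert.pem"      "$out/public.pem"
    cp "$live/chain.pem"     "$out/chain.pem"
    cp "$live/fullchain.pem" "$out/fullchain.pem"
    cp "$live/privkey.pem"   "$out/privatekey.key"
    chmod 600 "$out/privatekey.key"
    echo "$out"
}

# certbot exports RENEWED_LINEAGE to --deploy-hook scripts; stage when run that way.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    stage_for_upload "$RENEWED_LINEAGE" /var/tmp/sophos-upload
fi
```

    Register it with certbot renew --deploy-hook /path/to/this-script.sh, then deactivate the DNAT rule again once the staged files have been uploaded.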


    Other members of the community have already written scripts for this.

    If you want to script this and get stuck at some point, this community can help.
    Kindly open a new thread describing your issue with the API, and we’ll try to find a solution. 

    Sophos Factory

    Sophos Factory brings a new tool for automating script-based approaches. This means you can easily run a script such as Certbot or Lego in a Sophos Factory environment to generate the certificate and upload it to the Sophos Firewall. 

    Sophos Factory offers a free Community Edition. https://community.sophos.com/sophos-factory/ https://community.sophos.com/sophos-factory/b/release-notes-news/posts/get-started-here-sophos-factory-offer-automation-for-all-with-its-free-community-edition

    Within Sophos Factory, it could look like this:

    Each step is a scripting component. Using tools like Lego and GitHub, the "Pipeline" runs once, generates the certificate, and uploads it to the firewall. 

    Contributions:
     
     https://zerossl.com/free-ssl/#crt is a free alternative to this approach.
     For the GitHub script. 
     Thanks for the PHP script! 
     For a PowerShell script with WAF integration. 
     For another version of a PowerShell script. 




    Added link
    [edited by: emmosophos at 10:47 PM (GMT -8) on 16 Dec 2024]
    • Thanks for your feedback. I am using Sophos Factory for this use case in a broad-scale solution with wildcard LE certificates. Factory also allows me, as a partner, to push it to all my customers from a single installation.

      This means you can use Factory for this and other projects as well, to publish all kinds of solutions in a new approach. 

      https://docs.refactr.it/docs/

      This looks like the future to me: doing any automation not on the firewall but on a centralized instance, and pushing everything you need to the firewall. 

      __________________________________________________________________________________________________________________

    • This Feature was one of the top ranked Requests in Ideas (rip).

      People ask for it on every corner of the forums.

      The feature was promised at the same time as it was for UTM. UTM has had it for years now, and for XG it is still "on the Roadmap" with no sign of anybody even touching it.

      Just another feature the "next gen" does not have, and likely will not get any time soon. 

      Sophos' communication on development and feature implementation in XG is getting to a point where it is embarrassing at best, fraudulent at worst.

    • Why not do it with Factory for free? I actually don't need to do WAF LE for any reason, as I am publishing the wildcard certs via Factory to all firewalls and other products as well. 

      So if you want to have LE, you could have it by the end of the business day for all your products without any problems. Also, the script above should help lift those limitations for all customers, if needed. 

      __________________________________________________________________________________________________________________

    • Because having to use an external tool is at least one more step than it was with the UTM, where it - apart from accepting new EULAs recently - never caused any problems at all.

      For me it is not a critical feature at all, but I can understand everyone who is frustrated that it is still not implemented after years of requests. The XG/XGS/Sophos Firewall system is evolving; many things have gotten easier (and some harder) to use. But sometimes it still feels like taking part in a beta program rather than having the "state of the art" product.

      It can't be this hard to implement a silly simple feature like LetsEncrypt the way it was in the good old UTM. Click a checkbox, enter a FQDN and select an interface. "Save and forget about it".

      Regards,

      Kevin

      Sophos CE/CA (XG, UTM, Central Endpoint)
      Gold Partner

    • This, and the usual "will be implemented by next version" answer by Sophos.

      And Factory is a fun toy if you have a few connected instances,
      but good luck implementing and managing 300 customers with independent firewalls.

      For me it is not a critical feature. But as we have multiple customers with at least 100 WAF instances using LE certs on over 30 firewalls, and given the current state of missing features in XG's WAF, none of those will migrate to XG, as this would mean having a separate reverse proxy appliance/VM to replicate what UTM can do.

    • Factory is actually a tool to scale up to enterprise customers. It is a tool to work with thousands of customers at once. Did you try out the way Factory works? You can build a pipeline, use each customer's own credentials and reuse the pipeline 300 times, no worries. So it would be possible to do this 300 times and much more. I see Factory as the new way of integrating and working as a partner, and every partner should invest time into this way of working compared to "the old-fashioned way". 

      LE is not part of the near-future roadmap. There is no commitment to do it in the next version by any means. Customers are looking into buying a cheap wildcard cert and using it in the meantime. I would not see WAF certificate management as a blocker for a migration for any reason. This is something we can easily solve in two ways: use a tool like Factory (customer or partner) or purchase a certificate. This cannot be a blocker for migration, and if it is a blocker, feel free to contact your Sophos sales rep to discuss the options there (maybe a virtual UTM for WAF, for example). 

      __________________________________________________________________________________________________________________

    • Thanks for saying that Sophos is not listening to their customers. We have 30 rules on the WAF. Changing the certificate is a pain. LE would be really great. No, we don't want another system running that we have to take care of ...

    • At the end of the day, it's just ridiculous that Sophos refuses to add such a simple feature. And your suggestion is to run a virtual UTM? Come on. Most of your competition supports LE and has for a while. Wildcard certs are not cheap, and that is just something else for end users to worry about, when the simple solution is to add the feature.

    • That is not my point. LE is on the backlog, but other features are more pressing to implement compared to LE, which is easily replaceable.

      BTW: You can easily change it with XML import/export.

      And as you can see, LE alone would not work. You need a change in the entire certificate management of SFOS (core), which means it needs to replace the certificate completely transparently in all modules. 

      The next question is: are we going to do the old HTTP integration, which is likely insecure compared to DNS? The future-proof way to integrate this would be the DNS challenge. The DNS challenge means you would have to host your own DNS server or support a DNS service with API hooks. This is the next challenge. 

      Just to give you an overview of the decision making. 

      __________________________________________________________________________________________________________________

    • No, it's not easy to do with XML. If you do it regularly it is possible, but not for the normal customer ...