
Sophos Firewall: LetsEncrypt with Sophos Firewall and Sophos Factory

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.

Note: Make sure the system time of your Sophos Firewall is correct. A clock that is off can cause certificate trust (validity period) errors.


Sophos Factory is a tool for automating script-based workflows. This means you can run a script such as Certbot or Lego inside a Sophos Factory environment to generate the certificate and upload it to the Sophos Firewall.

Sophos Factory offers a "free" Community Edition.

Within Sophos Factory, it could look like this:

Use the Sophos Factory Community for any Factory-related questions: Sophos Factory

Let us dig deeper into this scenario: 

We’re using Lego to renew the certificate; refer to the Lego documentation for details. Lego supports many DNS providers. In this example, we’re using Route 53 (DNS by AWS) together with the AWS console feature of Sophos Factory.

If your DNS vendor isn’t supported:
You can still use Lego by redirecting the challenge: the ACME challenge record of your domain is pointed (via CNAME) to a DNS zone at a provider Lego does support, so the challenge is answered there. In my example, I am using Route53 by AWS.

Sophos Factory uses pipelines to do a job. In this pipeline, we install the tools needed to renew the wildcard Let's Encrypt certificate and upload it to the firewall.

Step 1: Firewall Variable

Define the firewall variable (the firewall the certificate will be uploaded to).

Step 2: Lego Repository

Download the Lego release archive (Lego is an alternative to Certbot).


Step 3: Extracting the Archive

Unpack the release archive:

tar xf lego_v4.10.0_linux_386.tar.gz

Step 4: Installation and Cloning

Install Go for Lego to run by cloning the update-golang helper and running its install script.

git clone        # repository URL is not given in the original
cd update-golang
sudo ./          # script name is not given in the original

Step 5: Running Lego and Fetching the Let's Encrypt Certificate

Important: We’re running this with AWS credentials (Lego needs Route 53 access for the DNS challenge).
Lego stores the certificate files under a name derived from the domain; in this example that name contains "saleseng", so you must replace it with your own domain name.

./lego --email="" --domains="*" --dns="route53" -a  run

(The e-mail and domain values are blank in the original; -a is the short form of --accept-tos.)


Step 6: Uploading the Certificate and Replacing It Everywhere

This step can be scripted following: Sophos Firewall: [LetsEncrypt] How To in Sophos Firewall

My recommendation would be the following:

Try the renewal and upload the result to a storage location of your choice first, before you automate the entire process. You could also split the work: one pipeline does the renewal and another uploads the certificate to the firewall from your storage (such as an S3 bucket).

Important notice: Be careful with the initial runs. A failing renewal process can get your domain blocked by Let's Encrypt for some hours/days.

Sophos Factory uses a container approach: if you run the renewal and fail to upload the result to your storage (such as an S3 bucket), it’s gone. The pipeline runs once, and after the run all data is erased by the runner.
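The following shell script is an added example and is not code from the article or from Sophos. It wraps Step 5 and Step 6 into one pipeline step: it runs lego only when the stored certificate is missing or close to expiry, verifies the files lego produced (key matches certificate, certificate not expired) before anything is uploaded, and uses the Let's Encrypt staging endpoint for the first runs so a broken pipeline cannot exhaust production rate limits. The domain, e-mail address and the upload_cert function body are placeholders; the file naming (lego writes <path>/certificates/<domain>.crt and .key, with the wildcard "*" replaced by "_") is lego's documented behaviour.

```shell
#!/bin/sh
# Added example, not code from the article or from Sophos: a wrapper around the
# Step 5 / Step 6 part of the pipeline. It renews the wildcard certificate with
# lego, verifies the files lego produced, and only then calls an upload step.
# Domain and e-mail values below are placeholders.
set -eu

DOMAIN="${DOMAIN:-*.example.com}"             # placeholder; a pipeline variable in practice
EMAIL="${EMAIL:-admin@example.com}"           # placeholder contact address
LEGO_PATH="${LEGO_PATH:-$PWD/.lego}"          # lego's default data directory (--path)
# Let's Encrypt staging endpoint for the first runs: it issues untrusted test
# certificates but does not count against production rate limits. Switch to
# https://acme-v02.api.letsencrypt.org/directory once the pipeline works.
ACME_SERVER="${ACME_SERVER:-https://acme-staging-v02.api.letsencrypt.org/directory}"

# lego stores output under <LEGO_PATH>/certificates/ and replaces the wildcard
# '*' in the domain name with '_' (so "*.example.com" becomes "_.example.com").
lego_cert_basename() {
    printf '%s' "$1" | sed 's/\*/_/g'
}
lego_cert_file() { printf '%s/certificates/%s.crt' "$LEGO_PATH" "$(lego_cert_basename "$1")"; }
lego_key_file()  { printf '%s/certificates/%s.key' "$LEGO_PATH" "$(lego_cert_basename "$1")"; }

# Renew only when the stored certificate is missing or expires within N days
# (default 30): renewing on every pipeline run is what trips Let's Encrypt limits.
needs_renewal() {
    crt="$1"; days="${2:-30}"
    [ -f "$crt" ] || return 0
    ! openssl x509 -in "$crt" -noout -checkend $((days * 86400))
}

# Same invocation as the article's Step 5, with the ACME server and an explicit
# data path added. AWS credentials for Route 53 come from the environment.
run_lego() {
    ./lego --email="$EMAIL" --domains="$DOMAIN" --dns="route53" \
           --server="$ACME_SERVER" --path="$LEGO_PATH" --accept-tos run
}

# Checks to run before anything touches the firewall: both files exist, the
# private key matches the certificate, and the certificate is valid for at
# least another day.
verify_cert() {
    crt="$1"; key="$2"
    { [ -s "$crt" ] && [ -s "$key" ]; } || { echo "lego output missing" >&2; return 1; }
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout | openssl sha256)
    [ "$crt_pub" = "$key_pub" ] || { echo "private key does not match certificate" >&2; return 1; }
    openssl x509 -in "$crt" -noout -checkend 86400 || { echo "certificate (nearly) expired" >&2; return 1; }
}

# Placeholder upload step: in the article this is either a copy to external
# storage (e.g. an S3 bucket) or the firewall upload from the linked how-to.
# The runner's filesystem is discarded after the pipeline, so this must run
# in the same pipeline that produced the files.
upload_cert() {
    echo "upload step: $1 $2 (implement with your storage or firewall upload)"
}

main() {
    crt=$(lego_cert_file "$DOMAIN"); key=$(lego_key_file "$DOMAIN")
    if needs_renewal "$crt"; then
        run_lego
    else
        echo "certificate still valid for 30+ days, skipping renewal"
    fi
    verify_cert "$crt" "$key"
    upload_cert "$crt" "$key"
}

# Only run the pipeline when the lego binary from Step 3 is present.
if [ -x ./lego ]; then main; fi
```

Once the staging run succeeds end to end (including the upload), change ACME_SERVER to the production directory URL; the staging certificate itself is not trusted by clients and must not be installed on the firewall.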

Added Note about Time, and Certificates TAGs
[edited by: emmosophos at 4:50 PM (GMT -7) on 13 Oct 2023]