When will Sophos XG support Let's Encrypt like UTM 9.6?

Hi,

I am a Sophos XG user and do like it, but UTM has this feature that supports Let's Encrypt; this is really one of the features Sophos XG does not have.

There are a few other features, but does someone know whether this feature is on the Sophos XG roadmap? When can we expect this feature?

  • I know, this feature is simply a certbot on the UTM itself. 

    But you could resolve this by using a certbot on a box behind XG and simply uploading the certificate to XG.

    Takes only 5-10 minutes per 90 days. So it is possible right now without any needs.

  • OK, can I automatically upload the certs to Sophos XG from that Linux system, or must I still do it manually? That's just the thing I try to avoid.

  • You could write a script if you want to. But to be honest, it takes 4 clicks in the GUI to upload both. You need key and cert.

    https://community.sophos.com/kb/en-us/132560

  • As true as this might be, on UTM it's now completely set-and-forget and it will work and keep working. And while you say it's a couple of minutes every 90 days (where LE advises to renew every 60 days IIRC), it's still more work than on UTM and it can be forgotten, with every nasty consequence....

    Lately XG has been quicker at incorporating new features; however, on this one UTM was first. Would really be nice to also get this feature in XG asap.

    Regards, Jelle

    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improving IT security and enjoying helping others with their IT security challenges.
    Sophos XG210-HA (SFOS 18.0.4) on SG210 appliances with Sandstorm and 1x AP55
    Sophos Central with Intercept X Advanced, Device Encryption, Phish Threat, Mobile Control Advanced

  • LuCar Toni said:

    Takes only 5-10 minutes per 90 days. So it is possible right now without any needs.

    The need comes from admins at partner sites that have to:
    1. think about this every 90 days
    2. do this for maybe 40 firewalls, and on each firewall they have about 5-10 domains...
    3. need to explain to their end-customer why this effort costs half an hour every 90 days.

    This is not very comfortable, and it wouldn't be that big an issue to implement this on XG as well...

    I can't understand this management decision, because Sophos promised to bring all the new features to XG first, which is not the case here...

    Please send me Spam gueselkuebel@sg-utm.also-solutions.ch

  • You could simply build a script which renews the certificate by opening a DNAT via the API, starting certbot, generating the certificate, renaming the private key file to .key and uploading both files via the API to XG.

    This would be the use case in bigger environments, if you are not willing to buy a certificate.

    The script would be something on a Linux server like:

    1. Check the validity time of the current certificate (check for example the WebAdmin cert).
    2. Open via the API the DNAT rule to Linux port 443 / 80.
    3. Start certbot --renewal
    4. Rename the private key to .key to get a valid file for upload.
    5. Upload the certificate with the private key via the API to XG and name it "%Domain%+%date%".
    6. Use the API to switch the certificate to this certificate.
    7. Check the new certificate via openTLS.
    8. Disable the DNAT via the API.
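The renewal loop sketched in the post above, written out as a Python script, is shown below. This is an added example, not code from the post's author or from Sophos, and it rests on assumptions that must be checked against the SFOS API reference for your firmware version: the API endpoint path and its `reqxml` form field, the XML element names used for the firewall rule, certificate upload and WebAdmin settings, the convention that uploaded files travel as multipart parts named after the file names referenced in the XML, and the existence of a pre-created (disabled) DNAT rule on the firewall. The hostnames, rule name and credentials are placeholders. The design point worth copying is the `try/finally`: the DNAT rule is closed again even when certbot or the upload fails, so a broken renewal run never leaves port 80/443 forwarded to the Linux box.

```python
"""Let's Encrypt renewal loop for Sophos XG, orchestrated from a Linux host.
Added example. ASSUMED and to be verified against the SFOS API docs: endpoint
path and 'reqxml' field, all XML element names below, multipart part naming,
and an existing (disabled) DNAT rule on the firewall."""
import datetime as dt
import os
import shutil
import socket
import ssl
import subprocess
import urllib.request
import uuid
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

RENEW_BEFORE_DAYS = 30                        # act when fewer than 30 days remain
API_PATH = ":4444/webconsole/APIController"   # assumed SFOS API endpoint


def needs_renewal(not_after: dt.datetime, now: dt.datetime,
                  threshold_days: int = RENEW_BEFORE_DAYS) -> bool:
    """Step 1: decide from the current certificate's expiry whether to act."""
    return not_after - now < dt.timedelta(days=threshold_days)


def remote_cert_not_after(host: str, port: int) -> dt.datetime:
    """Read the expiry of the (validated) certificate served on host:port (steps 1 and 7)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            not_after = tls.getpeercert()["notAfter"]
    return dt.datetime.strptime(not_after, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=dt.timezone.utc)


def cert_name(domain: str, when: dt.date) -> str:
    """The "%Domain%+%date%" naming from the post."""
    return f"{domain}+{when.isoformat()}"


def api_request(username: str, password: str, operation_xml: str) -> str:
    """Wrap one operation in the <Request><Login/>...</Request> envelope (assumed layout)."""
    req = ET.Element("Request")
    login = ET.SubElement(req, "Login")
    ET.SubElement(login, "Username").text = username
    ET.SubElement(login, "Password").text = password
    req.append(ET.fromstring(operation_xml))
    return ET.tostring(req, encoding="unicode")


def rule_status_xml(rule_name: str, enable: bool) -> str:
    """Steps 2 and 8: enable/disable the DNAT rule that exposes certbot's port (assumed elements)."""
    return (f'<Set operation="update"><FirewallRule><Name>{escape(rule_name)}</Name>'
            f'<Status>{"Enable" if enable else "Disable"}</Status></FirewallRule></Set>')


def upload_cert_xml(name: str, cert_file: str, key_file: str) -> str:
    """Step 5: register the PEM cert and .key file sent as multipart parts (assumed elements)."""
    return (f'<Set><Certificate><Action>UploadCertificate</Action><Name>{escape(name)}</Name>'
            f'<CertificateFormat>pem</CertificateFormat><CertificateFile>{escape(cert_file)}'
            f'</CertificateFile><PrivateKeyFile>{escape(key_file)}</PrivateKeyFile></Certificate></Set>')


def webadmin_cert_xml(name: str) -> str:
    """Step 6: switch the WebAdmin certificate to the new one (assumed elements)."""
    return (f'<Set><AdminSettings><WebAdminSettings><Certificate>{escape(name)}</Certificate>'
            f'</WebAdminSettings></AdminSettings></Set>')


def api_succeeded(response_xml: str) -> bool:
    """True when login succeeded and the operation reported Status code 200 (assumed shape)."""
    root = ET.fromstring(response_xml)
    login = root.find("./Login/status")
    if login is not None and "Success" not in (login.text or ""):
        return False
    status = root.find(".//Status")
    return status is not None and status.get("code") == "200"


def post_api(fw_host: str, reqxml: str, files=()) -> str:
    """POST reqxml plus optional files as multipart/form-data to the firewall."""
    boundary = "----xg-le-" + uuid.uuid4().hex
    body = (f'--{boundary}\r\nContent-Disposition: form-data; name="reqxml"\r\n\r\n{reqxml}\r\n').encode()
    for path in files:                        # assumption: part name == referenced file name
        with open(path, "rb") as fh:
            data = fh.read()
        fname = os.path.basename(path)
        body += (f'--{boundary}\r\nContent-Disposition: form-data; name="{fname}"; filename="{fname}"'
                 f'\r\nContent-Type: application/octet-stream\r\n\r\n').encode() + data + b"\r\n"
    body += f"--{boundary}--\r\n".encode()
    req = urllib.request.Request(f"https://{fw_host}{API_PATH}", data=body, method="POST",
                                 headers={"Content-Type": f"multipart/form-data; boundary={boundary}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()


def renew(domain, fw_host, api_user, api_pass, dnat_rule, live_dir="/etc/letsencrypt/live"):
    """Run steps 1-8; 'domain' must resolve to the firewall's WebAdmin (port 4444) from here."""
    now = dt.datetime.now(dt.timezone.utc)
    try:
        due = needs_renewal(remote_cert_not_after(domain, 4444), now)
    except OSError:                           # expired/untrusted cert or unreachable: renew
        due = True
    if not due:
        return None

    def call(op, files=()):
        return post_api(fw_host, api_request(api_user, api_pass, op), files)

    if not api_succeeded(call(rule_status_xml(dnat_rule, True))):
        raise RuntimeError("could not enable DNAT rule")
    try:
        subprocess.run(["certbot", "renew", "--non-interactive"], check=True)
        src = os.path.join(live_dir, domain)
        key_path = os.path.join(src, "privkey.key")          # step 4: .key extension
        shutil.copyfile(os.path.join(src, "privkey.pem"), key_path)
        name = cert_name(domain, now.date())
        if not api_succeeded(call(upload_cert_xml(name, "fullchain.pem", "privkey.key"),
                                  [os.path.join(src, "fullchain.pem"), key_path])):
            raise RuntimeError("certificate upload failed")
        if not api_succeeded(call(webadmin_cert_xml(name))):
            raise RuntimeError("switching WebAdmin certificate failed")
        if remote_cert_not_after(domain, 4444) <= now + dt.timedelta(days=RENEW_BEFORE_DAYS):
            raise RuntimeError("firewall still serves the old certificate")
        return name
    finally:
        call(rule_status_xml(dnat_rule, False))              # step 8, even on failure
```

Run it from cron on the Linux host with an API user that is restricted to the firewall's API access list, and keep the DNAT rule disabled between runs; the `needs_renewal` check means the rule is only opened on the runs where a renewal is actually due.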

  • LuCar Toni said:

    You could simply build a script which renews the certificate by opening a DNAT via the API, starting certbot, generating the certificate, renaming the private key file to .key and uploading both files via the API to XG.

    This would be the use case in bigger environments, if you are not willing to buy a certificate.

    The script would be something on a Linux server like:

    1. Check the validity time of the current certificate (check for example the WebAdmin cert).
    2. Open via the API the DNAT rule to Linux port 443 / 80.
    3. Start certbot --renewal
    4. Rename the private key to .key to get a valid file for upload.
    5. Upload the certificate with the private key via the API to XG and name it "%Domain%+%date%".
    6. Use the API to switch the certificate to this certificate.
    7. Check the new certificate via openTLS.
    8. Disable the DNAT via the API.

    Could you build such a script and write a how-to so we can set up auto-renewal of certificates on Sophos XG until Sophos XG supports it like UTM?

  • Would suggest doing it on your own. There are X ways to achieve this. And after all, it depends on your preferred language.

  • LuCar, you completely missed the point. It should be automated as it is in SG, and don't make me get on my soap box about the certificate authorities and how much they charge for something like DV certs... EV certs are a different story, they are worth something (IF the CA actually does some investigating and background checks...). DV should be free. There is almost never human intervention with a DV cert from a CA.

    I digressed, back to the point.

    Type up all the examples you want about how to get and install a LE certificate; they (the examples you provided) still require my time to intervene. It shouldn't. I am in the process of switching a customer from SG to XG, and when I was looking for this feature and found out it's not available in XG, well, it makes me mad.
    It is in SG, and it is simple to implement, so why is it not in XG?

    There are enough glaring shortcomings in XG, but I guess we can add another one to the list.

    Gotta be honest, this would have been a deal breaker if I had known. I would have stayed with SG.