Errors trying to regenerate certificates (Heartbleed mitigation)

Ben, Slikone's trick should still work.  It sounds to me like you have something broken in your configuration or in the software or maybe the site-specific-removed backup was faulty.

I'm confused about what you and William are saying on the issue of certificates.  Normal backups contain CAs and Certificates that will overwrite whatever is in WebAdmin when a normal backup is restored.

Cheers - Bob

If you don't need public resolution, you don't need your own domain name. It certainly makes things easier to do and clarifies things for others.

If you don't want to buy a domain name, you can use one of the free dynamic DNS services (not DynDNS) to get a publicly-resolvable FQDN that you can use as the hostname of your UTM. Don't forget to configure the UTM on the 'DynDNS' tab of 'Network Services >> DNS' to keep your new FQDN updated with your public IP.

For the best of both worlds, get a domain name and then create a CNAME record for utm.domain.org that refers to your dynamic FQDN.

Cheers - Bob

Unfortunately, no, I wasn't able to get it to work and wound up doing a full, re-install from scratch.

As a side note, I really can't stress enough the importance of Bob's rule of having a fully resolvable FQDN.  I wound up using "utm.internal" as my FQDN and still get certificate issues with Outlook trusting my certificate, even though I've added my certificate to Window's certificate store a hundred times.  I don't know if I should have used an FQDN such as "mail.utm.internal" or "www.utm.internal" or if it's because "utm.internal" is not an actual registered domain.  In hindsight, I think I probably should have just bought an actual, registered domain from Godaddy, etc for a few bucks a year and could have saved myself a lot of aggravation and had everything work as it should.  If anyone has any quick suggestions on how to fix this, I'd appreciate it.

Thanks,

- Ben

While an old thread, I ran into this yesterday...

I experienced the error when I re-did my CA - certificate chain of trust and I removed the old CA, imported the new one, and began removing the old certificates from that CA for users, WebAdmin, etc.  Upon trying to import the newly issued certs, I received the error.

I'm not sure of the exact cause, but restoring the configuration backup from the previous night fixed the issue.  Random issues like this is why I have it set to take configuration backups daily, as it makes things so much simpler to fix when something starts acting wonky.

As an FYI for anyone else running into the issue:

• I do not recommend creating certificates on Sophos, due to the lack of customization to the openssl.cnf and the fact Sophos creates certificates and CAs I don't find secure.  

• I recommend utilizing openssl on a PC running Windows or a *nix distro, and here is a pre-built openssl config that includes the relevant commands required at the bottom of the config

Greetings Bob,

I know this is an old thread but I thought it might need some updating now that UTM incorporates Let's Encrypt support.

slickone27 certainly came up with the easiest way but I have a UTM that I worked with Sophos on for months to be able to restore without the site-specific data. It restored fine if you restored a full backup but if you tried to restore without the site-specific data it failed every time. Everything under the sun was tried by me and Sophos. Unfortunately, Sophos was unable to resolve the issue and I finally gave up once they provided a workaround.

I was able to successfully get new certificates on the UTM by following Step 4 in this knowledge base article on Heartbleed: Recommended steps for UTM : https://community.sophos.com/kb/en-us/120851. It took a while but it worked great and I have never experienced any issues.

I am now in a situation where I need to regenerate the certificates on that UTM again and I am prepared to follow the steps in the knowledge base article again but with direct support for Let's Encrypt certificates now being part of the UTM I had to wonder if your caveat in Rulz would no longer apply if Let's Encrypt certificates were were used instead of local certificates?

Curious to know your thoughts.

Hi old friend!

Well, I'm originally a math guy, so I always look for "elegant" configuration solutions - for easy-to-understand and -maintain setups.  I haven't been using the LetsEncrypt solution, but would consider it for a home setup.  I still would prefer for new certs to be consistent in the configuration.  Did I answer your question or did I misunderstand which caveat you were referring to?

Cheers - Bob
PS You have a PM.

Bob,

Upon reading my post I must agree with you that I wasn't clear enough.

I have been using Let's Encrypt certificates on all UTM's I manage including this troublesome UTM. I can totally see where someone of your caliber would not feel the need for using the Let's Encrypt solution but for myself it has been a huge blessing being able to click a few buttons and say goodbye to self signed certificates on the UTMs I manage. They have all renewed without fail until I was forced to make a change to the clients Internet connection on this one UTM.

When I had to switch from one IP to 5 IP's I was not only forced to change IP's but hostname due to my own poor planning by naming the host after the ISP's PTR record name. Obviously having the hostname resolvable in reverse DNS is important for email so I thought that the ISPs PTR record for the IP address would be a good solution. 20/20 hindsight has clearly shown me that it was only a good solution so long as the client maintained that IP address and the ISP didn't change the PTR record.

Due to the above, what I need to do is change the hostname on this UTM. To avoid having to switch the host names in the future I have learned my lesson and will now set hostnames where I control the forward and reverse DNS. Naturally once the hostname is changed it means that certificates need to be regenerated.

Since this problem UTM will not restore from a backup when the site-specific data is removed slickone27's method will not work as the easy solution to regenerate certificates so I must either start from scratch (not a good option since there's a lot of complexity to this UTM's configuration) or use the method Sophos provided as described in the Heartbleed knowledge base article's step 4.

I was all prepared to regenerate the certificates using the Heartbleed knowledge base article method but then it occurred to me...With the use of Let's Encrypt for certificates wouldn't it be unnecessary to regenerate all the certificates following the Heartbleed knowledge base article method since those self signed certificates will not be used anyway and will be replaced with Let's Encrypt certificates?

So since I have been using Let's Encrypt certificates do you suppose it would be possible to simply disable the Let's Encrypt (which deletes all Let's Encrypt related data), change the hostname, and then redo the Let's Encrypt?

Do you believe that would be sufficient as you say in Rulz "to get CAs, certificates, hostname entries, etc. all aligned?"

Finally, this brings us to the caveat. What I was referring to is that I've heard you say if you don't get all this stuff aligned you are asking for trouble.