
How to upgrade wildcard certificates on a Virtual Web Server?

We use wildcard certificates with most of our websites. It has been tedious with Sophos since it tries to be helpful and pulls the domain names from the cert and uses them as the default. We need more granular control of the domains on our virtual webservers, so I delete the defaults and enter the domains I am publishing. The problem is that there is a bug in the Virtual Webserver form: if you expand the "Advanced" option after entering the custom domains, Sophos deletes all custom entries and reverts to the default wildcard domains. Tedious when you forget to expand "Advanced" first.

Anyways, now my wildcard is expiring and I need to upgrade the certificate. I uploaded the new certificate, went to the virtual webserver, selected it and all of my custom domains were once again deleted in favor of the defaults. Luckily I noticed and didn't click save.

So this is a pain when you have lots of domains and virtual web servers in use. Every time you enter this info, you run the risk of typos. Anyone know of a way to work around this "feature" without having to recreate everything?



  • That's a nasty bug, Tim - I hope you've opened a Support ticket and have requested escalation to the developers!

    There may be a command line trick, but you would want Sophos Support to initiate that.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I opened a ticket when I first started using the wildcard to create virtual web servers back in August. I just amended that ticket to include the new scenario. Overall it's a feature that hasn't been fully thought out. If I was using a SAN cert or a single-site cert, it would be helpful as it would auto-populate my entries. However, even with a SAN cert I could see that you might have a need for more than one Virtual Web Server object to apply different policies to different aspects of the SANs.

    This is the response I received from support in August this year:


    Thank you for this ticket that you created based on the bug you've found.
    I'll be forwarding this information to our Senior Engineers here so they can open up a Bug ID and investigate the issue that you have.

  • Thanks, Tim.  Please post the Case # here or PM it to sachinguring along with a link to this thread.

    I think it should be possible to locate the old certificate and CA and simply replace them and other changed information in the relevant REF_s, but I don't know where those might be or if another way would be better.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thank you.

    This is the case number with the details of the issue: 6417084

  • Sorry to bump this old one, but I've been looking and haven't found a satisfactory answer to this.  We also run a large number of virtual servers using a wildcard cert, and I'd like to be able to replace the certificate without having to edit each and every virtual server using it (across multiple UTMs), as it just increases the chance of error.


    Is there a method to replace a certificate that is currently in use, and have it apply to all services using the existing certificate, without it resetting anything?

  • Hi Nick and welcome to the UTM Community!

    There may be a way using RESTful API, but I suspect that it's not possible to replace an existing, in-use cert with one with an identical REF_.

    Depending on the number of Virtual Servers, I might use string operators in a spreadsheet to create lists of cc commands to replace an old cert with a new one in each Virtual Server object.  First, I would need the REF_ of the cert named "Example 1":

    cc get_object_by_name ca host_key_cert 'Example 1'|grep ref

    That would return something like 'ref' => 'REF_CaHosExamp1',

    Then, I would query for the list of Virtual Server REF_s and certificate used:

    cc get_objects reverse_proxy frontend |grep 'certificate\|ref'

    That would return something like:

                            'certificate' => '',
                'ref' => 'REF_RevFroDomain',
                            'certificate' => 'REF_CaHosExamp1',
                'ref' => 'REF_RevFroServeA',
                            'certificate' => 'REF_CaHosExamp1',
                'ref' => 'REF_RevFroServeB',

    I want to replace the "Example 1" cert with the "Example 2" certificate in "Server A" and "Server B":

    cc change_object REF_RevFroServeA certificate REF_CaHosExamp2
    cc change_object REF_RevFroServeB certificate REF_CaHosExamp2

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
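The script below is an added example, not Bob's code and not anything shipped with the UTM. It takes the output of the two `cc` queries Bob shows and generates the matching `cc change_object` lines itself, so nothing has to be retyped per Virtual Server and no spreadsheet is needed. It assumes the shape of `cc` output shown in the post: within each `reverse_proxy frontend` object the `'certificate'` line comes before the `'ref'` line, and `cc get_object_by_name` prints a single `'ref'` line for the certificate. The sample dumps are constructed from the post's example refs plus one extra frontend (`REF_RevFroServeC`, `REF_CaHosOther1`) on a different certificate, so the script can be run and checked offline; the `cc` invocations in the comments are the ones from Bob's post and would be run on the UTM shell.

```shell
#!/bin/sh
# Added example (not from the thread or from Sophos): turn the grepped output
# of `cc get_objects reverse_proxy frontend` into the list of
# `cc change_object <frontend REF_> certificate <new cert REF_>` commands.
# It only prints the commands; review them, then pipe into sh on the UTM.

# cert_ref: extract the REF_ from `cc get_object_by_name ca host_key_cert <name>`.
# Fields are split on the single quote, so $2 is the key and $4 the value.
cert_ref() {
  awk -F"'" '$2 == "ref" { print $4; exit }'
}

# plan_cert_swap OLD_REF NEW_REF: read the grepped frontend dump on stdin and
# print one change_object command per Virtual Server still bound to OLD_REF.
# Frontends with no certificate (plain HTTP) or a different one are skipped,
# so the swap touches only the objects that actually use the expiring cert.
plan_cert_swap() {
  old_ref="$1"
  new_ref="$2"
  [ -n "$old_ref" ] && [ -n "$new_ref" ] || {
    echo "usage: plan_cert_swap OLD_REF NEW_REF" >&2
    return 2
  }
  awk -F"'" -v old="$old_ref" -v new="$new_ref" '
    $2 == "certificate" { cert = $4; next }
    $2 == "ref" {
      if (cert == old) print "cc change_object " $4 " certificate " new
      cert = ""
    }'
}

# Constructed sample of:
#   cc get_object_by_name ca host_key_cert 'Example 1' | grep ref
sample_cert_dump() {
cat <<'EOF'
          'ref' => 'REF_CaHosExamp1',
EOF
}

# Constructed sample of:
#   cc get_objects reverse_proxy frontend | grep 'certificate\|ref'
# The first three objects are the ones from the post; Server C is an assumed
# extra frontend on another certificate that must be left alone.
sample_frontend_dump() {
cat <<'EOF'
                        'certificate' => '',
            'ref' => 'REF_RevFroDomain',
                        'certificate' => 'REF_CaHosExamp1',
            'ref' => 'REF_RevFroServeA',
                        'certificate' => 'REF_CaHosExamp1',
            'ref' => 'REF_RevFroServeB',
                        'certificate' => 'REF_CaHosOther1',
            'ref' => 'REF_RevFroServeC',
EOF
}

# Dry run against the constructed samples. On a real UTM the equivalent is:
#   old=$(cc get_object_by_name ca host_key_cert 'Example 1' | cert_ref)
#   new=$(cc get_object_by_name ca host_key_cert 'Example 2' | cert_ref)
#   cc get_objects reverse_proxy frontend | grep 'certificate\|ref' \
#     | plan_cert_swap "$old" "$new"
# Check the printed lines, then append `| sh` to apply them.
old=$(sample_cert_dump | cert_ref)
sample_frontend_dump | plan_cert_swap "$old" REF_CaHosExamp2
```

Two practical notes. Take a configuration backup before piping anything into `sh`, since `cc change_object` writes straight to confd with no undo. And this only rebinds `reverse_proxy frontend` objects, which is all the thread asks about; anything else bound to the old certificate (other services, or the certificate object itself, which the script never deletes) is untouched, so re-run the `cc get_objects` query afterwards to confirm that no frontend still reports the old REF_.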