This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

How to upgrade wildcard certificates on a Virtual Web Server?

We use wildcard certificates with most of our websites. It has been tedious with Sophos since it tries to be helpful and pulls the domain names from the cert and uses them as the default. We need more granular control of the domain on our virtual webservers, so I delete the defaults and enter the domains I am publishing. The problem is that there is a bug in the Virtual Webserver form that if you expand the "Advanced" option after entering the custom domains, Sophos deletes all custom entries and reverts to the default wildcard domains. Tedious when you forget to expand "Advanced" first.

Anyways, now my wildcard is expiring and I need to upgrade the certificate. I uploaded the new certificate, went to the virtual webserver, selected it and all of my custom domains were once again deleted in favor of the defaults. Luckily I noticed and didn't click save.

So this is a pain when you have lots of domains and virtual web servers in use. Every time you enter this info, you run the risk of typos. Anyone know of a way to work around this "feature" without having to recreate everything?



This thread was automatically locked due to age.
Parents
  • Sorry to bump this old one, but I've been looking and haven't found a satisfactory answer to this.  We also run a large number of virtual servers using a wildcard cert, and I'd like to be able to replace the certificate without having to edit each and every virtual server using it (across multiple UTMs), as it just increases the chance of error.

     

    Is there a method to replace a certificate that is currently in use, and have it apply to all services using the existing certificate, without it resetting anything??.

Reply
  • Sorry to bump this old one, but I've been looking and haven't found a satisfactory answer to this.  We also run a large number of virtual servers using a wildcard cert, and I'd like to be able to replace the certificate without having to edit each and every virtual server using it (across multiple UTMs), as it just increases the chance of error.

     

    Is there a method to replace a certificate that is currently in use, and have it apply to all services using the existing certificate, without it resetting anything??.

Children
  • Hi Nick and welcome to the UTM Community!

    There may be a way using RESTful API, but I suspect that it's not possible to replace an existing, in-use cert with one with an identical REF_.

    Depending on the number of Virtual Servers, I might use string operators in a spreadsheet to create lists of cc commands to replace an old cert with a new one in each Virtual Server object.  First, I would need the REF_ of the cert named "Example 1":

    cc get_object_by_name ca host_key_cert 'Example 1'|grep ref

    That would return something like 'ref' => 'REF_CaHosExamp1',

    Then, I would query for the list of Virtual Server REF_s and certificate used:

    cc get_objects reverse_proxy frontend |grep 'certificate\|ref'

    That would return something like:

                            'certificate' => '',
                'ref' => 'REF_RevFroDomain',
                            'certificate' => 'REF_CaHosExamp1',
                'ref' => 'REF_RevFroServeA',
                            'certificate' => 'REF_CaHosExamp1',
                'ref' => 'REF_RevFroServeB',

    I want to replace the "Example 1" cert with the "Example 2" certificate in "Server A" and "Server B":

    cc change_object REF_RevFroServeA certificate REF_CaHosExamp2
    cc change_object REF_RevFroServeB certificate REF_CaHosExamp2

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA