Let's Encrypt used for..

I'm using it for

• Webserver Protection
• SMTP Proxy TLS encryption
• HotSpot Page via HTTPS
• internal webservers (bash script, that fetches the LE certificate from UTM via the built-in API)
• WebAdmin and UserPortal

Very helpful.  Thanks scorpionking

scorpionking said:

 

• internal webservers (bash script, that fetches the LE certificate from UTM via the built-in API

 

Hey Scorpionking,

would you share your bash script, this would solve the problem I m having?

Yeah, but that's a quick and dirty one suitable for my home lab. Use at your own risk!

Source (German): www.matthiaskind.de/.../41-let-s-encrypt-zertifkat-einer-sophos-utm-automatisiert-weiterverarbeiten-bash-script.html

#!/bin/bash

# Fetch Let'sEncrypt cert from UTM and check if different to local.
# If yes, overwrite and reload affected services
# Needs curl, jq and mailutils installed

log="/usr/bin/logger -i -p local0.info -t getcert_utm.sh"
log_dbg="/usr/bin/logger -i -p local0.debug -t getcert_utm.sh"
log_err="/usr/bin/logger -i -p local0.warning -t getcert_utm.sh"
#debug=true
$log "Starting getcert_utm.sh"

utmapiurl="https://<myutm.mydomain.de>:4444/api/objects/ca/host_key_cert/<REF-ID of LE-cert>"
utmapikey="<your API key here>"
# do not use whitespaces or special characters in paths!
curloutfile="/tmp/utm-le-cert_all"
tmpkeyfile="/tmp/utm-le-cert.key"
tmpcertfile="/tmp/utm-le-cert.pem"
# must match the path and certificate name in your apache, dovecot, etc. config
dstkeyfile="/etc/ssl/private/mydomain.de_SAN_LE.key"
dstcertfile="/etc/ssl/mydomain.de_SAN_LE.pem"
# false (if can be used separately) or path to intermediate
intermediateca="/etc/ssl/lets-encrypt-x3-cross-signed.pem"
tmpmailtext="/tmp/mailtext.txt"
mailsubject="LE-Cert-Fetcher on "$(hostname)": "
mailto="<your email address>"
mailresult="Nothing changed"
restartservices=false
# services to restart after certificate change
services="dovecot.service postfix.service nginx.service"
errtext=""
errdetected=false

certsubject=$(/usr/bin/openssl x509 -text -noout -in $dstcertfile |grep -oP '(?<=Subject: )[^,]+')
certvalidity=$(/usr/bin/openssl x509 -text -noout -in $dstcertfile |grep -oP '(?<=Not After : )[^,]+')
echo -e "Hello!\n" > $tmpmailtext
echo -e "This is to inform you about recent changes in our Let's Encrypt certificate with $certsubject:\nValid until: $certvalidity\n" >> $tmpmailtext
$log "Downloading cert from UTM API."
curl -k -X GET --header "Accept: application/json" --header "Authorization: Basic ${utmapikey}" "${utmapiurl}" -o "$curloutfile" > /tmp/getcert_utm_curl 2>&1
if [ $? -eq 0 ]; then
  $log "Extracting key and certificate from output."
  jq -r '.key' $curloutfile > $tmpkeyfile
  res1=$?
  jq -r '.certificate' $curloutfile > $tmpcertfile
  res2=$?
  if [ $res1 -eq 0 ] && [ $res2 -eq 0 ]; then
    $log "Comparing new and old files."
    diff $tmpkeyfile $dstkeyfile
    if [ $? -eq 0 ]; then
      $log "Key has not changed."
      echo "Key has not changed." >> $tmpmailtext
    else
      $log "Key has changed. Copying new key."
      cp $tmpkeyfile $dstkeyfile
      if [ $? -eq 0 ]; then
        restartservices=true
        mailresult="Key changed"
        echo "Key has been exchanged by a newer version." >> $tmpmailtext
      else
        errdetected=true
        errtext=$errtext"Error copying key to destination. "
        mailresult="Error"
        echo "ERROR copying key to destination" >> $tmpmailtext
      fi
    fi
    if [ $intermediateca != false ]; then
      $log "Appending intermediate ca to certificate."
      cat $intermediateca >> $tmpcertfile
    fi
    diff $tmpcertfile $dstcertfile
    if [ $? -eq 0 ]; then
      $log "Certificate has not changed."
      echo "Certificate has not changed." >> $tmpmailtext
    else
      $log "Certificate has changed. Copying new key."
      cp $tmpcertfile $dstcertfile
      if [ $? -eq 0 ]; then
        restartservices=true
        mailresult="Certificate changed"
        echo "Certificate has been exchanged by a newer version." >> $tmpmailtext
      else
        errdetected=true
        errtext=$errtext"Error copying certificate to destination. "
        mailresult="Error"
        echo "ERROR copying certificate to destination" >> $tmpmailtext
      fi
    fi
    if [ "$errdetected" = true ]; then
      mailresult="Error"
      $log_err "Failure in setting certs: $errtext"
    fi
  else
    mailresult="Error extracting cert"
    echo "Could not extract cert or key from output. Check format of output, should be JSON containing .key and .certificate section." >> $tmpmailtext
    $log_err "Could not extract cert or key from output. Check format of output, should be JSON containing .key and .certificate section."
  fi
else
  mailresult="Error getting cert"
  echo "Could not connect to $utmapiurl or error in authentication. Check connection and URL settings." >> $tmpmailtext
  $log_err "Could not connect to $utmapiurl or error in authentication. Check connection and URL settings."
fi
certdetails=$(/usr/bin/openssl x509 -text -noout -in $dstcertfile)
echo -e "\nBest regards,\nroot\n\n----------\n\nCertificate details:\n\n$certdetails" >> $tmpmailtext
mail -s "${mailsubject}${mailresult}" $mailto < "${tmpmailtext}"
rm "${curloutfile}" "${tmpkeyfile}" "${tmpcertfile}" "${tmpmailtext}"
if [ "$restartservices" = true ]; then
  $log "Reloading \"$services\" as some data has changed"
  systemctl reload $services
fi
$log "Finished."

#Finished

Well, thank you so much!

I will give it a try also in my home Lab. If you call this a quick and dirty one, then I wouldn't know what to say when you would doing it "right"!?

Looks amazing at a first glance! Keep it rolling, thanks again!

Did you have any problems? 

I am currently getting this error:

Renewing Let's Encrypt certificate 'UTM Let's Encrypt' has failed.

Reason for failure: An error occurred while communicating with the Let's Encrypt server.

So... we didnt end up using your script. Just wanted to let you guys know that we are doing.

Here on the board somebody suggested to do nothing...... thats the eaysiest way! Loving it!

We keep our current setup were we sign certs per certbots on the linux and windows machines like we used to in the past years per port 80 Sitepath Routing. Now with the 9.6 and Letsencrypt support, we also sign the same name on the UTM. Surprisingly this is supported by Letsencrypt (https://letsencrypt.org/docs/rate-limits/)

Link to the post and answer from Carsten Schild: https://community.sophos.com/products/unified-threat-management/unified-threat-management-beta/sophos-utm-9-6-beta/f/sophos-utm-9-6-public-beta/109075/let-s-encrypt-on-waf-and-internal-servers/395507#395507

Hi,

Great script! I have one problem though that stops me and that is that the reply to the RestAPI call:
/api/objects/ca/host_key_cert/<REF>

For me does not result in a reply that includes the private key field: 'key', the only fields I get back is:

Did you replace <REF> with the current REF ID of your Let's Encrypt certificate? You can find it by logging in to the REST API with your admin user and then searching for the appropriate _ref in the section "ca/host_key_cert" (choose "ca" in the dropdown menu at the top right).

And have you created an API key in WebAdmin for this script?

Also try the full URL in a browser to verify the result. It should look like this one:

{
  "_locked": "",
  "_ref": "REF_XxxYyyzZZ",
  "_type": "ca/host_key_cert",
  "ca": "",
  "certificate": "<your cert meta data here>-----BEGIN CERTIFICATE-----<your cert here>-----END CERTIFICATE-----",
  "comment": "",
  "encrypted": false,
  "key": "-----BEGIN PRIVATE KEY-----<private key here>-----END PRIVATE KEY-----",
  "meta": "REF_aaAbBBcCC",
  "name": "<cert name like in UTM Web Admin>"
}

Yes, I use the corresponding ref as the: REF_XxxYyyzZZ in your example.

All other fields are there and correct. It is only the 'key'-field that does not show up. It does not show up for any of the certificates. I wonder if there is something with regards to permissions or similar.