I'm currently using LE for WebAdmin and UserPortal. Just curious if anyone else is using LE for anything else besides WebAdmin and User Portal? What other configurations can we use Let's Encrypt?
Thanks
I'm currently using LE for WebAdmin and UserPortal. Just curious if anyone else is using LE for anything else besides WebAdmin and User Portal? What other configurations can we use Let's Encrypt?
Thanks
I'm using it for
----------
Sophos user, admin and reseller.
Private Setup:
scorpionking said:
- internal webservers (bash script, that fetches the LE certificate from UTM via the built-in API
Hey Scorpionking,
would you share your bash script, this would solve the problem I m having?
Yeah, but that's a quick and dirty one suitable for my home lab. Use at your own risk!
Source (German): www.matthiaskind.de/.../41-let-s-encrypt-zertifkat-einer-sophos-utm-automatisiert-weiterverarbeiten-bash-script.html
#!/bin/bash
# Fetch Let'sEncrypt cert from UTM and check if different to local.
# If yes, overwrite and reload affected services
# Needs curl, jq and mailutils installed
log="/usr/bin/logger -i -p local0.info -t getcert_utm.sh"
log_dbg="/usr/bin/logger -i -p local0.debug -t getcert_utm.sh"
log_err="/usr/bin/logger -i -p local0.warning -t getcert_utm.sh"
#debug=true
$log "Starting getcert_utm.sh"
utmapiurl="https://<myutm.mydomain.de>:4444/api/objects/ca/host_key_cert/<REF-ID of LE-cert>"
utmapikey="<your API key here>"
# do not use whitespaces or special characters in paths!
curloutfile="/tmp/utm-le-cert_all"
tmpkeyfile="/tmp/utm-le-cert.key"
tmpcertfile="/tmp/utm-le-cert.pem"
# must match the path and certificate name in your apache, dovecot, etc. config
dstkeyfile="/etc/ssl/private/mydomain.de_SAN_LE.key"
dstcertfile="/etc/ssl/mydomain.de_SAN_LE.pem"
# false (if can be used separately) or path to intermediate
intermediateca="/etc/ssl/lets-encrypt-x3-cross-signed.pem"
tmpmailtext="/tmp/mailtext.txt"
mailsubject="LE-Cert-Fetcher on "$(hostname)": "
mailto="<your email address>"
mailresult="Nothing changed"
restartservices=false
# services to restart after certificate change
services="dovecot.service postfix.service nginx.service"
errtext=""
errdetected=false
certsubject=$(/usr/bin/openssl x509 -text -noout -in $dstcertfile |grep -oP '(?<=Subject: )[^,]+')
certvalidity=$(/usr/bin/openssl x509 -text -noout -in $dstcertfile |grep -oP '(?<=Not After : )[^,]+')
echo -e "Hello!\n" > $tmpmailtext
echo -e "This is to inform you about recent changes in our Let's Encrypt certificate with $certsubject:\nValid until: $certvalidity\n" >> $tmpmailtext
$log "Downloading cert from UTM API."
curl -k -X GET --header "Accept: application/json" --header "Authorization: Basic ${utmapikey}" "${utmapiurl}" -o "$curloutfile" > /tmp/getcert_utm_curl 2>&1
if [ $? -eq 0 ]; then
$log "Extracting key and certificate from output."
jq -r '.key' $curloutfile > $tmpkeyfile
res1=$?
jq -r '.certificate' $curloutfile > $tmpcertfile
res2=$?
if [ $res1 -eq 0 ] && [ $res2 -eq 0 ]; then
$log "Comparing new and old files."
diff $tmpkeyfile $dstkeyfile
if [ $? -eq 0 ]; then
$log "Key has not changed."
echo "Key has not changed." >> $tmpmailtext
else
$log "Key has changed. Copying new key."
cp $tmpkeyfile $dstkeyfile
if [ $? -eq 0 ]; then
restartservices=true
mailresult="Key changed"
echo "Key has been exchanged by a newer version." >> $tmpmailtext
else
errdetected=true
errtext=$errtext"Error copying key to destination. "
mailresult="Error"
echo "ERROR copying key to destination" >> $tmpmailtext
fi
fi
if [ $intermediateca != false ]; then
$log "Appending intermediate ca to certificate."
cat $intermediateca >> $tmpcertfile
fi
diff $tmpcertfile $dstcertfile
if [ $? -eq 0 ]; then
$log "Certificate has not changed."
echo "Certificate has not changed." >> $tmpmailtext
else
$log "Certificate has changed. Copying new key."
cp $tmpcertfile $dstcertfile
if [ $? -eq 0 ]; then
restartservices=true
mailresult="Certificate changed"
echo "Certificate has been exchanged by a newer version." >> $tmpmailtext
else
errdetected=true
errtext=$errtext"Error copying certificate to destination. "
mailresult="Error"
echo "ERROR copying certificate to destination" >> $tmpmailtext
fi
fi
if [ "$errdetected" = true ]; then
mailresult="Error"
$log_err "Failure in setting certs: $errtext"
fi
else
mailresult="Error extracting cert"
echo "Could not extract cert or key from output. Check format of output, should be JSON containing .key and .certificate section." >> $tmpmailtext
$log_err "Could not extract cert or key from output. Check format of output, should be JSON containing .key and .certificate section."
fi
else
mailresult="Error getting cert"
echo "Could not connect to $utmapiurl or error in authentication. Check connection and URL settings." >> $tmpmailtext
$log_err "Could not connect to $utmapiurl or error in authentication. Check connection and URL settings."
fi
certdetails=$(/usr/bin/openssl x509 -text -noout -in $dstcertfile)
echo -e "\nBest regards,\nroot\n\n----------\n\nCertificate details:\n\n$certdetails" >> $tmpmailtext
mail -s "${mailsubject}${mailresult}" $mailto < "${tmpmailtext}"
rm "${curloutfile}" "${tmpkeyfile}" "${tmpcertfile}" "${tmpmailtext}"
if [ "$restartservices" = true ]; then
$log "Reloading \"$services\" as some data has changed"
systemctl reload $services
fi
$log "Finished."
#Finished
----------
Sophos user, admin and reseller.
Private Setup:
Well, thank you so much!
I will give it a try also in my home Lab. If you call this a quick and dirty one, then I wouldn't know what to say when you would doing it "right"!?
Looks amazing at a first glance! Keep it rolling, thanks again!
Hi,
Great script! I have one problem though that stops me and that is that the reply to the RestAPI call:
/api/objects/ca/host_key_cert/<REF>
For me does not result in a reply that includes the private key field: 'key', the only fields I get back is:
Did you replace <REF> with the current REF ID of your Let's Encrypt certificate? You can find it by logging in to the REST API with your admin user and then searching for the appropriate _ref in the section "ca/host_key_cert" (choose "ca" in the dropdown menu at the top right).
And have you created an API key in WebAdmin for this script?
Also try the full URL in a browser to verify the result. It should look like this one:
{
"_locked": "",
"_ref": "REF_XxxYyyzZZ",
"_type": "ca/host_key_cert",
"ca": "",
"certificate": "<your cert meta data here>-----BEGIN CERTIFICATE-----<your cert here>-----END CERTIFICATE-----",
"comment": "",
"encrypted": false,
"key": "-----BEGIN PRIVATE KEY-----<private key here>-----END PRIVATE KEY-----",
"meta": "REF_aaAbBBcCC",
"name": "<cert name like in UTM Web Admin>"
}
----------
Sophos user, admin and reseller.
Private Setup:
Yes, I use the corresponding ref as the: REF_XxxYyyzZZ in your example.
All other fields are there and correct. It is only the 'key'-field that does not show up. It does not show up for any of the certificates. I wonder if there is something with regards to permissions or similar.
It is an access problem. If I am using the admin user/password instead when login to https://<sophos>:4444/api/ then I also get access to the key field. I was using a user that was not part of the SuperAdmins-groups. I was reading the UTM-RESTful-API manual and it stated: "Note – This cannot be the admin user. We recommend mapping the token to a user with reduced permissions." So I assumed that one should not be using an accounts in the SuperAdmins-group, but that seems to be the only way forward to get access to the private keys.
Update:
Only way to get access to the key-field (private key) is that the user is added to the SuperAdmin-group. Also I have to delete and create a new API-token after adding the user to the group. Doing these two steps and I finally have access to the key-field. If you know a different way then to use a SuperAdmin-account, please let me know. Thanks again for a great script!
Halloj and welcome to the UTM Community!
Thanks for contributing that important piece of information!
Cheers - Bob
Has anyone also have a powershell script for doing the same and maybe can share this to us?
Hi All.
I have been trying to use scorpionkings script but it does not seem to work for me.
The script seems to fail in getting the cert.
When I run the script I get:
[root@serverone ~]# "/storage/Scripts/GetCertFromFirewall.sh"
unable to load certificate
140446836869008:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: TRUSTED CERTIFICATE
unable to load certificate
140231396804496:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: TRUSTED CERTIFICATE
jq: error: Could not open file /tmp/utm-le-cert_all: No such file or directory
jq: error: Could not open file /tmp/utm-le-cert_all: No such file or directory
unable to load certificate
140529080334224:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: TRUSTED CERTIFICATE
rm: cannot remove ‘/tmp/utm-le-cert_all’: No such file or directory
I opened the livelog on the firewall and got this:
2019:08:29-09:17:52 firewall restd[5483]: [80C549CD05C279AE4BDED51B2607D101|] [ConfdHelper] withConfdConnection Setting StatusUnauthorized: No authentication header found
2019:08:29-09:17:52 firewall restd[5483]: [80C549CD05C279AE4BDED51B2607D101|] Completed GET 401 /api/objects/ca/host_key_cert/REF_VZAwHBxXYPZe in 277.618µs
Has something changed with the API call as the curl command does not seem to match the method of auth in the restapi manual ?
The cert downloads correctley when I use a browser to open the URL (although I auth with User/Pass)
Has anyone any ideas what cuold be the problem ?
Thanks
Hi All.
I have been trying to use scorpionkings script but it does not seem to work for me.
The script seems to fail in getting the cert.
When I run the script I get:
[root@serverone ~]# "/storage/Scripts/GetCertFromFirewall.sh"
unable to load certificate
140446836869008:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: TRUSTED CERTIFICATE
unable to load certificate
140231396804496:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: TRUSTED CERTIFICATE
jq: error: Could not open file /tmp/utm-le-cert_all: No such file or directory
jq: error: Could not open file /tmp/utm-le-cert_all: No such file or directory
unable to load certificate
140529080334224:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: TRUSTED CERTIFICATE
rm: cannot remove ‘/tmp/utm-le-cert_all’: No such file or directory
I opened the livelog on the firewall and got this:
2019:08:29-09:17:52 firewall restd[5483]: [80C549CD05C279AE4BDED51B2607D101|] [ConfdHelper] withConfdConnection Setting StatusUnauthorized: No authentication header found
2019:08:29-09:17:52 firewall restd[5483]: [80C549CD05C279AE4BDED51B2607D101|] Completed GET 401 /api/objects/ca/host_key_cert/REF_VZAwHBxXYPZe in 277.618µs
Has something changed with the API call as the curl command does not seem to match the method of auth in the restapi manual ?
The cert downloads correctley when I use a browser to open the URL (although I auth with User/Pass)
Has anyone any ideas what cuold be the problem ?
Thanks
The plain auth key did not work for me.
It seems that there is an encryption needed.
The following did work for me:
- Open API in Browser
- Open key (via "Try It out" in "GET /objects/ca/host_key_cert/")
- Copy the key given in the "curl"-field (after "Authorization: Basic ")
- Use this token in script
Hi Sebastian,
Sorry I meant to have updated this, I found the problem.
The API Key was not being encoded to base64 before sending to the UTM, The fix was quite easy:-
utmapikey=$(echo -n token:$token | base64)
fullutmapiurl=$utmapiurl$certref
curl -k -X GET --header "Accept: application/json" --header "Authorization: Basic ${utmapikey}" "${fullutmapiurl}" -o "$curloutfile" > /tmp/getcert_utm_curl 2>&1
Jeff