Thanks everyone who contributed to this thread. It has been valuable to me figuring out how to upload the Let's Encrypt certificates from my Synology NAS to Sophos XG. Here's how it is done.
Enable API (optionally create a special API Administration user) as described here: https://community.sophos.com/kb/en-us/132560
On your Synology NAS follow the instructions for Let's Encrypt here and include your firewall's FQDN as a subject alternative name: https://www.synology.com/en-global/knowledgebase/DSM/help/DSM/AdminCenter/connection_certificate
Then create this XML file, e.g. in your home directory:
<?xml version="1.0" encoding="UTF-8"?>
<Request APIVersion="1702.1">
  <!-- API Authentication -->
  <Login>
    <Username>apiuser</Username>
    <Password>randompw</Password>
  </Login>
  <Set operation="add">
    <Certificate>
      <Action>UploadCertificate</Action>
      <Name>yourdomain</Name>
      <CertificateFormat>pem</CertificateFormat>
      <CertificateFile>yourdomain.pem</CertificateFile>
      <PrivateKeyFile>yourdomain.key</PrivateKeyFile>
    </Certificate>
  </Set>
</Request>
Under Control Panel, Task Scheduler, create the following User-defined script as a Scheduled Task that runs as user root:
/bin/curl -F "reqxml=</var/services/homes/youruser/updatecertificate.xml" -F "file=@/usr/syno/etc/certificate/system/default/cert.pem;filename=yourdomain.pem" -F "file=@/usr/syno/etc/certificate/system/default/privkey.pem;filename=yourdomain.key" -k https://yourfirewall:4443/webconsole/APIController
Click "Run" to test and run it once. You should now have your Synology certificate and private key under SYSTEM, Certificates. If that worked, then make the following change in the XML file: <Set operation="update">
That should be it. From now on your firewall should be certified by Let's Encrypt and updated timely with renewed certificates. I run the task weekly on Sunday morning.
I have finally got this set up. The add worked properly, but when the update executes every Sunday I get this output:
<?xml version="1.0" encoding="UTF-8"?><Response APIVersion="1702.1" IPS_CAT_VER="1"> <Login> <status>Authentication Successful</status> </Login> <Certificate transactionid=""> <Status code="500">Operation could not be performed on Entity.</Status> </Certificate></Response>
Any ideas on what I am doing wrong? I have confirmed that I have changed the operation from add to update.
So basically you can add a certificate with your script, but you cannot update it?
As far as I know, you cannot "overwrite" the certificate in use, because it is loaded in different places by XG.
What you would have to do is re-upload the certificate with different names and change those uses in each place you like.
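The following script is an added example and is not code from the thread or from Sophos or Synology. It wraps the procedure from the first post (build the request XML, POST it with curl together with the Synology certificate files) and addresses the update failure discussed afterwards in two ways: it reads the <Status code="..."> out of the API response so a 500 does not go unnoticed, and it follows the last reply's advice by uploading each renewed certificate under a fresh, date-suffixed name with operation="add" instead of trying to update the name that is in use. Host name, API user, password and the certificate name prefix are placeholders; the API endpoint, the XML request format and the Synology certificate paths are taken from the thread as quoted.

```shell
#!/bin/sh
# Added example: upload the Synology Let's Encrypt certificate to Sophos XG via
# its XML API, under a new name per run, and check the response status code.

XG_HOST="yourfirewall"                        # placeholder
API_USER="apiuser"                            # placeholder
API_PASS="randompw"                           # placeholder
NAME_PREFIX="yourdomain"                      # placeholder
CERT_DIR="/usr/syno/etc/certificate/system/default"   # path from the thread
# -k is only needed until the firewall itself serves a trusted certificate;
# drop it afterwards so the API connection is verified.
CURL_OPTS="-s -k"

# Emit the request XML. $1 = operation (add|update), $2 = certificate name.
build_request() {
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<Request APIVersion="1702.1">
  <Login>
    <Username>$API_USER</Username>
    <Password>$API_PASS</Password>
  </Login>
  <Set operation="$1">
    <Certificate>
      <Action>UploadCertificate</Action>
      <Name>$2</Name>
      <CertificateFormat>pem</CertificateFormat>
      <CertificateFile>$2.pem</CertificateFile>
      <PrivateKeyFile>$2.key</PrivateKeyFile>
    </Certificate>
  </Set>
</Request>
EOF
}

# Extract the numeric code from <Status code="NNN"> in an API response.
# Prints nothing if the response carries no Status element.
parse_status() {
    printf '%s\n' "$1" | sed -n 's/.*<Status code="\([0-9]*\)".*/\1/p' | head -n 1
}

# Certificate name for this run: prefix plus a YYYYMMDD suffix ($2), so each
# renewal is a new entity and never collides with the one XG has in use.
cert_name() {
    printf '%s-%s\n' "$1" "$2"
}

# Build the request, POST it with the cert and key, and return non-zero unless
# the API answered with status 200.
upload_cert() {
    name=$(cert_name "$NAME_PREFIX" "$(date +%Y%m%d)")
    umask 077                                  # request file holds the API password
    reqfile=$(mktemp "$HOME/updatecertificate.XXXXXX")
    build_request add "$name" > "$reqfile"
    resp=$(/bin/curl $CURL_OPTS \
        -F "reqxml=<$reqfile" \
        -F "file=@$CERT_DIR/cert.pem;filename=$name.pem" \
        -F "file=@$CERT_DIR/privkey.pem;filename=$name.key" \
        "https://$XG_HOST:4443/webconsole/APIController")
    rm -f "$reqfile"
    code=$(parse_status "$resp")
    if [ "$code" = "200" ]; then
        echo "uploaded certificate as $name"
        return 0
    fi
    echo "upload of $name failed, API status '${code:-none}': $resp" >&2
    return 1
}

# Only contact the firewall when explicitly asked, so the script can be sourced.
if [ "${1:-}" = "--upload" ]; then
    upload_cert
fi
```

Schedule it as `/path/to/script.sh --upload` in the Task Scheduler; a non-zero exit makes the task's failure visible, which the bare curl one-liner never does. Since every run adds a new certificate, the remaining manual step is the one the last reply describes: point the places that use the certificate (WebAdmin, user portal, and so on) at the new name, and delete the old entries once nothing references them.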