Thanks everyone who contributed to this thread. It has been valuable to me figuring out how to upload the Let's Encrypt certificates from my Synology NAS to Sophos XG. Here's how it is done.
Enable API (optionally create a special API Administration user) as described here: https://community.sophos.com/kb/en-us/132560
On your Synology NAS follow the instructions for Let's Encrypt here and include your firewall's FQDN as a subject alternative name: https://www.synology.com/en-global/knowledgebase/DSM/help/DSM/AdminCenter/connection_certificate
Then create this XML file, e.g. in your home directory:
<?xml version="1.0" encoding="UTF-8"?>
<Request APIVersion="1702.1">
  <!-- API Authentication -->
  <Login>
    <Username>apiuser</Username>
    <Password>randompw</Password>
  </Login>
  <Set operation="add">
    <Certificate>
      <Action>UploadCertificate</Action>
      <Name>yourdomain</Name>
      <CertificateFormat>pem</CertificateFormat>
      <CertificateFile>yourdomain.pem</CertificateFile>
      <PrivateKeyFile>yourdomain.key</PrivateKeyFile>
    </Certificate>
  </Set>
</Request>
Under Control Panel, Task Scheduler, create the following User-defined script as a Scheduled Task that runs as user root:
/bin/curl -F "reqxml=</var/services/homes/youruser/updatecertificate.xml" -F "file=@/usr/syno/etc/certificate/system/default/cert.pem;filename=yourdomain.pem" -F "file=@/usr/syno/etc/certificate/system/default/privkey.pem;filename=yourdomain.key" -k https://yourfirewall:4443/webconsole/APIController
Click "Run" to test it and run it once. You should now have your Synology certificate and private key under SYSTEM, Certificates. If that worked, then make the following change in the XML file: <Set operation="update">
That should be it. From now on your firewall should be certified by Let's Encrypt and updated timely with renewed certificates. I run the task weekly on Sunday morning.
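A scheduled-task version of the upload above, added here as an example; it is not code from this thread, from Sophos or from Synology. It builds the same request the post describes (with the API password XML-escaped), checks that the certificate, key and password files are readable before calling the API, and fails the task with the firewall's status code and message whenever the response is not 200, so an error like the 500 quoted later in this thread shows up in the task output instead of passing silently. The firewall host, certificate name, API user and password-file path are placeholders; the certificate paths are the ones from the post. The two sample responses at the bottom are copies of the ones quoted in this thread, kept in the script only so the parsing can be exercised offline.

```shell
#!/bin/sh
# Added example, not code from the thread: the curl upload from the post above,
# wrapped in the checks a scheduled run should have. Request and response shapes
# are the ones shown in the thread; host, user, name and file paths are placeholders.
# Usage (as the Synology task, running as root):
#   sh xg-upload-cert.sh yourfirewall update yourdomain apiuser /root/xg-api.pass
# where the last argument is a mode-0600 file holding the API user's password.

# Where DSM keeps the default certificate (paths from the post; override if yours differ).
CERT_DIR=${CERT_DIR:-/usr/syno/etc/certificate/system/default}
# The post disables TLS verification with -k. Once the firewall serves a trusted
# certificate, set CURL_OPTS="--cacert /path/to/ca.pem" so the endpoint is
# authenticated before the API password is sent to it.
CURL_OPTS=${CURL_OPTS:--k}

# Escape the five XML special characters so a password such as 'a&b<c' can
# neither break the request document nor inject elements into it.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                           -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# Build the request body. OPERATION is "add" for the very first upload and
# "update" for every renewal after that (the distinction the thread turns on).
xg_request_xml() {
    case $1 in add|update) ;; *) echo "operation must be add or update, not '$1'" >&2; return 1 ;; esac
    operation=$1 name=$2 user=$(xml_escape "$3") pass=$(xml_escape "$4")
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<Request APIVersion="1702.1">
  <Login><Username>$user</Username><Password>$pass</Password></Login>
  <Set operation="$operation">
    <Certificate>
      <Action>UploadCertificate</Action>
      <Name>$name</Name>
      <CertificateFormat>pem</CertificateFormat>
      <CertificateFile>$name.pem</CertificateFile>
      <PrivateKeyFile>$name.key</PrivateKeyFile>
    </Certificate>
  </Set>
</Request>
EOF
}

# Pull the numeric code and the message out of the <Status> element of a response.
# Both print nothing when the response has no such element (e.g. a failed login).
xg_status_code() {
    printf '%s\n' "$1" | sed -n 's/.*<Status code="\([0-9][0-9]*\)">.*/\1/p' | head -n 1
}
xg_status_message() {
    printf '%s\n' "$1" | sed -n 's/.*<Status code="[0-9]*">\([^<]*\)<\/Status>.*/\1/p' | head -n 1
}

# Verify every file the upload needs is readable by the task's user before any
# network call is made; the failed update in this thread was reported as a permissions issue.
xg_check_readable() {
    bad=0
    for f in "$@"; do
        [ -r "$f" ] || { echo "not readable: $f" >&2; bad=1; }
    done
    return $bad
}

# Decide pass/fail from a response: 200 is the only success. Returns 0 on success,
# 1 on an API error (code and message printed), 2 when the response is not in the expected shape.
xg_check_response() {
    code=$(xg_status_code "$1")
    case $code in
        200) return 0 ;;
        '')  echo "unexpected response: $1" >&2; return 2 ;;
        *)   echo "API returned $code: $(xg_status_message "$1")" >&2; return 1 ;;
    esac
}

# HOST OPERATION NAME USER PASSFILE -> exit status as in xg_check_response.
xg_upload() {
    host=$1 operation=$2 name=$3 user=$4 passfile=$5
    cert=$CERT_DIR/cert.pem key=$CERT_DIR/privkey.pem
    xg_check_readable "$cert" "$key" "$passfile" || return 2
    umask 077                                  # the request file holds the API password
    req=$(mktemp) || return 2
    xg_request_xml "$operation" "$name" "$user" "$(cat "$passfile")" >"$req" || { rm -f "$req"; return 2; }
    response=$(curl -sS $CURL_OPTS \
        -F "reqxml=<$req" \
        -F "file=@$cert;filename=$name.pem" \
        -F "file=@$key;filename=$name.key" \
        "https://$host:4443/webconsole/APIController")
    rc=$?
    rm -f "$req"
    [ "$rc" -eq 0 ] || return 2
    xg_check_response "$response"
}

# Copies of the two responses quoted in this thread (constructed constants for offline checks).
SAMPLE_RESPONSE_500='<?xml version="1.0" encoding="UTF-8"?><Response APIVersion="1702.1" IPS_CAT_VER="1"> <Login> <status>Authentication Successful</status> </Login> <Certificate transactionid=""> <Status code="500">Operation could not be performed on Entity.</Status> </Certificate></Response>'
SAMPLE_RESPONSE_200='<?xml version="1.0" encoding="UTF-8"?><Response APIVersion="1702.1" IPS_CAT_VER="1"> <Login> <status>Authentication Successful</status> </Login> <Certificate transactionid=""> <Status code="200">Configuration applied successfully.</Status> </Certificate></Response>'

# Run the upload only when all five arguments are given, so the file can also be
# sourced without touching the network.
if [ $# -eq 5 ]; then
    xg_upload "$@"
fi
```

Because the task exits non-zero on anything but a 200 status, DSM's Task Scheduler can be set to e-mail the output on failure, which turns a silently failing Sunday renewal into a notification with the firewall's own error message in it.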
I have finally got this set up. The add worked properly, but when the update executes every Sunday I get this output:
<?xml version="1.0" encoding="UTF-8"?><Response APIVersion="1702.1" IPS_CAT_VER="1"> <Login> <status>Authentication Successful</status> </Login> <Certificate transactionid=""> <Status code="500">Operation could not be performed on Entity.</Status> </Certificate></Response>
Any ideas on what I am doing wrong? I have confirmed that I have changed the operation from add to update.
So basically you can add a certificate with your script, but you cannot update it?
As far as I know, you cannot "overwrite" the certificate in use, because XG loads it in different places.
What you would have to do is re-upload the certificate with a different name and change its uses in each place you like.
The 'Set operation="update"' works fine for me. This is the output that I see at the weekly update:
<?xml version="1.0" encoding="UTF-8"?><Response APIVersion="1702.1" IPS_CAT_VER="1"> <Login> <status>Authentication Successful</status> </Login> <Certificate transactionid=""> <Status code="200">Configuration applied successfully.</Status> </Certificate></Response>
But is the certificate in use with anything? Mine is configured to be used with the portal (admin/user) as well as e-mail. Are you doing anything manually on Sundays? Just want to make sure I am not missing anything.
Yes, it's in use and selected in SYSTEM, Administration, Admin settings. Not performing any manual action, this just works as described.
Maybe you can find out more by checking the log files?
OK, found the issue. It appears to have been a permissions issue. All fixed and running properly.
Can you elaborate on the permission issue? I'm having the same problem.