
sophos-utm-letsencrypt's Introduction

This repo is obsolete since Let's Encrypt is now a supported feature

https://community.sophos.com/kb/en-us/132940

sophos-utm-letsencrypt

Backup!

Before you start, make a backup of your configuration in case something goes wrong or the wrong certificate is overwritten.

Install Verification CA Certificate

Download the Let's Encrypt intermediate certificate: https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem

Install it as Verification CA via webadmin (Webserver Protection -> Certificate Management -> Certificate Authority -> New CA...)

I have named it "Let’s Encrypt Authority X3", but you can give it any name you want.

When a Let's Encrypt certificate is in use, the Web Application Firewall serves this CA certificate alongside it to complete the certificate chain, which improves client acceptance of the Let's Encrypt certificate.

Get all Files

SSH to your Sophos UTM and download everything needed:

sudo su -
cd /root
wget https://raw.githubusercontent.com/srvrco/getssl/master/getssl --no-check-certificate
wget https://raw.githubusercontent.com/rklomp/sophos-utm-letsencrypt/master/update-cert --no-check-certificate
wget http://web.mit.edu/crypto/openssl.cnf
chmod +x getssl
chmod +x update-cert

Find the certificate reference

Use an existing certificate entry to overwrite, or generate a new one in the webgui (Webserver Protection -> Certificate Management -> Add Certificate...). Use the VPN ID type "Hostname". Assign this certificate to your virtual webserver.

Get certificate Reference using confd-client:

#/usr/local/bin/confd-client.plx
127.0.0.1 MAIN > OBJS
Switched to OBJS mode.
127.0.0.1 OBJS > ca
127.0.0.1 OBJS ca > host_key_cert
127.0.0.1 OBJS ca host_key_cert >

Press Tab twice to show the list of all certificates.

From the list, find the certificate you want to write the Let's Encrypt certificate into. Copy everything up to the [ sign; this reference is used in the next step.

For example REF_CaHosLetsEncryp[Let's Encrypt,ca,host_key_cert]

The reference to use is: REF_CaHosLetsEncryp

Create config

Create default config files. If you get a curl error, make sure your firewall is not blocking outbound (IPv6) traffic.

./getssl -c yourdomain.com

Edit the config files

vi ~/.getssl/getssl.cfg

Set ACCOUNT_EMAIL and SSLCONF

ACCOUNT_EMAIL=<your email>
SSLCONF="/root/openssl.cnf"

Edit the domain specific config file

vi ~/.getssl/yourdomain.com/getssl.cfg

Set RELOAD_CMD; use your domain and the reference you looked up earlier

RELOAD_CMD="/root/update-cert yourdomain.com REF_CaHosLetsEncryp"

Set ACL; this is the directory the ACME challenge file is copied to. It should be on the server that serves the yourdomain.com web pages. Create the folder on that server, check that http://yourdomain.com/.well-known/acme-challenge/ is reachable from the outside, and check that you can SSH from the UTM to the server. You may need to add a firewall rule to allow that traffic.

ACL=('ssh:<user>@<server>:/var/www/.well-known/acme-challenge')

Note: If you use SSH you need to create an SSH key with ssh-keygen and copy it to your server with ssh-copy-id <user>@<server>

Tip: If you cannot copy the file to the server serving this domain you can copy it to another server and use Site Path Routing for path /.well-known/acme-challenge/ to this other server.

Tip 2: Using FTP is also possible (see the example in the config file), but an FTP executable is not available by default on the Sophos UTM.

Finally, comment out or edit the SANS parameter; it may contain additional (unwanted) domains. Every domain listed must be resolvable from the outside and have its own line in ACL. For example, if SANS in the yourdomain.com config is set to SANS=sub.yourdomain.com, ACL should contain two lines: one for the server serving yourdomain.com and one for the server serving sub.yourdomain.com.

ACL=('ssh:<user>@<server1>:/var/www/.well-known/acme-challenge'
'ssh:<user>@<server2>:/var/www/.well-known/acme-challenge')

Test it!

Testing time...

./getssl -f yourdomain.com

If everything works correctly and your website now uses the new certificate, you can continue. If not.. solve it ;)

Note: This is a test certificate that is not a valid signed certificate. The certificate is issued by "fake LE intermediate x1". The next step will make sure you will get a valid signed certificate.

Tip: getssl supports the -d parameter to show debug output

Finish your work

vi ~/.getssl/yourdomain.com/getssl.cfg

Uncomment:

CA="https://acme-v01.api.letsencrypt.org"

Test again:

./getssl -f yourdomain.com

Now you should have a valid certificate!

Make cronjob:

crontab -e

add a line to run daily:

33 0 * * * /root/getssl yourdomain.com

(please use a random minute instead of 33)
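As an added check that is not part of this repo, the following Python script compares the certificate getssl saved and the Verification CA installed earlier with the chain the WAF actually serves. It tells you whether the object reference was right (the served leaf matches the new certificate) and whether the intermediate is being sent. It assumes the CA file was saved as /root/lets-encrypt-x3-cross-signed.pem and that openssl is on the PATH.

```python
import base64
import hashlib
import re
import subprocess

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_blocks_to_der(text):
    """DER bytes of every certificate block in text (a .crt, chain.crt, or s_client output)."""
    return [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(text)]


def to_pem(der):
    """Wrap DER bytes as a PEM block (64-char lines, as openssl writes them)."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def fingerprint(der):
    """SHA-1 fingerprint in the colon-separated form the UTM UI shows."""
    return ":".join(f"{b:02X}" for b in hashlib.sha1(der).digest())


def fetch_served_chain(host, port=443):
    """Text of the chain the WAF actually serves for host (needs openssl on PATH)."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host, "-showcerts"]
    return subprocess.run(cmd, input=b"", capture_output=True, timeout=15).stdout.decode(errors="replace")


def check_chain(local_cert_pem, ca_pem, served_text):
    """Compare the cert getssl saved (and the Verification CA) with what the WAF serves."""
    local = pem_blocks_to_der(local_cert_pem)[0]
    ca = pem_blocks_to_der(ca_pem)[0]
    served = pem_blocks_to_der(served_text)
    problems = []
    if not served:
        problems.append("no certificate served")
    elif fingerprint(served[0]) != fingerprint(local):
        problems.append("leaf differs from local cert: WAF still serves the old certificate")
    if fingerprint(ca) not in {fingerprint(c) for c in served[1:]}:
        problems.append("intermediate not sent by WAF: check the Verification CA entry")
    return {"served_leaf": fingerprint(served[0]) if served else None, "problems": problems}


if __name__ == "__main__":
    # Paths follow the README layout; yourdomain.com and the CA path are placeholders (assumed).
    domain = "yourdomain.com"
    local = open(f"/root/.getssl/{domain}/{domain}.crt").read()
    ca = open("/root/lets-encrypt-x3-cross-signed.pem").read()
    print(check_chain(local, ca, fetch_served_chain(domain)))
```

An empty problems list means the WAF serves the new leaf plus the intermediate; a "leaf differs" finding is the same condition getssl reports as "certificate on server is different from the new certificate".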

sophos-utm-letsencrypt's People

Contributors

dransfeldsk, rattkin, rklomp, tacticalcode


sophos-utm-letsencrypt's Issues

WAF not serving CA

Hi,

In the readme you write I just need to install the CA in Webserver Protection -> Certificate Management -> Certificate Authority. I've done this but the WAF is not serving it with the Let's Encrypt certs.

Do you have any additional idea for me?

http://i.imgur.com/g79qNUQ.png

BR Z3nto

acme challenge file doesn't copy to server

Hello,
When I try my config with

./getssl -f example.com

the script doesn't copy the file to the server I defined at ACL. DOMAIN_CERT_LOCATION and DOMAIN_KEY_LOCATION work.

Error Loading extension section v3_ca

I ran into the error Error Loading extension section v3_ca

I tracked down the error and eventually solved it.

getssl.conf contains the following line

SSLCONF="$(openssl version -d 2>/dev/null| cut -d\" -f2)/openssl.cnf"

which will result in SSLCONF=/etc/ssl/openssl.cnf on my utm. The file contains a

[ v3_ca ]
subjectKeyIdentifier=hash
basicConstraints = CA:true
subjectAltName=${ENV::SUBJECT_ALT_NAME}

which causes the error. The main issue is that your howto downloads openssl.cnf from http://web.mit.edu/crypto/openssl.cnf but this file is not used by getssl at all.

I changed getssl to use the file instead

SSLCONF="/root/openssl.cnf"

update-cert fail

Hello,

I had done the setup and I receive a cert from Let's Encrypt. But the update-cert fails with this error:

rs:/root # ./getssl -f mydomain.de
Registering account
Verify each domain
Verifying mydomain.de
mydomain.de is already validated
Verification completed, obtaining certificate.
Certificate saved in /root/.getssl/mydomain.de/mydomain.de.crt
The intermediate CA cert is in /root/.getssl/mydomain.de/chain.crt
reloading SSL services
  File "/root/update-cert", line 34
    return value.split('/')[-1]
    ^
IndentationError: expected an indented block
getssl: error running /root/update-cert mydomain REF_CaHosmydomainde
rs:/root #

Any hints on this?

Sophos UTM doesn't have an FTP client?

I'm running firmware version 9.410-6. I was able to follow your instructions without any problem until I got to setting the ACL. I can't seem to SSH from Sophos to my webserver, so I thought I'd give FTP a shot. No dice. I don't know if it's just my version of UTM, but line 541 of the getssl script errors out with command not found. I dug through everywhere I could think of trying to find an FTP client preinstalled or how to get one on there, but I came up empty.

As for SSH, it always times out. No idea why. I can SSH from other systems just fine.

So, no SSH, no FTP. Any ideas?

Cert Not Being Updated in UTM

Been using this setup for over a year now without issue until tonight. The cert files in /var/storage/chroot-reverseproxy/usr/apache/conf/ssl are not being updated. The Download button in the UTM web UI downloads the old expired cert. The getssl command however appears to be running properly. Just ran it in debug and force mode and saw it check each hostname then call the reload command. End of the output is below.

certdata location = https://acme-v01.api.letsencrypt.org/acme/cert/035cd66baea63a299874e8616ad51b1a1d94
Certificate saved in /root/.getssl/example.com/example.com.crt
The intermediate CA cert is in /root/.getssl/example.com/chain.crt

creating an achive copy of current new certs

purging old GetSSL archives

purging archives in /root/.getssl/example.com/archive/

Certificates obtained and archived locally, will now copy to specified locations
reloading SSL services

running reload command /root/letsencrypt/update-cert example.com REF_xkqbxCAzGrlK
Writing certificate for example.com to object REF_xkqbxCAzGrlK
Bareword found where operator expected at (eval 104) line 1, near "6.Ja"
        (Missing operator before Ja?)
Updating certificate meta to object REF_CaMetCusStgaLatla
Done!
getssl: example.com - certificate obtained but certificate on server is different from the new certificate
fw:/root #

The certificate obtained but certificate on server is different message is not new for me. Happens normally. The Bareword found error is new but only shows up in debug mode.

Once this completes, I can see on the Webserver Protection > Certificate Management > Certificates page in the UTM web UI that the dates for the cert have changed (see below) but when I download the cert or hit the proxied hostname, I'm getting the old expired cert still.

example.com
VPNId: [Hostname] example.com
Valid from Sep 10 01:11:17 2018 GMT through Dec 9 01:11:17 2018 GMT
Fingerprint: D5:73:DA:68:45:89:26:54:77:8B:FC:F1:9D:D0:2A:77:F6:C4:0B:3F

Error Loading extension section v3_ca

I'm getting the following on running ./getssl -f example.org.
Real domain replaced.

Any ideas? The CSR file is empty.

firewall:/root/.getssl/example.org # ls -la
total 16
drwxr-xr-x 2 root root 4096 Feb 16 16:50 .
drwxr-xr-x 3 root root 4096 Feb 16 16:51 ..
-rw-r--r-- 1 root root 3046 Feb 16 16:08 getssl.cfg
-rw-r--r-- 1 root root    0 Feb 16 16:50 example.org.csr
-rw------- 1 root root 3243 Feb 16 16:17 example.org.key

firewall:/root # ./getssl -f example.org
creating domain csr - /root/.getssl/example.org/example.org.csr
Error Loading extension section v3_ca
1435629192:error:2206D06C:X509 V3 routines:X509V3_parse_list:invalid null name:v3_utl.c:326:
1435629192:error:22097069:X509 V3 routines:DO_EXT_NCONF:invalid extension string:v3_conf.c:139:name=subjectAltName,section=
1435629192:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:v3_conf.c:93:name=subjectAltName, value=
Registering account
Verify each domain
Verifying example.org
example.org is already validated
Verifying www.example.org
www.example.org is already validated
Verification completed, obtaining certificate.
Error Loading extension section v3_ca
1435629192:error:2206D06C:X509 V3 routines:X509V3_parse_list:invalid null name:v3_utl.c:326:
1435629192:error:22097069:X509 V3 routines:DO_EXT_NCONF:invalid extension string:v3_conf.c:139:name=subjectAltName,section=
1435629192:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:v3_conf.c:93:name=subjectAltName, value=
getssl: Sign failed:   "detail": "Error parsing certificate request. Extensions in the CSR marked critical can cause this error: https://github.com/letsencrypt/boulder/issue

Let's Encrypt to secure UTM admin interface

I want to secure the admin interface as well as the remote user interface with Let's Encrypt. All the steps were successful except the verification process of http://vpn.domain.com/.well-known/...

I added in the ACL something like /root/letsencrypt/vpn.domain.com/.well-known/acme-challenge. But this one is not available through HTTP(S), of course.

How can I fix this?

No Wildcard Support

Hey there,
Seems Sophos added Let's Encrypt, but so late that ACME v2 came out shortly after, and it doesn't support wildcards. Any way to add wildcard support?

Problems with renewing, Windows Server

Hello,

Not sure if it's a real issue, but maybe someone can help me out.

I followed the tutorial, and the challenge can be copied by SSH. But I'm using a Windows server, so I should use the FTP option. But I can't find a tutorial to install an FTP client on the Sophos UTM firewall.

Can someone help me out?

Remco

crontab entry not working

I received an email from the LetsEncrypt.com guys warning me that my certs were expiring. Logged into my firewall and ran crontab -e and the entry was there but when I ran the command manually, it needed to update things. Should we instead be adding a /etc/crontab.letsencrypt file? I wonder if cron on UTM is really pulling in user crontabs.

Domain Issue

I'm very new to Sophos and certificates, but looking in the guide where it says "domain.com", what do I put there? Do I put my Sophos router IP or what?

Index out of range

Dear sir. Lately I've been receiving this error when performing ./getssl -f. I've never had this issue before recently. Not sure if it's just me, but thought I should let you know. All of my configs look right (they haven't changed).

reloading SSL services
Traceback (most recent call last):
  File "/root/update-cert", line 119, in <module>
    main()
  File "/root/update-cert", line 108, in main
    if (len(sys.argv[3]) > 1):
IndexError: list index out of range
getssl: error running /root/update-cert <domain> REF_<ref>
