LetsEncrypt integration

L0 Member

LetsEncrypt integration

Hi,

 

While I know most would use an issued SSL certificate it would be great if PANOS supported LetsEncrypt for requesting SSL certificates for things like the management interface and GlobalProtect.

L4 Transporter

Re: LetsEncrypt integration

Hi Brett_Hobbs,

 

What would you be looking for in a Let's Encrypt integration from the workflow perspective?

 

If you still had to do the certbot renew from some linux box you controlled, then updating the certs on PAN-OS was provided as an Ansible or Terraform module, would that be helpful?

L0 Member

Re: LetsEncrypt integration

Hi,

 

That particular process would not work for us today (possibly in the future).

 

I was thinking that because GlobalProtect would have a DNS A record that having the certbot agent installed on the firewall we could support automatic verification and renewals.

 

MGMT interface would take some additional thought to solve either via your below method or some external DNS requirements.

L4 Transporter

Re: LetsEncrypt integration

For everyone that's interested in Let's Encrypt integration with PAN-OS:

 

Hi, my name is Garfield and I work here at Palo Alto Networks in the developer relations team.  I'm wanting to get a feel for the interest and expectations of a Let's Encrypt integration.  I'd very much appreciate anyone who's interested in a Let's Encrypt integration to respond to this thread with some information about their setup and expectations.

 

I'd like to separate this discussion into a few parts:  what integrations today are doing, what can be done to help that in the short term, and what the expectation for the end result could look like.

 

Today:  given that there is currently no native Let's Encrypt client on PAN-OS, people that are using Let's Encrypt certs on PAN-OS today are, to my knowledge, running a client on some (linux) host to renew the certs, then uploading the certs to their PAN-OS.

 

End-goal:  I assume that the desired end-result is that PAN-OS runs Let's Encrypt natively, doing cert renewal automatically behind the scenes.

 

So here's the questions I have:

 

1) If you're currently using Let's Encrypt certs with PAN-OS and your workflow does not look like the above, can you briefly describe it?

2) Is your desired end goal that PAN-OS runs Let's Encrypt natively?  If not, what is your desired end goal?

3) In between the end goal and now, would you want a stop-gap solution?

4) If you want a stop-gap solution, what form should it take?  A standalone executable / script?  Ansible module?  Terraform resource?  Tie-in to an existing Let's Encrypt client, such as certbot or acme.sh?

 

Thanks in advance for the feedback!

 

AKX
L0 Member

Re: LetsEncrypt integration

1) If you're currently using Let's Encrypt certs with PAN-OS and your workflow does not look like the above, can you briefly describe it?

2) Is your desired end goal that PAN-OS runs Let's Encrypt natively?  If not, what is your desired end goal?

3) In between the end goal and now, would you want a stop-gap solution?

4) If you want a stop-gap solution, what form should it take?  A standalone executable / script?  Ansible module?  Terraform resource?  Tie-in to an existing Let's Encrypt client, such as certbot or acme.sh?

 

1. We don't use Let's Encrypt certs with PAN-OS currently because it's a pain to manage cert renewal manually, as you have to do it every 90 days. We do run certbot on our other web servers; it runs every day and renews only when the cert is near expiring. It also swaps out certs and flushes the Apache cache automatically. If there is any error, an email is sent to me.

 

2. Natively or not, I think making the process automatic and simple is what I would expect.

 

3. and 4. Yes. It doesn't really matter as long as it can automate the process, or at least automate as much as possible, so that functions in PAN-OS don't fail just because the admin forgot to renew the certs.

 

Other comment:

Please also make domain ownership validation options flexible as everyone's setup is different.

In our case, xyz.com as well as DNS is controlled by headquarters; branchvpn.abc.com and branchvpn2.abc.com are issued to us. We won't be able to prove ownership of xyz.com, only of branchvpn.abc.com or branchvpn2.abc.com. And we can only use the .well-known files method, not the DNS TXT method, as we do not control the DNS server.

 

L0 Member

Re: LetsEncrypt integration

Hi,

 

I am just setting up LetsEncrypt certificates for a small Global Protect deployment and use pretty much the method that you suggest.  I use a separate linux box to handle the certificate creation and renewal and have an upload script to upload the certificate via the api with a simple curl command.

 

This however does not currently work as the certificate gets imported via the API without the private key.  If I use the web GUI, the certificate works fine, complete with the private key - is this a bug?

 

Native LE support would be great, however at least being able to upload the cert via the API would make life a lot easier (assuming that I am not just doing something wrong!).

 

 

L0 Member

Re: LetsEncrypt integration

Doh!  Just found the private-key API import command and realised that you have to import the cert first and then the private key afterwards!  I assumed it was a single step process...

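The two-step import WTSU describes (certificate first, then the private key under the same certificate name, then a commit) as an added example script that is not part of the thread and is not Palo Alto Networks code. It is written as a certbot deploy hook and assumes: a firewall reachable at PAN_HOST, an XML API key in PAN_API_KEY for an admin allowed to import certificates and commit, the PAN-OS certificate object name in PAN_CERT_NAME, and certbot's live directory in LE_DIR. The X-PAN-KEY header, the `format=pem` and `passphrase=` parameters, and the choice to encrypt the key with a throwaway passphrase before upload are all assumptions about the API, not facts stated on this page; verify them against the PAN-OS XML API reference for your version.

```shell
#!/bin/sh
# Added example (not from the thread): push a renewed Let's Encrypt cert into
# PAN-OS over the XML API in two steps, then commit.
# Assumed environment (none of these names come from the thread):
#   PAN_HOST       firewall management address, e.g. fw.example.net
#   PAN_API_KEY    XML API key of an admin that may import certs and commit
#   PAN_CERT_NAME  name of the certificate object on PAN-OS
#   LE_DIR         certbot live dir, e.g. /etc/letsencrypt/live/vpn.example.net
#   PAN_CACERT     optional: CA bundle / pinned cert for the management interface
set -eu

pan_import_url() {
  # Build the import URL. $1 host, $2 category (certificate | private-key),
  # $3 certificate-name, $4 optional extra query (e.g. "&passphrase=...").
  printf 'https://%s/api/?type=import&category=%s&certificate-name=%s&format=pem%s' \
    "$1" "$2" "$3" "${4:-}"
}

pan_ok() {
  # Every PAN-OS API reply is <response status="success|error" ...>; HTTP 200
  # alone means nothing, so check the status attribute. Returns 0 on success.
  printf '%s' "$1" | grep -q '<response status="success"'
}

pan_call() {
  # $1 URL, $2 optional file to POST as the multipart field "file".
  # The API key goes in the X-PAN-KEY header (assumed, PAN-OS 9.0+) so it stays
  # out of the query string and proxy logs. No -k: a MITM on the management
  # interface would otherwise receive the API key; pin PAN_CACERT instead.
  if [ -n "${2:-}" ]; then
    curl -sS --fail ${PAN_CACERT:+--cacert "$PAN_CACERT"} \
      -H "X-PAN-KEY: $PAN_API_KEY" -F "file=@$2" "$1"
  else
    curl -sS --fail ${PAN_CACERT:+--cacert "$PAN_CACERT"} \
      -H "X-PAN-KEY: $PAN_API_KEY" "$1"
  fi
}

deploy() {
  tmp=$(mktemp -d)
  trap 'rm -rf "$tmp"' EXIT

  # PAN-OS expects an encrypted PEM key plus its passphrase on import (assumed);
  # certbot writes privkey.pem unencrypted, so wrap it with a one-shot random
  # passphrase that is never stored. Uses "openssl rsa"; for an ECDSA key use
  # "openssl ec" instead.
  pass=$(openssl rand -hex 16)
  openssl rsa -in "$LE_DIR/privkey.pem" -aes256 -passout "pass:$pass" -out "$tmp/key.pem"
  chmod 600 "$tmp/key.pem"

  # Step 1: the certificate. fullchain.pem carries the intermediate as well, which
  # GlobalProtect clients need to build the chain (multi-cert PEM import assumed).
  r=$(pan_call "$(pan_import_url "$PAN_HOST" certificate "$PAN_CERT_NAME")" "$LE_DIR/fullchain.pem")
  pan_ok "$r" || { printf 'certificate import failed: %s\n' "$r" >&2; return 1; }

  # Step 2: the private key, attached to the object created in step 1. Importing
  # the key first, or with a different name, leaves a cert without a key.
  r=$(pan_call "$(pan_import_url "$PAN_HOST" private-key "$PAN_CERT_NAME" "&passphrase=$pass")" "$tmp/key.pem")
  pan_ok "$r" || { printf 'private-key import failed: %s\n' "$r" >&2; return 1; }

  # Commit so the SSL/TLS service profile used by the portal/gateway (and the
  # management interface) picks up the renewed certificate.
  r=$(pan_call "https://$PAN_HOST/api/?type=commit&cmd=<commit></commit>")
  pan_ok "$r" || { printf 'commit failed: %s\n' "$r" >&2; return 1; }
}

# Only act when configured, e.g. from:
#   certbot renew --deploy-hook /usr/local/sbin/panos-deploy.sh
if [ -n "${PAN_HOST:-}" ]; then deploy; fi
```

The script replaces the certificate object in place, so the SSL/TLS service profile that references it by name does not need to change; what does need a second look is the 90-day cadence, since a missed deploy hook now means a GlobalProtect outage rather than a browser warning, so log the failure somewhere that is actually read.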
L0 Member

Re: LetsEncrypt integration

1) The above is accurate for us.

2) No, having Terraform and Ansible support to manage certificates would be a better option in my opinion. If you integrate Lets Encrypt directly on the OS then that fixes cert management for LE users but not users of other CAs. If you had modules for Terraform and Ansible, that would cover all users and not just LE users. Or support LE natively but also have cert management modules.

3/4) No, we have a working solution.

 

EDIT: If you do integrate LE directly, please support all validation methods and don't limit it to just one.

 

L4 Transporter

Re: LetsEncrypt integration


@gfreeman wrote:

So here's the questions I have:

 

1) If you're currently using Let's Encrypt certs with PAN-OS and your workflow does not look like the above, can you briefly describe it?

2) Is your desired end goal that PAN-OS runs Let's Encrypt natively?  If not, what is your desired end goal?

3) In between the end goal and now, would you want a stop-gap solution?

4) If you want a stop-gap solution, what form should it take?  A standalone executable / script?  Ansible module?  Terraform resource?  Tie-in to an existing Let's Encrypt client, such as certbot or acme.sh?

 

Thanks in advance for the feedback!

 


1.  We run dehydrated on a Linux station that runs once a week and updates certs for our firewalls, panorama, and GlobalProtect portal domains.  We use a self-signed CA root cert for GlobalProtect clients.  (We run dehydrated on another Linux system that updates the cert on 50-odd Linux servers for use with Webmin, Apache, Lighttpd, CUPS, 3Ware GUI etc, automatically.)

 

2.  Having a way to script the uploads of the certs into Panorama for pushing out to the firewalls, and into the GP Portal would be handy, and save the 10-15 minutes I spend every 60-odd days doing it manually. :)  (No, I haven't looked into the XML API as yet, it's on the Todo list, though.)

 

3. and 4.  See 2. above.

L4 Transporter

Re: LetsEncrypt integration


@WTSU wrote:

Doh!  Just found the private-key API import command and realised that you have to import the cert first and then the private key afterwards!  I assumed it was a single step process...


Oooh, that's helpful.  Now I have some reading to do to get our LE setup fully-automated.  :D
