LetsEncrypt integration


L1 Bithead

Hi,

While I know most would use an issued SSL certificate, it would be great if PANOS supported LetsEncrypt for requesting SSL certificates for things like the management interface and GlobalProtect.


Wouldn't this be the same as the GlobalProtect interfaces, portal and gateway?

Just a function you can apply to some interface?

Why does it have to be the management interface?

L3 Networker

OK. Since this is something that would really be nice to have, I tried something new today and it seems promising. Here are the details:

step 0: GP external portal/gateway - working, but cannot get a valid cert for this using Let's Encrypt

step 1: configure/set up an internal portal/gateway

step 2: install nginx proxy manager on something

step 3: set up a proxy host to use your external domain to forward to the GP internal IP address (i.e. 192.168.whatever:443)

step 4: set up NAT and security policies to allow ports 80 and 443 inbound to your nginx proxy manager host

step 5: test it... you should be able to hit your internal VPN portal from the internet using your domain name

step 6: use nginx proxy manager to auto-generate a Let's Encrypt cert - this is where I have a problem; for me I get an error and cannot get the cert to generate. I have been trying to troubleshoot this but so far no luck... but I think I am 90% of the way there and this *should* work; something is wonky with the cert fetching process in the nginx proxy manager container

EDIT:

It works! For some reason I put 443 in my Destination NAT policy; I must have still been waking up this morning. After removing that and making sure the security policy allows 80 and 443, the proxy manager grabbed a cert and I have a valid chain on the VPN portal now. This should auto-renew going forward.

Hi @gfreeman, could you give us feedback about the status of a possible letsencrypt integration?

Our company wants to have this feature on our PANOS and PANORAMA devices for the following reasons:

- GlobalProtect portal/gateway integration

- SSL decrypt profiles

- web admin interface certificates

With a native integration of letsencrypt certificates on PANOS, it will be an advantage to maintain the certificates automatically.

Cheers,

Andy

L5 Sessionator

Since opening this query to the community, Palo Alto Networks has integrated with the acme.sh script to import the certificates created.

Coming in the next release of the Terraform provider, there will also be a resource to do certificate imports, though if you're already using acme.sh to import the certificate you likely won't use this new resource.

 

Fortinet supports it natively. Palo?

[attachment: letsencrypt-fortinet.PNG]

L4 Transporter

So does the F5.

@gfreeman does it do the commit as well?

Can you extract the plugin and use it outside of acme?

@Alex_Samad the panos.sh is freely available on the acme GitHub with all the other deploy scripts; you can copy it and modify it to your needs to use it outside of acme.
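Added example (not acme.sh's panos.sh and not Palo Alto Networks code): a stand-alone Python script that does what the deploy hook discussed above does over the PAN-OS XML API, answering both questions in this exchange. It fetches an API key, imports the renewed certificate and its private key under one certificate name, and then issues the commit itself. It assumes the chain and key are already on disk (for example acme.sh's output), that the key has been PEM-encrypted with the passphrase you pass (e.g. `openssl pkey -aes256`), because the private-key import takes a passphrase for the uploaded PEM, and that the CA which issued the management interface's own certificate is available as a file so the script can verify the firewall instead of disabling TLS checks. Host, user, certificate name and paths are placeholders.

```python
"""Import a renewed Let's Encrypt certificate into PAN-OS over the XML API and commit.

Added example, not acme.sh's panos.sh and not Palo Alto Networks code. Assumptions:
  - the cert chain and key are already on disk (e.g. acme.sh output) and the key
    has been PEM-encrypted with the passphrase handed to deploy(), because the
    private-key import takes a passphrase for the uploaded PEM;
  - an admin account with XML API rights; host, names and paths are placeholders.
"""
import ssl
import urllib.parse
import urllib.request
import uuid
import xml.etree.ElementTree as ET


def parse_response(xml_bytes):
    """Return (status, detail) from a PAN-OS XML API reply.

    status is the <response status="..."> attribute; detail is the API key for
    a keygen reply, the <msg> text (error text or commit message) if present,
    otherwise the text of <result>.
    """
    root = ET.fromstring(xml_bytes)
    status = root.get("status", "unknown")
    key = root.find("./result/key")
    if key is not None and key.text:
        return status, key.text.strip()
    msg = root.find(".//msg")
    if msg is not None:
        return status, "".join(msg.itertext()).strip()
    result = root.find("./result")
    return status, ("".join(result.itertext()).strip() if result is not None else "")


def encode_multipart(field, filename, content, boundary=None):
    """multipart/form-data body for one file field (stdlib only, no requests)."""
    boundary = boundary or uuid.uuid4().hex
    head = (f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
            "Content-Type: application/octet-stream\r\n\r\n").encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return head + content + tail, f"multipart/form-data; boundary={boundary}"


def import_params(api_key, category, cert_name, passphrase=None):
    """Query parameters for type=import of a PEM certificate or its private key."""
    if category not in ("certificate", "private-key"):
        raise ValueError("category must be 'certificate' or 'private-key'")
    params = {"type": "import", "category": category, "certificate-name": cert_name,
              "format": "pem", "key": api_key}
    if category == "private-key":
        if not passphrase:
            raise ValueError("private-key import needs the PEM passphrase")
        params["passphrase"] = passphrase
    return params


def _call(host, query, body=None, content_type=None, ctx=None):
    """POST (if body) or GET https://host/api/?query and parse the XML reply."""
    url = f"https://{host}/api/?{urllib.parse.urlencode(query)}"
    req = urllib.request.Request(url, data=body, method="POST" if body else "GET")
    if content_type:
        req.add_header("Content-Type", content_type)
    with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
        return parse_response(resp.read())


def deploy(host, user, password, cert_name, cert_path, key_path, key_passphrase, cafile):
    """Keygen, import cert + key under one certificate name, then commit.

    cafile is the CA that issued the management interface's own certificate;
    verifying against it keeps the admin password and private key from being
    sent to an impersonated firewall (no verify=False shortcuts).
    """
    ctx = ssl.create_default_context(cafile=cafile)
    # Credentials go in the POST body, not the URL, so they stay out of access logs.
    creds = urllib.parse.urlencode({"user": user, "password": password}).encode()
    status, api_key = _call(host, {"type": "keygen"}, creds,
                            "application/x-www-form-urlencoded", ctx)
    if status != "success":
        raise RuntimeError(f"keygen failed: {api_key}")
    for category, path, pw in (("certificate", cert_path, None),
                               ("private-key", key_path, key_passphrase)):
        with open(path, "rb") as fh:
            body, ctype = encode_multipart("file", f"{cert_name}.pem", fh.read())
        status, detail = _call(host, import_params(api_key, category, cert_name, pw),
                               body, ctype, ctx)
        if status != "success":
            raise RuntimeError(f"{category} import failed: {detail}")
    status, detail = _call(host, {"type": "commit", "cmd": "<commit></commit>", "key": api_key},
                           ctx=ctx)
    if status != "success":
        raise RuntimeError(f"commit failed: {detail}")
    return detail  # e.g. "Commit job enqueued with jobid N"


if __name__ == "__main__":
    # All values below are placeholders for your own environment.
    print(deploy("fw-mgmt.example.internal", "acme-deploy", "CHANGE-ME", "vpn-example-com",
                 "/root/.acme.sh/vpn.example.com/fullchain.cer",
                 "/root/.acme.sh/vpn.example.com/vpn.example.com.key.enc",
                 "CHANGE-ME", "/etc/ssl/certs/internal-mgmt-ca.pem"))
```

Import under the certificate name your SSL/TLS service profile (portal, gateway or web admin) already references, so the profile picks up the renewed certificate on commit without a config change. Run the script as the renew hook of whatever obtained the certificate; the account it uses only needs XML API rights for import and commit, not superuser.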
