07-31-2018 11:43 PM
Hi,
While I know most would use an issued SSL certificate, it would be great if PANOS supported Let's Encrypt for requesting SSL certificates for things like the management interface and GlobalProtect.
02-10-2021 05:40 PM
Wouldn't this be the same as the GlobalProtect interfaces - portal and gateway?
Just a function you can apply to some interface?
Why does it have to be the management interface?
A
06-01-2021 10:47 AM - edited 06-01-2021 11:39 AM
OK, since this is something that would really be nice to have, I tried something new today and it seems promising. Here are the details:
step 0: GP external portal/gateway - working but cannot get a valid cert for this using Let's Encrypt
step 1: configure/set up internal portal/gateway
step 2: install nginx proxy manager on something
step 3: set up a proxy host to use your external domain to forward to the GP internal IP address (i.e. 192.168.whatever:443)
step 4: set up NAT and security policies to allow ports 80 and 443 inbound to your nginx proxy manager host
step 5: test it... you should be able to hit your internal VPN portal from the internet using your domain name
step 6: use nginx proxy manager to auto-generate a Let's Encrypt cert - this is where I have a problem. For me, I get an error and cannot get the cert to generate. I have been trying to troubleshoot this but so far no luck... but I think I am 90% of the way there and this *should* work, but something is wonky with the cert fetching process in the nginx proxy manager container
EDIT:
It works! For some reason I put 443 in my Destination NAT policy; I must have been still waking up this morning. After removing that and making sure the security policy allows 80 and 443, the proxy manager grabbed a cert and I have a valid chain on the VPN portal now. This should auto-renew going forward.
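The proxy arrangement from steps 2 to 6 above, written out as a plain nginx configuration. This is an added example, not part of the original post and not the configuration that nginx proxy manager generates; the domain, the addresses and every file path in it are placeholders.

```nginx
# Added illustration. vpn.example.com, 192.0.2.10 and all file paths are
# placeholders (assumptions), not values from the thread.

# HTTP-01 validation is fetched over plain HTTP, so inbound port 80 has to
# reach this listener for issuance and renewal to succeed.
server {
    listen 80;
    server_name vpn.example.com;

    # Challenge files written by the ACME client (placeholder webroot).
    location /.well-known/acme-challenge/ {
        root /var/www/acme-challenge;
    }

    # Everything else is sent to the TLS listener.
    location / {
        return 301 https://$host$request_uri;
    }
}

# Public TLS endpoint: presents the Let's Encrypt chain to clients and
# forwards to the internal portal/gateway.
server {
    listen 443 ssl;
    server_name vpn.example.com;

    ssl_certificate     /etc/letsencrypt/live/vpn.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/vpn.example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass https://192.0.2.10:443;   # internal portal (placeholder)
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;

        # nginx does not verify the upstream certificate by default. Pin the
        # internal hop to the CA that signed the portal's own certificate.
        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate /etc/nginx/internal-ca.pem;
        proxy_ssl_name                vpn.example.com;
        proxy_ssl_server_name         on;
    }
}
```

TLS terminates on the proxy in this layout, so the proxy host holds the private key and sees decrypted portal traffic; it needs the same hardening and patching attention as the firewall it fronts.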
11-16-2021 05:47 AM
Hi @gfreeman, could you give us feedback about the status of a possible Let's Encrypt integration?
Our company wants to have this feature on our PANOS and PANORAMA devices for the following reasons:
- GlobalProtect portal/gateway integration
- SSL decrypt profiles
- Webadmin interface certificates
A native integration of Let's Encrypt certificates on PANOS would be an advantage in maintaining the certificates automatically.
Cheers
Andy
11-25-2021 01:08 PM
Since opening this query to the community, Palo Alto Networks has integrated with the acme.sh script to import the certificates created.
Coming in the next release of the Terraform provider, there will also be a resource to do certificate imports, though if you're already using acme.sh to import the certificate you likely won't use this new resource.
01-26-2022 08:53 PM
Fortinet supports it natively. Palo?
01-26-2022 09:26 PM
@gfreeman does it do the commit as well?
Can you extract the plugin and use it outside of acme?
02-17-2022 02:17 AM
@Alex_Samad the panos.sh is freely available on the acme GitHub with all the other deploy scripts; you can copy it and modify it to your needs to use it outside of acme.