LetsEncrypt integration

cancel
Showing results for 
Search instead for 
Did you mean: 

LetsEncrypt integration

L1 Bithead

Hi,

 

While I know most would use an issued SSL certificate it would be great if PANOS supported LetsEncrypt for requesting SSL certificates for things like the management interface and GlobalProtect.

46 REPLIES 46

I wonder if that is by DNS ?

Thanks for your interest. I'm currently writing a how-to which will explain how to get this deploy to run successfully.  To get this to work with out opening ports is to use the acme.sh automatic dnsapi feature.

https://github.com/Neilpang/acme.sh/wiki/dnsapi

 

I have tested this with the CloudFlare option and it works.

Thanks for the info! I have been researching and I believe I am out of luck since I use Google Domains (not gcloud) and they do not have an API. I may have to move to another service to take advantage of the script.

You could export your DNS to GCloud DNS. Then you can leverage the Google Cloud DNS API.

@btorresgil well, its ok for labs as workaround but for production I would expect a role that would be restricted as much as possible so not much damage could be done with that user.

1) If you're currently using Let's Encrypt certs with PAN-OS and your workflow does not look like the above, can you briefly describe it?

 

Not using LE with PAN-OS. 

 

2) Is your desired end goal that PAN-OS runs Let's Encrypt natively? If not, what is your desired end goal?

 

Yes. LE native.

 

3) In between the end goal and now, would you want a stop-gap solution?

 

No thank-you.

 

4) If you want a stop-gap solution, what form should it take? A standalone executable / script? Ansible module? Terraform resource? Tie-in to an existing Let's Encrypt client, such as certbot or acme.sh?

 

No thank-you. Waiting for LE native solution. 

 

Thanks, PLA ☮

L2 Linker

I wanted to share an article I wrote on how to use LetsEncrypt Certs with PAN-OS.

 

Costless, Automated, Trusted Certificates on Palo Alto Networks Firewalls 

L4 Transporter

For me the issue is that if you are running a GP portal on port 80/443 then these methods for getting an LE cert won't work. Even NATing port 80 into another server that will only work when accessed by IP (hostname will try to use https) 

 

Changing the ports that GP runs on is not a very elegant solution. I think having functionality built into PANOS that will take the GP portal into consideration might be helpful. For example in my case it would be nice to have a cert on my lab portal.

I use an LE cert for our GP Portal.  And the Web UI for each firewall.  The only thing we don't use LE certs for is the rest of the GP infrastructure (gateways and clients).  That's all done using the self-signed, trusted ca cert on the portal.

 

We use DNS-based checks for creating the LE certs.  No web server required.  Currently using dehydrated (python script) as it was the first one that I found that supports DNS challenge and hook script support.  Renewing the certs is completely automated.  The only manual part is copying the cert to the firewall, as I haven't gone through all the testing to get it working via the XML API. 

@fjwcashYou may want to check out this article on how to completely automate the renewal process.

 

Costless, Automated, Trusted Certificates on Palo Alto Networks Firewalls 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!