LetsEncrypt integration

While I know most would use an issued SSL certificate, it would be great if PAN-OS supported LetsEncrypt for requesting SSL certificates for things like the management interface and GlobalProtect.




I am just setting up LetsEncrypt certificates for a small GlobalProtect deployment and use pretty much the method that you suggest.  I use a separate Linux box to handle the certificate creation and renewal and have an upload script to upload the certificate via the API with a simple curl command.


This however does not currently work as the certificate gets imported via the API without the private key.  If I use the web GUI, the certificate works fine, complete with the private key - is this a bug?


Native LE support would be great, however at least being able to upload the cert via the API would make life a lot easier (assuming that I am not just doing something wrong!).



Doh!  Just found the private-key API import command and realised that you have to import the cert first and then the private key afterwards!  I assumed it was a single step process...
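The two-step import described above, written out as a deploy script. This is an added example, not code from the thread or from Palo Alto Networks. It assumes the PAN-OS XML API import parameters (type=import, category=certificate or private-key, certificate-name, format=pem, passphrase) and the X-PAN-KEY request header for the API key (the key= query parameter is the alternative on older releases); the firewall host, API key, certificate name and file paths are placeholders supplied by the caller. Two details matter: the certificate must be imported before the key under the same certificate-name, or the key is not attached to the certificate, and PAN-OS only accepts a passphrase-protected PEM private key, so the script re-wraps the key with a throwaway passphrase before upload. The passphrase travels in the query string (over TLS), so it is generated per run and the plaintext key never leaves the renewal host unencrypted.

```shell
#!/bin/sh
# Added example (not from the thread): push a Let's Encrypt certificate
# into PAN-OS via the XML API in the order the API needs: certificate,
# then private key under the same certificate-name, then commit.
# Assumed: import parameters and the X-PAN-KEY header shown below.
# PANOS_HOST / PANOS_APIKEY and all names and paths are placeholders.
set -eu

# Build the URL for one import call. certificate-name must be identical
# for the certificate and the key; names and passphrases are assumed
# URL-safe (hex passphrase, hostname-style cert name).
panos_import_url() {
    pi_host=$1 pi_category=$2 pi_name=$3
    pi_url="https://${pi_host}/api/?type=import&category=${pi_category}&certificate-name=${pi_name}&format=pem"
    if [ "$pi_category" = "private-key" ]; then
        # PAN-OS only accepts a passphrase-protected PEM private key.
        pi_url="${pi_url}&passphrase=$4"
    fi
    printf '%s' "$pi_url"
}

# True when an XML API response reports success.
panos_ok() {
    printf '%s' "$1" | grep -q 'status="success"'
}

# Re-wrap the key under a passphrase; PKCS#8 covers RSA and ECDSA keys.
encrypt_key() {
    openssl pkcs8 -topk8 -v2 aes-256-cbc -in "$1" -out "$2" -passout "pass:$3"
}

# Upload one file; the API key goes in a header, not the URL, so it is
# not written to proxy or shell history logs.
panos_import() {
    pim_host=$1 pim_key=$2 pim_category=$3 pim_name=$4 pim_file=$5 pim_pass=${6:-}
    pim_url=$(panos_import_url "$pim_host" "$pim_category" "$pim_name" "$pim_pass")
    pim_resp=$(curl -sS --fail -H "X-PAN-KEY: $pim_key" -F "file=@${pim_file}" "$pim_url")
    if ! panos_ok "$pim_resp"; then
        echo "import of $pim_category '$pim_name' failed: $pim_resp" >&2
        return 1
    fi
}

# Commit the candidate config so the new cert takes effect.
panos_commit() {
    pc_resp=$(curl -sS --fail -H "X-PAN-KEY: $2" -G \
        --data-urlencode 'cmd=<commit></commit>' "https://$1/api/?type=commit")
    panos_ok "$pc_resp"
}

# main CERT_NAME FULLCHAIN_PEM PRIVKEY_PEM
# dehydrated's deploy_cert hook receives DOMAIN KEYFILE CERTFILE FULLCHAINFILE ...,
# so it can call: main "$DOMAIN" "$FULLCHAINFILE" "$KEYFILE"
main() {
    m_name=$1 m_chain=$2 m_key=$3
    m_pass=$(openssl rand -hex 16)   # throwaway; only protects this upload
    m_tmp=$(mktemp)
    trap 'rm -f "$m_tmp"' EXIT
    encrypt_key "$m_key" "$m_tmp" "$m_pass"
    panos_import "$PANOS_HOST" "$PANOS_APIKEY" certificate "$m_name" "$m_chain"
    panos_import "$PANOS_HOST" "$PANOS_APIKEY" private-key "$m_name" "$m_tmp" "$m_pass"
    panos_commit "$PANOS_HOST" "$PANOS_APIKEY"
}

# Only run when the firewall and key are supplied; otherwise just define functions.
if [ -n "${PANOS_HOST:-}" ] && [ -n "${PANOS_APIKEY:-}" ]; then
    main "$@"
fi
```

Run it from the renewal host as `PANOS_HOST=fw.example.net PANOS_APIKEY=... ./panos-deploy.sh gp.example.net fullchain.pem privkey.pem`. The API key should belong to a dedicated administrator whose role allows only the XML API import and commit operations, so a leaked key from the cron box cannot read or rewrite the rest of the configuration.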

1) The above is accurate for us.

2) No, having Terraform and Ansible support to manage certificates would be a better option in my opinion. If you integrate Lets Encrypt directly on the OS then that fixes cert management for LE users but not users of other CAs. If you had modules for Terraform and Ansible, that would cover all users and not just LE users. Or support LE natively but also have cert management modules.

3/4) No, we have a working solution.


EDIT: If you do integrate LE directly, please support all validation methods and don't limit it to just one.


@gfreeman wrote:

So here's the questions I have:


1) If you're currently using Let's Encrypt certs with PAN-OS and your workflow does not look like the above, can you briefly describe it?

2) Is your desired end goal that PAN-OS runs Let's Encrypt natively?  If not, what is your desired end goal?

3) In between the end goal and now, would you want a stop-gap solution?

4) If you want a stop-gap solution, what form should it take?  A standalone executable / script?  Ansible module?  Terraform resource?  Tie-in to an existing Let's Encrypt client, such as certbot or acme.sh?


Thanks in advance for the feedback!


1.  We run dehydrated on a Linux station that runs once a week and updates certs for our firewalls, Panorama, and GlobalProtect portal domains.  We use a self-signed CA root cert for GlobalProtect clients.  (We run dehydrated on another Linux system that updates the cert on 50-odd Linux servers for use with Webmin, Apache, Lighttpd, CUPS, 3Ware GUI etc., automatically.)


2.  Having a way to script the uploads of the certs into Panorama for pushing out to the firewalls, and into the GP Portal would be handy, and save the 10-15 minutes I spend every 60-odd days doing it manually. 🙂  (No, I haven't looked into the XML API as yet, it's on the Todo list, though.)


3. and 4.  See 2. above.

@WTSU wrote:

Doh!  Just found the private-key API import command and realised that you have to import the cert first and then the private key afterwards!  I assumed it was a single step process...

Oooh, that's helpful.  Now I have some reading to do to get our LE setup fully-automated.  😄
