07-31-2018 11:43 PM
Hi,
While I know most would use an issued SSL certificate it would be great if PANOS supported LetsEncrypt for requesting SSL certificates for things like the management interface and GlobalProtect.
07-26-2019 12:07 AM
Just to add to the thread.
Yes I would like to use letsencrypt with PA.
No I don't want to manage the certs in PA. Why - current management sucks - renew a cert with SAN attributes and they get lost - support tell me that's just how it is and I shouldn't be using the PA for cert management (double checked with SE ..)
I do currently have a script for auth and distributing certs.
I would mind if somebody here could port the scripts to insert into PA.
By PA I mean Panorama which would then distribute it to the other PA's
so I would have a placeholder name of, say, LE1 which could then be assigned to a PA management interface.
My script would renew the LE1 cert and then insert into PA (via api ?) which would overwrite the current LE1 and then somehow push from panorama to the PA's
07-27-2019 10:27 PM
Having this integration would be amazing.
We manage around 100-odd PA-220s for small clients, all with GP.
To answer your questions:
1) If you're currently using Let's Encrypt certs with PAN-OS and your workflow does not look like the above, can you briefly describe it?
We aren't using it because of the high maintenance.
2) Is your desired end goal that PAN-OS runs Let's Encrypt natively? If not, what is your desired end goal?
100% Natively would be the goal.
3) In between the end goal and now, would you want a stop-gap solution?
Depends on how complex.
4) If you want a stop-gap solution, what form should it take? A standalone executable / script? Ansible module? Terraform resource? Tie-in to an existing Let's Encrypt client, such as certbot or acme.sh?
Anything - but depends on how complex.
12-18-2019 09:11 AM - edited 12-18-2019 09:11 AM
any update here?
1) I have a webserver behind the Palo for which I want to enable inbound SSL decryption; I use Let's Encrypt certs for this.
2) End goal is only to not have to reimport the cert into the Palo every x weeks; an integration into certbot's auto-renewal would be good
3) yes
4) standalone script or better tied into certbot
12-18-2019 09:46 AM
@panguyen wrote a LetsEncrypt integration for PAN-OS into the acme.sh client. The Pull Request is up for review here:
https://github.com/Neilpang/acme.sh/pull/2614
While the PR is getting reviewed and merged, you can use the integration by simply downloading the deployment file (deploy/panos.sh) into your own acme.sh installation. Here's a link to the file: https://github.com/Neilpang/acme.sh/pull/2614/files#diff-6ca80cd0349982033417d0bcd9b6952e
I know many people use Certbot, but we wanted a solution for internal and external firewalls that could be 100% automated, and we couldn't find a way to do that with Certbot. Acme.sh has many API-based domain verification capabilities that match well with the use case for internal firewall certs and automatic deployment. If anyone knows a viable way to integrate with Certbot, let us know.
Happy to answer any questions, and enjoy your free, auto-deployed firewall certificates!
-Brian
12-19-2019 07:03 AM - edited 12-20-2019 02:08 AM
Hi @btorresgil @panguyen @gfreeman
ok, so the deploy of this is done automatically and only when a new cert has been issued...
but this stores a superuser account name and password in cleartext... this should be mentioned, or better yet store only the API key, accessible only by the user executing the command, or something like that..
The final solution should be somewhat secure: an exposed DMZ host which might have a vulnerability giving superuser access to the firewall, which can then open up access to the rest of the network? 😞
must be a better way
EDIT: giving API access for import and commit seems to be enough (still allows to import new config and gain full access this way but...)... now if it were possible to only store the api-key and store this in a safe way it would at least be an interim solution until something can be created that allows nothing but import certificates 😛
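The "renew, then push LE1 into the firewall via the API" step from earlier in the thread, written the way the last reply asks for: only an API key is stored, in a mode-0600 file, and the key belongs to an admin role limited to Import and Commit. This is an added example, not acme.sh's deploy/panos.sh and not any poster's script; PANOS_HOST, the file paths and the role setup are assumptions, and "LE1" is the placeholder name used above.

```shell
#!/bin/sh
# Added example (not acme.sh's deploy/panos.sh, not any poster's script):
# push a renewed Let's Encrypt cert into PAN-OS/Panorama as "LE1" using a
# PAN-OS XML API key read from a 0600 file instead of a superuser name and
# password in cleartext. Assumed: the key was generated for a dedicated admin
# role that only has the Import and Commit XML API permissions; PANOS_HOST
# and the file paths are assumptions; "LE1" is the thread's placeholder name.
set -eu

PANOS_HOST="${PANOS_HOST:-panorama.example.internal}"
CERT_NAME="${CERT_NAME:-LE1}"

# Refuse a key file that group or others can read, write or execute.
read_api_key() {
  f="$1"
  [ -f "$f" ] || { echo "key file $f missing" >&2; return 1; }
  perms=$(ls -ld "$f" | cut -c5-10)      # group + other permission bits
  [ "$perms" = "------" ] || { echo "$f must be mode 0600" >&2; return 1; }
  tr -d '\n' < "$f"
}

# Every XML API reply carries <response status="success"> or status="error".
api_ok() {
  case "$1" in *'<response status="success"'*) return 0 ;; esac
  return 1
}

# panos_deploy KEYFILE CERT.pem KEY.pem CA.pem: import the renewed certificate
# and its private key under CERT_NAME (overwriting the old copy), then commit.
# The API key travels in the X-PAN-KEY header (PAN-OS 9.0+), never on argv.
panos_deploy() {
  key=$(read_api_key "$1") || return 1
  api="https://$PANOS_HOST/api/"
  pp=$(openssl rand -hex 16)             # single-use passphrase for the upload
  enc=$(mktemp); trap 'rm -f "$enc"' EXIT
  # PAN-OS requires a passphrase when importing a PEM private key.
  openssl pkey -in "$3" -aes256 -passout "pass:$pp" -out "$enc"
  out=$(curl -sS -f --cacert "$4" -H "X-PAN-KEY: $key" -F "file=@$2" \
        "$api?type=import&category=certificate&certificate-name=$CERT_NAME&format=pem")
  api_ok "$out" || { echo "certificate import failed: $out" >&2; return 1; }
  out=$(curl -sS -f --cacert "$4" -H "X-PAN-KEY: $key" -F "file=@$enc" \
        -F "passphrase=$pp" \
        "$api?type=import&category=private-key&certificate-name=$CERT_NAME&format=pem")
  api_ok "$out" || { echo "private key import failed: $out" >&2; return 1; }
  out=$(curl -sS -f --cacert "$4" -H "X-PAN-KEY: $key" -G \
        --data-urlencode 'cmd=<commit></commit>' "$api?type=commit")
  api_ok "$out" || { echo "commit failed: $out" >&2; return 1; }
}
# Usage: panos_deploy /etc/panos/apikey fullchain.pem privkey.pem panos-ca.pem
```

Run it from the ACME client's renew hook as the same unprivileged user that owns the key file; an import via a role without config-edit rights limits what a compromised DMZ host can change on the firewall to certificates and commits.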