1) If you're currently using Let's Encrypt certs with PAN-OS and your workflow does not look like the above, can you briefly describe it?
2) Is your desired end goal that PAN-OS runs Let's Encrypt natively? If not, what is your desired end goal?
3) In between the end goal and now, would you want a stop-gap solution?
4) If you want a stop-gap solution, what form should it take? A standalone executable / script? Ansible module? Terraform resource? Tie-in to an existing Let's Encrypt client, such as certbot or acme.sh?

1. We don't use Let's Encrypt certs with PAN-OS currently because it's a pita to manage cert renewal manually, as you have to do it every 90 days. We do run certbot on our other web servers; it runs every day and renews only when the cert is near expiring, and it also swaps out certs and flushes the Apache cache automatically. If there is any error, an email is sent to me.

2. Natively or not, I think making the process automatic and simple is what I would expect.

3. and 4. Yes. It doesn't really matter as long as it can automate the process, or at least automate as much as possible, so that functions in PAN-OS don't fail just because an admin forgot to renew the certs.

Other comment: Please also make domain ownership validation options flexible, as everyone's setup is different. In our case, xyz.com as well as DNS is controlled by headquarters; branchvpn.abc.com and branchvpn2.abc.com are issued to us. We won't be able to prove ownership of xyz.com, but branchvpn.abc.com or branchvpn2.abc.com. And we can only use the .well-known files method, and not the DNS TXT method, as we do not control the DNS server.
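The stop-gap the reply asks for, as an added example that is not from this thread or from Palo Alto Networks: a certbot `--deploy-hook` that pushes a renewed certificate into PAN-OS over the XML API (`type=import`, `category=keypair`, then a commit) and mails on failure, mirroring the certbot workflow described above. It assumes the HTTP-01 (`.well-known`) challenge is already handled by certbot on the host running the hook, and that `FW_HOST`, `FW_API_KEY`, `CERT_NAME`, `PFX_PASS` and `ALERT_MAIL` are placeholders you replace.

```shell
#!/bin/sh
# Added example: certbot deploy hook for PAN-OS (not from the thread).
# certbot obtains the cert via HTTP-01 on this host; this hook only deploys it.
FW_HOST="${FW_HOST:-firewall.example.invalid}"        # placeholder firewall
FW_API_KEY="${FW_API_KEY:-REPLACE_WITH_API_KEY}"      # placeholder API key
CERT_NAME="${CERT_NAME:-branchvpn-letsencrypt}"       # object name in PAN-OS
PFX_PASS="${PFX_PASS:-REPLACE_WITH_PASSPHRASE}"       # placeholder passphrase
ALERT_MAIL="${ALERT_MAIL:-admin@example.invalid}"     # placeholder address

# Build an XML API URL: panos_url <type> <extra query string>.
# The API key is sent as the X-PAN-KEY header rather than in the URL.
panos_url() {
    printf 'https://%s/api/?type=%s&%s' "$FW_HOST" "$1" "$2"
}

# PAN-OS requires a passphrase-protected key, and certbot writes an
# unencrypted privkey.pem, so bundle cert and key into PKCS#12 first.
make_pkcs12() {  # make_pkcs12 <certbot lineage dir> <output .pfx>
    openssl pkcs12 -export -in "$1/fullchain.pem" -inkey "$1/privkey.pem" \
        -name "$CERT_NAME" -passout "pass:$PFX_PASS" -out "$2"
}

# Import the bundle; the XML reply carries status="success" when accepted.
import_keypair() {  # import_keypair <pfx file>
    curl -sSf -H "X-PAN-KEY: $FW_API_KEY" -F "file=@$1" \
        "$(panos_url import "category=keypair&certificate-name=$CERT_NAME&format=pkcs12&passphrase=$PFX_PASS")"
}

# Commit so the SSL/TLS service profile referencing CERT_NAME picks it up.
commit_config() {
    curl -sSf -H "X-PAN-KEY: $FW_API_KEY" "$(panos_url commit 'cmd=<commit></commit>')"
}

# Treat only an explicit success status as success; anything else fails.
api_ok() { printf '%s' "$1" | grep -q 'status="success"'; }

deploy() {
    pfx="$(mktemp)"; trap 'rm -f "$pfx"' EXIT
    make_pkcs12 "$RENEWED_LINEAGE" "$pfx" || return 1
    resp="$(import_keypair "$pfx")" && api_ok "$resp" || return 1
    resp="$(commit_config)" && api_ok "$resp" || return 1
}

# certbot sets RENEWED_LINEAGE only when invoking a deploy hook after renewal,
# so sourcing or running this file by hand does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy || { echo "PAN-OS cert deploy failed for $RENEWED_LINEAGE" |
        mail -s "PAN-OS cert deploy failed" "$ALERT_MAIL"; exit 1; }
fi
```

Install it with `certbot renew --deploy-hook /path/to/this.sh` (or under `/etc/letsencrypt/renewal-hooks/deploy/`) and give the API key an admin role limited to import and commit, since the passphrase still travels in the request URL.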