Let's Encrypt certificates can be used in cOS Core, for example for OneConnect, IKEv2 and HTTPS Management. The certificates are, however, valid for only 90 days and need to be renewed several times per year, which is a hassle if done manually. Can the update procedure be automated?
A third-party reverse proxy, such as Nginx, is set up and configured. On that host, Certbot is configured to handle certificates for one or several domains. One of these certificates is configured with a domain name used by cOS Core. The IP of the firewall is 192.168.1.1 and the administrator user is named “admin”.
The certificate file named fullchain.pem created by Certbot contains the full chain, consisting of three (3) certificates.
Create three certificate objects under Objects / Key Ring; in this example they are called MyCert, MyCert_C1 and MyCert_C2.
The first time, fullchain.pem needs to be edited in a text editor, the three certificates split into three files and each uploaded to its own Key Ring certificate object (MyCert, MyCert_C1 and MyCert_C2). For the domain certificate MyCert, the private key from the file privkey.pem must also be uploaded.
The domain certificate, in this example named MyCert, should then be selected as Certificate in cOS Core (under, for example, HTTPS Remote Management or IPsec Interfaces) and the other two, in this example MyCert_C1 and MyCert_C2, as Root Certificates.
Solution Using SCP and SSH
From the host that handles the renewal of Let's Encrypt certificates, issue the following commands or include them in a script that is run periodically (the firewall address and administrator name are those given above):
scp fullchain.pem admin@192.168.1.1:certificate/MyCert
scp privkey.pem admin@192.168.1.1:certificate/MyCert
This uploads the certificate file and the private key under the node named MyCert (which must already exist). After these commands the configuration has been changed, but it is neither activated nor committed.
Note! The exact path of the certificate needs to be specified on the Linux host. It is usually in the format /etc/letsencrypt/live/<your_domain>/fullchain.pem
To also activate the configuration, use ssh:
ssh admin@192.168.1.1 commit
ssh admin@192.168.1.1 activate
Note! From a security perspective, it is recommended not to run the script on the host that runs nginx/certbot, but rather from a secure zone.
Warning! Automatically activating configurations can be dangerous, since all other uncommitted changes will be committed as well. One solution can be to run the script only at night or on weekends, and to make sure that uncommitted changes are never left over nights or weekends.
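The two manual steps above, splitting fullchain.pem into one file per certificate and uploading a renewed chain and key, as an added shell example that is not part of the original article. The firewall address 192.168.1.1, the user "admin" and the Key Ring object MyCert are the article's values; the output file names cert_N.pem and the DRY_RUN switch are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article. Helpers for the two manual
# steps above: splitting certbot's fullchain.pem into one file per certificate
# (first-time setup) and uploading a renewed chain and key to an existing
# Key Ring object (every renewal). Firewall 192.168.1.1, user "admin" and the
# object name MyCert are the article's values; cert_N.pem names are assumed.
set -e

# split_chain FULLCHAIN OUTDIR: writes the N-th certificate in FULLCHAIN to
# OUTDIR/cert_N.pem (cert_1 = domain certificate, cert_2/cert_3 = chain) and
# prints how many certificates were found, so a count other than 3 is visible.
split_chain() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert_" n ".pem" }
        f != "" { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
        END { print n + 0 }
    ' "$1"
}

# run CMD...: with DRY_RUN=1 print the command instead of executing it, so the
# upload can be reviewed before it touches the firewall.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# deploy_cert LINEAGE_DIR TARGET NODE: upload fullchain.pem and privkey.pem from
# LINEAGE_DIR (e.g. /etc/letsencrypt/live/<your_domain>) to the Key Ring object
# NODE on TARGET. Activation is left to the caller on purpose: commit/activate
# apply every pending change on the firewall, not only this certificate.
deploy_cert() {
    lineage=$1; target=$2; node=$3
    for f in fullchain.pem privkey.pem; do
        [ -r "$lineage/$f" ] || { echo "deploy_cert: missing $lineage/$f" >&2; return 1; }
    done
    run scp "$lineage/fullchain.pem" "$target:certificate/$node"
    run scp "$lineage/privkey.pem" "$target:certificate/$node"
}

# When used as a certbot deploy hook, certbot exports RENEWED_LINEAGE with the
# directory of the lineage that was just renewed.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_cert "$RENEWED_LINEAGE" admin@192.168.1.1 MyCert
fi
```

Running the script with DRY_RUN=1 shows exactly which scp commands would be issued; the commit and activate steps from the article are then run separately at a time when no other changes are pending.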
Solution Using cOS Core Built-in Let's Encrypt Handling
This feature is not released at the time of writing, but will be available during the second half of 2023.
Nginx and Certbot
Nginx: Nginx is a widely used web server and reverse proxy. It acts as an intermediary between clients and web servers, managing web traffic.
Certbot: Certbot is an open-source tool that automates the setup and management of SSL/TLS certificates for web servers, simplifying the process of obtaining and renewing certificates.