Automation of Let's Encrypt certificate updates

Last modified on 23 Jan, 2024. Revision 19
Up to date for: cOS Core 14.00.12
Status: OK
Author: Johan Forsberg

Description

Let's Encrypt certificates can be used in cOS Core, for example for OneConnect, IKEv2 and HTTPS Management. The certificates are, however, only valid for 90 days and need to be renewed several times per year, which is a hassle if done manually. Can the update procedure be automated?

Scenario

A third-party reverse proxy, such as Nginx, is set up and configured. On that host, Certbot is configured to handle certificates for one or several domains. One of these certificates is issued for a domain name used by cOS Core. The IP of the firewall is 192.168.1.1 and the administrator user is named "admin".

Preparations

The file fullchain.pem created by Certbot contains the full chain: the domain certificate first, followed by the chain certificates, three (3) certificates in total in this example. The number of certificates in the file depends on the chain Let's Encrypt currently serves, so count the BEGIN CERTIFICATE blocks rather than assuming three.

Create one certificate object per certificate under Objects / Key Ring; in this example they are called MyCert, MyCert_C1 and MyCert_C2.

The first time, fullchain.pem must be split into three files (in a text editor, one certificate per file), and each file uploaded to its Key Ring object: the first certificate in the file (the domain certificate) to MyCert, the following two to MyCert_C1 and MyCert_C2. For the domain certificate MyCert, the private key from the file privkey.pem must also be uploaded.

The domain certificate, in this example MyCert, is then selected as Certificate in cOS Core (for example under HTTPS Remote Management or an IPsec interface) and the other two, in this example MyCert_C1 and MyCert_C2, as Root Certificates.
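The one-time split described above can be scripted instead of done by hand in a text editor. The following is an added example, not part of the original article and not Clavister's tooling; it assumes POSIX sh and awk and uses the object names MyCert, MyCert_C1 and MyCert_C2 from this article. The three-certificate chain it writes for the stand-alone run is constructed placeholder text, not real certificates.

```shell
#!/bin/sh
# Added example, not from the article or from Clavister. Splits certbot's
# fullchain.pem (domain certificate followed by the chain) into one PEM file
# per certificate, so each can be uploaded to its own Key Ring object:
# MyCert (domain certificate), MyCert_C1, MyCert_C2 (chain certificates).
# Assumes POSIX sh and awk.

# split_chain <fullchain.pem> <outdir> <basename>
# Writes <outdir>/<basename>.pem for the first certificate in the file and
# <outdir>/<basename>_C1.pem, _C2.pem, ... for the following ones.
# Prints the number of certificates found (0 if the file holds none).
split_chain() {
    chain="$1"; outdir="$2"; base="$3"
    mkdir -p "$outdir"
    awk -v outdir="$outdir" -v base="$base" '
        /^-----BEGIN CERTIFICATE-----/ {
            n++
            if (n == 1) out = outdir "/" base ".pem"
            else        out = outdir "/" base "_C" (n - 1) ".pem"
        }
        out != "" { print > out }                 # copy every line of the block
        /^-----END CERTIFICATE-----/ { close(out); out = "" }
        END { print n + 0 }
    ' "$chain"
}

# cert_count <file>: number of PEM certificate blocks in a file (0 if none),
# useful to check what a given fullchain.pem actually contains.
cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# make_sample_chain <path>: writes a constructed three-certificate "chain".
# The bodies are placeholder text, NOT real certificates; the real file lives
# under /etc/letsencrypt/live/<your_domain>/fullchain.pem.
make_sample_chain() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
CONSTRUCTED-LEAF-CERTIFICATE-BODY
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
CONSTRUCTED-INTERMEDIATE-CERTIFICATE-BODY
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
CONSTRUCTED-ROOT-CERTIFICATE-BODY
-----END CERTIFICATE-----
EOF
}

# Stand-alone run in a scratch directory.
work=$(mktemp -d)
make_sample_chain "$work/fullchain.pem"
found=$(split_chain "$work/fullchain.pem" "$work/split" MyCert)
echo "certificates found: $found"
ls "$work/split"
```

Run it against the real file with `split_chain /etc/letsencrypt/live/<your_domain>/fullchain.pem ./split MyCert`; the number it prints tells you how many Key Ring objects you need, and `cert_count` on each output file should be 1.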

Solution Using SCP and SSH

From the host that handles the renewal of Let's Encrypt certificates, issue the following commands, or include them in a script that is run periodically.

scp fullchain.pem admin@192.168.1.1:certificate/MyCert
scp privkey.pem admin@192.168.1.1:certificate/MyCert

This uploads the certificate file and the private key to the Key Ring object named MyCert (which must already exist). After the scp commands the configuration is changed but not yet activated and committed.

Note! The exact path of the certificate needs to be specified on the Linux host. It is usually in the format /etc/letsencrypt/live/<your_domain>/fullchain.pem, with privkey.pem in the same directory.


To also put the new configuration into use, activate it and then commit it over ssh. In cOS Core, activate applies the configuration and commit, issued within the confirmation window, makes it permanent; if no commit follows, cOS Core reverts to the previous configuration.

ssh admin@192.168.1.1 activate
sleep 5
ssh admin@192.168.1.1 commit

Note! From a security perspective, it is recommended not to run the script on the host that runs Nginx/Certbot, since that host is Internet-facing and the script carries SSH credentials for the firewall's administrator account. Run it from a host in a secure zone instead.

Warning! Automatically activating configurations can be dangerous, since all other uncommitted changes will be committed as well. One way to limit the risk is to only run the script at night or at weekends, and to make sure that uncommitted changes are never left over nights or weekends.
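The upload and activation steps above, put together as a periodic script that only touches the firewall when Certbot has actually renewed the certificate, so a nightly or weekend run never activates and commits unrelated pending changes for nothing. This is an added example, not code from the article or from Clavister; it assumes the firewall address, user and Key Ring object from the scenario, an SSH key for "admin" already trusted by the firewall, a state file path of our own choosing, and a DRY_RUN switch that prints the remote commands instead of running them. The PEM files in the stand-alone demo are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the article or from Clavister. A periodic deployment
# script (run from cron at night or at weekends, as the article advises) that
# pushes a renewed Let's Encrypt certificate to a cOS Core firewall with scp
# and then activates and commits the configuration over ssh, using the
# commands from the article. It only touches the firewall when fullchain.pem
# has changed since the last successful deployment.
#
# Assumptions: firewall address, user and Key Ring object from the scenario;
# an SSH key for "admin" already trusted by the firewall; DRY_RUN=1 prints the
# remote commands instead of running them. POSIX sh; cksum detects changes.
FW_HOST="${FW_HOST:-192.168.1.1}"
FW_USER="${FW_USER:-admin}"
FW_OBJECT="${FW_OBJECT:-MyCert}"     # must already exist under Objects / Key Ring
DRY_RUN="${DRY_RUN:-0}"

# run <cmd...>: execute the command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then echo "+ $*"; else "$@"; fi
}

# chain_id <fullchain.pem>: checksum and size of the file. Certbot rewrites
# the file with new content on renewal, so a changed id means a renewal.
chain_id() {
    cksum < "$1" | tr -s ' ' | cut -d ' ' -f 1,2
}

# needs_deploy <fullchain.pem> <statefile>: succeeds when the certificate
# differs from the one recorded in the state file (or nothing was recorded).
needs_deploy() {
    [ -f "$2" ] || return 0
    [ "$(chain_id "$1")" != "$(cat "$2")" ]
}

# deploy_cert <lineage dir>: upload fullchain.pem and privkey.pem to the Key
# Ring object, then activate the new configuration and commit it within the
# confirmation window. Each step runs only if the previous one succeeded.
deploy_cert() {
    lineage="$1"
    if ! [ -r "$lineage/fullchain.pem" ] || ! [ -r "$lineage/privkey.pem" ]; then
        echo "deploy_cert: fullchain.pem or privkey.pem missing in $lineage" >&2
        return 1
    fi
    run scp "$lineage/fullchain.pem" "$FW_USER@$FW_HOST:certificate/$FW_OBJECT" || return 1
    run scp "$lineage/privkey.pem"   "$FW_USER@$FW_HOST:certificate/$FW_OBJECT" || return 1
    run ssh "$FW_USER@$FW_HOST" activate || return 1
    run sleep 5
    run ssh "$FW_USER@$FW_HOST" commit
}

# sync_cert <lineage dir> <statefile>: deploy only when the chain changed and
# record what was deployed. Returns 0 (deployed), 2 (unchanged) or 1 (failed).
sync_cert() {
    needs_deploy "$1/fullchain.pem" "$2" || { echo "certificate unchanged, nothing to do"; return 2; }
    deploy_cert "$1" || return 1
    chain_id "$1/fullchain.pem" > "$2"
}

# Stand-alone demo: constructed placeholder PEM files (not real keys or
# certificates) in a scratch directory; remote commands are printed, not run.
# Production call (state file path is our own choice):
#   sync_cert /etc/letsencrypt/live/<your_domain> /var/lib/cos-cert.state
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED' '-----END CERTIFICATE-----' > "$demo/fullchain.pem"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'CONSTRUCTED' '-----END PRIVATE KEY-----' > "$demo/privkey.pem"
( DRY_RUN=1; sync_cert "$demo" "$demo/state" )
```

Schedule it from cron in the window the warning above describes (for example early on Sunday mornings). The script needs read access to privkey.pem, which Certbot creates readable by root only, and if it runs from a host in a secure zone rather than the Certbot host, that host must first receive the two PEM files by some other trusted channel.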

Solution Using cOS Core Built-in Let's Encrypt Handling

As of version 14.00.12 it is possible to let cOS Core handle Let's Encrypt certificate updates itself. See the ACME section in the Admin Guide for more information.

Nginx and Certbot

Nginx: Nginx is a widely used web server and reverse proxy. As a reverse proxy it sits between clients and backend web servers and forwards their traffic.

Certbot: Certbot is an open-source tool that automates obtaining, installing and renewing SSL/TLS certificates for web servers, including Let's Encrypt certificates.



Related articles

Roaming IKEv2 tunnel setup in cOS Core with XCA CA and FreeRADIUS
10 Mar, 2023 core vpn ikev2 windows radius certificate
Configuring public certificates in NetWall firewalls
18 Mar, 2024 core certificate oneconnect ipsec vpn
cOS Core L2TP server setup with Windows Server CA certificates
21 Feb, 2023 ipsec certificate windows ca core
Certificate update in InControl global domain on certificate that is used on firewall(s)
18 Mar, 2024 core incontrol certificate oneconnect ipsec vpn
OneConnect VPN certificate not trusted
18 Mar, 2024 onetouch sslvpn oneconnect troubleshoot certificate
Clavister OneConnect server using cOS Core as CA Server
11 May, 2023 oneconnect certificate howto
Roaming Windows IKEv2 setup with NetWall as CA server
2 Dec, 2022 netwall ikev2 windows certificate vpn core