Installing a Let’s Encrypt certificate in a Sophos XD firewall

In this blog I will give you a walkthrough how to install a Let’s Encrypt Certificate in a Sophos XD Firewall. The prerequisite is that you have a split DNS configuration. Inside your network you have a local DNS server which resolves the service name to an internal IP-Address and the service name will be resolved to the official IP-Address of your router.

There are a few easy steps which you have to perform:

  1. Install a linux server which contains a certbot (we will call the server letsencrypt)
  2. Define the service name (sophos.moshous.de in this example) in your split DNS environment
    – to point to the official IP-Address of your router if you resolve the name from the internet
    – to point to the local IP-Address of your Sophos XD firewall
  3. Create the Let’s Encrypt Certificate
    – Forward port 443 on the router to the linux server
    – Create the Let’s Encrypt certificate on the linux server
    – Disable port 443 on the router to the linux server
  4. Upload the certificates to the Sophos XD firewall

So let’s start 😉

1. Install a linux environment including certbot

In this blog I will use a LXC installation of Ubuntu Artful on my turris omnia router to have a clean linux environment.

Log in to your Turris Omnia via ssh and then execute the following command:

root@turris:~# lxc-create -t download -n letsencrypt_artful
Setting up the GPG keyring
Downloading the image index
---
DIST RELEASE ARCH VARIANT BUILD
---
Turris_OS stable armv7l default 2017-12-03
Turris_OS stable ppc default 2017-12-03
Alpine 3.4 armv7l default 2017-12-03
ArchLinux latest armv7l default 2017-12-03
Debian Stretch armv7l default 2017-12-03
Debian Buster armv7l default 2017-12-03
Gentoo stable armv7l default 2017-12-03
openSUSE 42.2 armv7l default 2017-12-03
openSUSE 42.3 armv7l default 2017-12-03
openSUSE Tumbleweed armv7l default 2017-12-03
Sabayon current armv7l default 2017-12-03
Ubuntu Xenial armv7l default 2017-12-03
Ubuntu Zesty armv7l default 2017-12-03
Ubuntu Artful armv7l default 2017-12-03
---

Distribution: Ubuntu
Release: Artful
Architecture: armv7l

Downloading the image index
Downloading the rootfs
Downloading the metadata
The image cache is now ready
Unpacking the rootfs
---
Distribution Ubuntu version Artful was just installed into your container.
Content of the tarballs is provided by third party, thus there is no warranty of any kind.

Now check the installation:

root@turris:~# lxc-ls
letsencrypt_artful  

root@turris:~# lxc-start --name letsencrypt_artful
root@turris:~# lxc-attach --name=letsencrypt_artful
root@LXC_NAME:~# echo "letsencryt" > /etc/hostname
root@LXC_NAME:~# hostname letsencrypt
root@LXC_NAME:~# exit

Reconnect to the container:

root@turris:~# lxc-attach --name=letsencrypt_artful
root@letsencrypt:~# apt-get update
root@letsencrypt:~# apt-get upgrade
root@letsencrypt:~# apt-get install certbot

Now the container is ready for retrieving let’s encrypt certificates.

2. Define the DNS name

The next step is to define the name in the public DNS. My hosting provider enables me to configure the DNS entries for my domain moshous.de.

Now we can check the name resolution using an official DNS server:

root@letsencrypt:~# apt-get install dnsutils
root@letsencrypt:~# dig sophos.moshous.de @9.9.9.9
; <<>> DiG 9.10.3-P4-Ubuntu <<>> sophos.moshous.de @9.9.9.9
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32769
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096

;; QUESTION SECTION:
;sophos.moshous.de. IN A

;; ANSWER SECTION:
sophos.moshous.de. 3600 IN CNAME dyndns.moshous.de.
dyndns.moshous.de. 10 IN A 188.192.102.45

;; Query time: 44 msec
;; SERVER: 9.9.9.9#53(9.9.9.9)
;; WHEN: Sat Dec 09 21:00:08 UTC 2017
;; MSG SIZE  rcvd: 83

This looks fine – next step is to forward port 443 to the linux server.

3. Create the Let’s Encrypt Certificate

Determine the IP-Address of the host letsencrypt:

root@letsencrypt:~# apt-get install net-tools
root@letsencrypt:~# ifconfig eth0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.178.203  netmask 255.255.255.0  broadcast 192.168.178.255

Next Step is to create a forward rule in the Turris Omnia GUI:

Network->Firewall->Port Forwards -> Add

Make sure that the entry is enabled:

Now we can create the certificate:

root@letsencrypt:~# certbot certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?

-------------------------------------------------------------------------------
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
-------------------------------------------------------------------------------

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): xxx@xxx.de

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A
-------------------------------------------------------------------------------

Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: N

Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c' to cancel): sophos.moshous.de

Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for sophos.moshous.de
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/sophos.moshous.de/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/sophos.moshous.de/privkey.pem
   Your cert will expire on 2018-03-09. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Now we have a working certificate !

Now please don’t forget to disable the Forward rule again:

The certificates can be found in /etc/letsencrypt/live

/etc/letsencrypt/live
└── sophos.moshous.de
 ├── cert.pem -> ../../archive/sophos.moshous.de/cert1.pem
 ├── chain.pem -> ../../archive/sophos.moshous.de/chain1.pem
 ├── fullchain.pem -> ../../archive/sophos.moshous.de/fullchain1.pem
 └── privkey.pem -> ../../archive/sophos.moshous.de/privkey1.pem

4. Upload the certificates to the Sophos XD firewall

Copy the files cert.pem, fullchain.pem and privkey.pem to your computer and rename privkey.pem to privkey.key.

MacBook-Pro:certs moshous$ scp root@turris:/mnt/sda1/lxc/letsencrypt_artful/rootfs/etc/letsencrypt//live/sophos.moshous.de/*.pem .
cert.pem       100% 1801   923.3KB/s   00:00    
chain.pem      100% 1647   900.6KB/s   00:00    
fullchain.pem  100% 3448     1.6MB/s   00:00    
privkey.pem    100% 1704   880.9KB/s   00:00    

MacBook-Pro:certs moshous$ mv privkey.pem privkey.key

Log into the Sophos XD web interface and navigate to Certificates->Certificate Authorities

Add the Let’s Encrypt chain.pem

After the installation you should see the imported Certificate Chain:

Next navigate to the Certificates:

Add the certificate for sophos.moshous.de by selecting cert.pem and privkey.key:

You should see your certificate installed:

Next step is to select the let’s encrypt certificate for the https connections:

Press Apply and confirm the next popup:

Re-login to the Web Interface and check the certificate:

Congratulation – you successfully installed the let’s encrypt certificate in Sophos XD.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.