
Panos deploy-hook to update certs in Panorama Device Template #3519

Closed
StuHare opened this issue May 18, 2021 · 2 comments

Comments

@StuHare

StuHare commented May 18, 2021

I have used acme.sh and the panos deploy hook to request and import an LE certificate into the panorama.

Unfortunately this only imports it into Panorama's certificate store and not the cert store for the firewall / device template.

Is there a way to use the API/hook to deploy the cert into the device template so it can be committed to each of the managed firewalls within Panorama and added to the firewalls' SSL profile?

If not, is there a method where we can do this for each firewall, either by defining multiple hosts in panos.sh or perhaps by running multiple shell scripts (e.g. panos-fw1.sh & panos-fw2.sh, each with the individual firewall's UN/PWD/Host details)?

@github-cli

On Panorama this would require the device template to be specifiable, which with the current script is not possible (though I guess someone could edit the current script to create a new Panorama script for this!).
As for deploying this on multiple standalone firewalls... not sure, as I am trying to find out the same thing: deploy the cert with several identical (as in type) deploy-hooks, e.g. two different Palos.

@StuHare
Author

StuHare commented Jun 15, 2021

I managed to resolve this issue by referencing the template in the 'deployer ()' function.

First take a copy of the 'panos.sh' script before you make any changes.

Define a new variable at the start of the function to set the name of the template - e.g.:

```sh
template="Default template"
```

Then update the content header to include the template and the new name variable under the cert and key 'if' statements, like so:

```sh
if [ "$type" = 'cert' ]; then
  panos_url="${panos_url}?type=import"
  content="--$delim${nl}Content-Disposition: form-data; name=\"category\"\r\n\r\ncertificate"
  content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"certificate-name\"\r\n\r\n$_cdomain"
  content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"key\"\r\n\r\n$_panos_key"
  content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"format\"\r\n\r\npem"
  content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"file\"; filename=\"$(basename "$_cfullchain")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_cfullchain")"
  # New part: tells Panorama which device template receives the certificate
  content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"target-tpl\"\r\n\r\n$template"
fi
```

This worked for me, but I am connecting to the PANOS API on the Panorama and not the firewalls, although the same process should apply there too.
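To make the change above easier to check before touching a live Panorama, here is an added, self-contained example (not code from the acme.sh project or from the commenter) that builds the multipart/form-data body the PAN-OS import endpoint expects and only appends the `target-tpl` part when a template name is given. The function names, the fixed boundary string, the environment variable guarding the demo and the certificate contents are all constructed for this example; the `key` part carrying the API key is left out here so the body can be inspected without a secret in it.

```sh
#!/bin/sh
# Added example: assemble the PAN-OS import body with an optional Panorama
# device template part. Names below are constructed, not from panos.sh.

PANOS_DELIM="-----MultipartDelimiter-example"   # constructed fixed boundary

# panos_import_body NAME CERT_FILE [TEMPLATE]
# Prints the multipart body. CRLF is written as the escape sequence \r\n and
# expanded once by printf %b at the end, so $(...) cannot strip the CR/LF.
panos_import_body() {
  name="$1"; file="$2"; template="${3:-}"
  delim="$PANOS_DELIM"
  nl='\r\n'
  content="--$delim${nl}Content-Disposition: form-data; name=\"category\"${nl}${nl}certificate"
  content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"certificate-name\"${nl}${nl}$name"
  content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"format\"${nl}${nl}pem"
  content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"file\"; filename=\"$(basename "$file")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$file")"
  # Only Panorama understands target-tpl; a standalone firewall gets no such part.
  if [ -n "$template" ]; then
    content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"target-tpl\"${nl}${nl}$template"
  fi
  # Closing boundary terminates the multipart message.
  content="$content${nl}--$delim--${nl}${nl}"
  printf '%b' "$content"
}

# panos_count_parts  (reads a body on stdin)
# Counts boundary lines: one per part plus the closing boundary.
panos_count_parts() {
  grep -c -e "^--$PANOS_DELIM" || :
}

# Stand-alone demo with a constructed certificate:
#   PANOS_BODY_DEMO=1 sh this_script.sh
if [ "${PANOS_BODY_DEMO:-0}" = 1 ]; then
  demo_cert=$(mktemp)
  printf -- '-----BEGIN CERTIFICATE-----\nMIIBconstructed\n-----END CERTIFICATE-----\n' > "$demo_cert"
  panos_import_body "example.test" "$demo_cert" "Default template"
  rm -f "$demo_cert"
fi
```

Piping the output into `panos_count_parts` is a quick way to confirm that the template part really was appended (six boundary lines with a template, five without) before pointing the script at Panorama.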
