letsencrypt.org acme protocol - inbound ssl inspection
I'm wondering if it is possible to automate the renewal and update of certificates that are within an inbound SSL inspection ruleset. It would be nice to take advantage of letsencrypt.org for web certificates. There are some bash scripts available to use, but I don't know how to programmatically update an SSL certificate on the Check Point firewalls.
Please advise.
Versions of management prior to R80.40 do not have APIs for HTTPS Inspection policy, either.
Might be possible to script/API this with R80.40 management, but haven't tried personally.
Have you tried it already? I was also interested in this.
Hello,
Any new experience with Let's Encrypt and automatic cert replacement?
Thanks!
BR Stefan
I am not familiar with any specific plans to integrate with Let’s Encrypt.
Customers should engage with their local Check Point office with this requirement.
Employees should engage internally with Solution Center.
Were you ever successful? I tried to use LE for the VPN certificate, and the CP appliance fails because the name on the certificate contains an apostrophe (i.e., Let's Encrypt). Because of that (and CP not fixing the issue), I can't use LE for its certs.
If you need LE certificates to be supported, please raise an RFE with your local Check Point team.
See SR#6-0003485196; the initial issue was not specific to LE, but researching the problem unearthed the problem. I did request that they escalate that portion; I do not know how to see any status of that request.
Thanks.
Does this request belong to you or someone else?
From what I see, that SR is unrelated to the subject at hand.
Yes, which I said in my first reply to you, "the initial issue was not specific to LE". It was during the support discussion that we attempted other certificates, at which point the deficiency (apostrophes in certificate names) was identified.
Since it seems that you can see the conversation, can you confirm that my request to escalate is in some form of a "please fix/implement" queue? If not, what words need to be said to make that happen?
The SR above is closed. AFAIK, Let's Encrypt certificates are not supported, but if you need an official confirmation of that, please open a TAC request and ask.
If you need Check Point to support them, please open an RFE with your local Check Point representative, as I mentioned already.
Is there any API support to exchange IPsec/RAS certificates?
I only have the option via the UI; with R82 there came some new APIs, but only for HTTPS inspection, nothing for IPsec/RAS.
As for scripting, I do not know how to start; everything gets done via the CP Manager GUI.
APIs for this are present in R82...in the relevant gateway/cluster object
https://sc1.checkpoint.com/documents/latest/APIs/#cli/set-simple-gateway~v2%20
https://sc1.checkpoint.com/documents/latest/APIs/#cli/set-simple-cluster~v2%20