Error Code 542
Hello,
first, thanks for this great script! I get the error code 542 - I think it means that the certificate is already in use... Is there any way to upload it if it's active in a firewall rule?
Br sh4d0w4k6
Having the cert active should not cause problems -- while developing the script I created the certificate and certificate authority manually first, then started playing with the script.
Is it possible your result is something else? "542" is not listed in the API docs as a possible result.
In the docs for Sophos Firewall OS 17.5 (the version I'm running) -
Possible results listed for 'create certificate authority'
Operation | Status | Message |
---|---|---|
Add Certificate Authority | 200 | Certificate authority has been uploaded successfully |
Add Certificate Authority | 500 | Attached certificate authority is invalid. Please choose a valid certificate authority. |
Add Certificate Authority | 502 | Certificate authority (CA) could not be added. CA with the same name already exists, choose a different name |
Add Certificate Authority | 503 | Certificate authority (CA) could not be uploaded. CA certificate already exists. Choose another CA |
Add Certificate Authority | 510 | Failed to upload Certificate Authority. Invalid private key file or password |
Add Certificate Authority | 541 | Certificate authority file may be corrupt |
Edit Certificate Authority | 200 | Certificate authority details have been updated successfully |
Edit Certificate Authority | 500 | Certificate authority details could not be updated |
Edit Certificate Authority | 502 | Certificate authority (CA) could not be added. CA with the same name already exists, choose a different name |
Edit Certificate Authority | 503 | Certificate authority (CA) could not be uploaded. CA certificate already exists. Choose another CA |
Edit Certificate Authority | 504 | Failed to update certificate authority (CA). Since CA is used in HTTPS scanning, you must update all its parameters |
Edit Certificate Authority | 510 | Failed to upload Certificate Authority. Invalid private key file or password |
Edit Certificate Authority | 541 | Certificate authority file may be corrupt |
Possible results for 'create or update certificate'
Operation | Status | Message |
---|---|---|
Add Certificate | 200 | Certificate has been generated successfully |
Add Certificate | 500 | Certificate could not be generated |
Add Certificate | 502 | Certificate could not be uploaded. Certificate already exists, choose a different certificate |
Add Certificate | 503 | Failed to generate the certificate. Certificate with identical identification attributes already exists |
Add Certificate | 510 | Certificate could not be uploaded due to invalid private key or passphrase. Choose a proper key |
Add Certificate | 541 | Certificate file may be corrupted |
Update Certificate | 200 | Certificate has been updated successfully |
Update Certificate | 500 | Certificate could not be updated |
Update Certificate | 503 | Failed to generate the certificate. Certificate with identical identification attributes already exists |
Update Certificate | 510 | Certificate could not be uploaded due to invalid private key or passphrase. Choose a proper key |
Update Certificate | 541 | Certificate file may be corrupted |
Suggestion:
- Create a backup of your device
- Delete any existing certs or certificate authorities related to LetsEncrypt
- Run the script with the 'add' option
- If you still get the error, restore the backup
I'm going to close this since I haven't heard back from you.
Hello! Sorry for the late response.
I still get this error; I set up my Sophos afresh. I only get this error if I want to update the certificate. If I remove it from the firewall policy, it works; otherwise I get the error code 542.
I've reopened the issue.
It appears that if there are WAF rules that use the certificate you want to update, the Sophos returns the undocumented error code 542.
(I didn't create any waf rules until after I thought I had the update procedure worked out, so I was not seeing this error).
From https://community.sophos.com/products/xg-firewall/f/network-and-routing/108931/letsencrypt-how-to-in-xg -
You can simply upload the new LE certificate with another Name and replace it in WAF/Webadmin.
Or you can "update" the current LE certificate with new public.pem / privat.key. But for this method, you have to switch to a fallback certificate in WAF/Webadmin, because XG cannot update a certificate which is currently in use.
I'm not sure how useful it is to update the certificates automatically if we still need to login to the web console to edit the WAF entries in the firewall.
I've just implemented the script and seen the same results. I'm wondering whether we can modify the script here to:
- determine certs in use by WAF rules via the API.
- add a new cert with a unique name (maybe uuid)
- change the WAF rules using the old one to use the new one.
I believe this is possible but I'll look into it. If I have any luck I'll send a pull req.
I looked into this and added code to include the date in the certificate name.
So - we can create a new cert and upload it to the XG.
However, I could not find any API call that would let me change the certificate for a WAF entry - so you would still need to login to the XG and manually change the certificate that gets used by each WAF entry.
Or, referencing your list:
- determine certs in use: I don't know, but I don't see the need.
- add a new cert with a unique name: We can append a date to each new cert like 'mycert-20201022'. (I suppose this might be more useful if I can figure out how to list the expiration date instead of the creation date - "mycert-exp-yyyymmdd")
- change the WAF rules: My XG will not upgrade beyond 17.5. So far I have found no API call for this version that will allow me to change the certificate in use for an existing WAF entry.
re: 3.
I asked on the Sophos community as I was unable to make any changes to WAF rules via the API. It appears this is a known bug, to be fixed in 18.0 MR4, so I'll have another look then.
Though it looks like if you're stuck on 17.5, you might be out of luck.
I have updated le2xg.sh to:
- include the certificate creation date in the new cert
- use 'add' by default (since 'update' only works if the certificate is completely unused)
This still leaves you needing to use the XG web interface to change the certificate for your WAF rules in the firewall settings.
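The expiry-based naming wished for earlier in the thread ("mycert-exp-yyyymmdd"), as an added POSIX shell example that is not code from le2xg.sh or from anyone in the thread: it reads notAfter from the PEM with openssl and builds the name, so each 'add' gets a distinct name that also tells you when the certificate lapses. It assumes openssl is on PATH; the base name "mycert" and the file paths are placeholders.

```shell
# Added example, not part of le2xg.sh. Assumes openssl on PATH (assumption).

# Pure-shell parser: takes a base name and the "notAfter=..." line that
# `openssl x509 -enddate` prints, and returns "<base>-exp-YYYYMMDD".
exp_name_from_notafter() {
    base=$1
    # "notAfter=Oct 22 12:00:00 2020 GMT" -> fields: Mon DD HH:MM:SS YYYY TZ
    # (openssl pads single-digit days with a space; word splitting absorbs it)
    set -- ${2#notAfter=}
    [ $# -eq 5 ] || return 1
    case $1 in
        Jan) m=01;; Feb) m=02;; Mar) m=03;; Apr) m=04;;
        May) m=05;; Jun) m=06;; Jul) m=07;; Aug) m=08;;
        Sep) m=09;; Oct) m=10;; Nov) m=11;; Dec) m=12;;
        *) return 1;;
    esac
    printf '%s-exp-%s%s%02d\n' "$base" "$4" "$m" "$2"
}

# Read the expiry from a PEM certificate (e.g. Let's Encrypt's cert.pem) and
# build the name. Returns non-zero if the file is not a parseable certificate.
cert_exp_name() {
    not_after=$(openssl x509 -in "$2" -noout -enddate) || return 1
    exp_name_from_notafter "$1" "$not_after"
}

# Stand-alone demo: name a constructed, throwaway self-signed cert by its expiry.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj '/CN=demo.example' \
        -keyout "$tmp/privkey.pem" -out "$tmp/cert.pem" 2>/dev/null
    cert_exp_name mycert "$tmp/cert.pem"
    rm -rf "$tmp"
fi
```

Run with `sh le2xg-name.sh demo` to see the name for a freshly generated certificate; in a real deployment pass the Let's Encrypt cert.pem path instead.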