Step right up! Step right up!
Looking to update your Panorama Management Certificate with Let's Encrypt? Look no further!
This repository automates the renewal of the management certificate on a Palo Alto Networks Panorama device. At a high level, it:
- Adds temporary DNS TXT records to your Cloudflare domain.
- Attempts to enroll a certificate through Let's Encrypt.
- Uploads the certificate chain to the Panorama device.
- Uploads the newly issued certificate to the Panorama device.
- Commits the changes (which forces the management services to restart).
Prerequisites:
- A Cloudflare API token for your domain that allows the script to create DNS TXT records.
- An 'A' record that already points to your Panorama instance.
- An API key used by curl to upload the Let's Encrypt certificate and private key to Panorama (stored in `panrc_panxapi`).
- A base64 encoded username:password value (stored in `panrc_curl`).
- An SSL/TLS Server Profile named `Panorama-Profile` must already exist on Panorama ⚡
- The ability to run Docker on your host.
- For automated renewal (Let's Encrypt certificates are only valid for 3 months), schedule the script with a cron job. For help with cron scheduling syntax, refer to crontab.guru.
Cloudflare API token generation instructions are here.
First clone the GitHub repository:
```shell
$ git clone https://github.com/TheScriptGuy/panorama-cloudflare-mgmt-letsencrypt
...
$ cd panorama-cloudflare-mgmt-letsencrypt
$ ./setup.sh
```
Running `setup.sh` prompts you for the following information:
- Management IP address/hostname
- FQDN to be used in the Let's Encrypt Certificate
- Email address for the Let's Encrypt certificate renewal process.
- Cloudflare API Token.
- Username/password to connect to Panorama with.
After this information is entered:
- The `vars.sh` file is updated with the information provided.
- The Cloudflare API token is added to `credentials/cloudflare.ini`.
- A base64 encoded username:password pair is added to the `credentials/panrc_curl` file.
- An API key, generated from Panorama when the username:password pair was entered, is added to the `credentials/panrc_panxapi` file.
Use the `build-image.sh` script to build the container image.
Run the `run.sh` script to start the container. This will:
- Generate the certificate from Let's Encrypt by creating the appropriate TXT records in Cloudflare to validate that you own the domain.
- Upload the subordinate Certificate Authorities to Panorama.
- Upload the Let's Encrypt private key and certificate to Panorama.
- Update the `$PANORAMA_PROFILE` object to reference the newly uploaded certificate.
- Commit the changes to Panorama. At this point the Panorama management services restart, so the script reports an error from the commit API call; wait for the services to come back before connecting.
Let's Encrypt enforces rate limits and will only issue a limited number of certificates for a single hostname within a short window. If you reach the limit, you have to wait for the window to lapse before trying again.
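A cron-side guard around `run.sh`, added here as an example and not part of this repository: it only triggers a renewal when the certificate on disk is close to expiry (so a daily cron entry neither hits the per-hostname rate limit nor restarts the management services for nothing), refuses to run if the credential files are readable by other users, and polls Panorama until management comes back after the commit. The chain location, renewal window, hostname and `openssl`/`curl` availability are assumptions.

```shell
#!/bin/sh
# renew-guard.sh (added example, not part of the repository): cron-side wrapper
# that runs run.sh only when the certificate on disk is close to expiry, so a daily
# cron entry neither burns Let's Encrypt's per-hostname limit nor restarts
# Panorama's management services needlessly. Paths and hostname are assumptions.
set -eu
CERT_FILE="${CERT_FILE:-credentials/fullchain.pem}"  # assumed location of the issued chain
RENEW_DAYS="${RENEW_DAYS:-30}"                       # renew when fewer days than this remain
PANORAMA="${PANORAMA:-panorama.example.test}"        # placeholder management hostname

# 0 = renewal needed (expires within $2 days), 1 = still fine, 2 = no readable cert.
needs_renewal() {
    [ -r "$1" ] || return 2
    # openssl x509 -checkend exits 0 only if the cert is still valid past the window.
    if openssl x509 -checkend $(($2 * 86400)) -noout -in "$1" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Credential files hold an API key and a base64 user:password; insist on mode 600.
creds_ok() {
    for f in "$@"; do
        [ -f "$f" ] || return 1
        mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
        [ "$mode" = "600" ] || return 1
    done
    return 0
}

# The commit restarts management services; poll until HTTPS answers again (~5 min).
wait_for_panorama() {
    i=0
    while [ "$i" -lt 60 ]; do
        curl -sk --max-time 5 -o /dev/null "https://$PANORAMA/" && return 0
        i=$((i + 1)); sleep 5
    done
    return 1
}

main() {
    creds_ok credentials/panrc_curl credentials/panrc_panxapi credentials/cloudflare.ini \
        || { echo "credential files must exist and be mode 600" >&2; exit 1; }
    rc=0; needs_renewal "$CERT_FILE" "$RENEW_DAYS" || rc=$?
    case "$rc" in
        0) ./run.sh; wait_for_panorama || echo "management not back after 5 minutes" >&2 ;;
        1) echo "certificate valid for more than $RENEW_DAYS days, skipping" ;;
        *) echo "no readable certificate at $CERT_FILE" >&2; exit 1 ;;
    esac
}
# main runs only when invoked as renew-guard.sh; sourcing the file just loads the functions.
case "${0##*/}" in renew-guard.sh) main "$@" ;; esac
```

Save it as `renew-guard.sh` next to `run.sh` and point the cron entry at it instead of at `run.sh` directly.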