{"id":2485,"date":"2022-10-19T20:24:22","date_gmt":"2022-10-19T17:24:22","guid":{"rendered":"https:\/\/artem.services\/?p=2464"},"modified":"2022-10-25T16:11:24","modified_gmt":"2022-10-25T13:11:24","slug":"2485","status":"publish","type":"post","link":"https:\/\/artem.services\/?p=2485&lang=en","title":{"rendered":"Palo Alto VM-Series Firewall: Let’s Encrypt certificate"},"content":{"rendered":"

\"\"<\/p>\n

PAN-OS only allows you to generate self-signed certificates or already import existing ones. To use a Let’s Encrypt certificate, you need to request it on another device, and therefore we can only use DNS as validation.<\/p>\n

AWS Route53 is used as a DNS provider, we will use Certbot<\/a> to obtain a certificate, we also need an installed and configured awscli<\/a><\/p>\n

Certificate request<\/h4>\n

Installing the necessary software (in this example, the macOS system was used):<\/p>\n

\r\nbrew install certbot awscli\r\npip3 install certbot-dns-route53\r\n<\/pre>\n
Configure awscli:<\/p>\n
\r\nawscli configure\r\n<\/pre>\n
 <\/p>\n
Minimum permissions for DNS validation<\/p>\n
AWS IAM Policy:<\/strong><\/p>\n
\r\n{\r\n  "Version": "2012-10-17",\r\n  "Id": "certbot-dns-route53",\r\n  "Statement": [\r\n    {\r\n      "Effect": "Allow",\r\n      "Action": [\r\n        "route53:ListHostedZones",\r\n        "route53:GetChange"\r\n      ],\r\n      "Resource": [\r\n        "*"\r\n      ]\r\n    },\r\n    {\r\n      "Effect": "Allow",\r\n      "Action": [\r\n        "route53:ChangeResourceRecordSets",\r\n        "route53:ListResourceRecordSets"\r\n      ],\r\n      "Resource": [\r\n        "arn:aws:route53:::hostedzone\/YOURDOMAINZONEID"\r\n      ]\r\n    }\r\n  ]\r\n}\r\n<\/pre>\n
Where "YOURDOMAINZONEID<\/strong>" — ID your hosted zone<\/p><\/blockquote>\n
 <\/p>\n
Requesting a certificate<\/p>\n
Certbot on macOS requires root privileges<\/p><\/blockquote>\n
\r\nsudo certbot certonly \\\r\n  --register-unsafely-without-email \\\r\n  --dns-route53 \\\r\n  -d gp1.aws.artem.services\r\n<\/pre>\n
Where "gp1.aws.artem.services<\/strong>" is the domain name for the requested certificate<\/p><\/blockquote>\n
 <\/p>\n
\"\"<\/p>\n
Since we executed Certbot as root, we will copy the necessary files to the home directory and change the owner<\/p>\n
\r\nsudo cp \/etc\/letsencrypt\/live\/gp1.aws.artem.services\/{fullchain,privkey}.pem ~\/\r\nsudo chown artem:staff ~\/{fullchain,privkey}.pem\r\n<\/pre>\n
Now you can proceed to import the certificate<\/p>\n
Firewall<\/h4>\n
Management<\/strong><\/p>\n
To import a certificate, go to "Device<\/strong>" -> "Certificate Management<\/strong>" -> "Certificates<\/strong>" -> "Device Certificates<\/strong>" and click "Import<\/strong>"<\/p>\n