
Error Code 542 #1

Open
Sh4d0w4k6 opened this issue Mar 2, 2020 · 9 comments
Labels
documentation Improvements or additions to documentation question Further information is requested

Comments

@Sh4d0w4k6

Hello,

first, thanks for this great script!
I get error code 542. I think it means that the certificate is already in use... is there any way to upload it if it's active in a firewall rule?

Br
sh4d0w4k6

@mmccarn
Owner

mmccarn commented Mar 3, 2020

Having the cert active should not cause problems -- while developing the script I created the certificate and certificate authority manually first, then started playing with the script.

Is it possible your result is something else? "542" is not listed in the API docs as a possible result.

In the docs for Sophos Firewall OS 17.5 (the version I'm running) -

Possible results listed for 'create certificate authority':

| Operation | Status | Message |
|---|---|---|
| Add Certificate Authority | 200 | Certificate authority has been uploaded successfully |
| Add Certificate Authority | 500 | Attached certificate authority is invalid. Please choose a valid certificate authority. |
| Add Certificate Authority | 502 | Certificate authority (CA) could not be added. CA with the same name already exists, choose a different name |
| Add Certificate Authority | 503 | Certificate authority (CA) could not be uploaded. CA certificate already exists. Choose another CA |
| Add Certificate Authority | 510 | Failed to upload Certificate Authority. Invalid private key file or password |
| Add Certificate Authority | 541 | Certificate authority file may be corrupt |
| Edit Certificate Authority | 200 | Certificate authority details have been updated successfully |
| Edit Certificate Authority | 500 | Certificate authority details could not be updated |
| Edit Certificate Authority | 502 | Certificate authority (CA) could not be added. CA with the same name already exists, choose a different name |
| Edit Certificate Authority | 503 | Certificate authority (CA) could not be uploaded. CA certificate already exists. Choose another CA |
| Edit Certificate Authority | 504 | Failed to update certificate authority (CA). Since CA is used in HTTPS scanning, you must update all its parameters |
| Edit Certificate Authority | 510 | Failed to upload Certificate Authority. Invalid private key file or password |
| Edit Certificate Authority | 541 | Certificate authority file may be corrupt |

Possible results for 'create or update certificate':

| Operation | Status | Message |
|---|---|---|
| Add Certificate | 200 | Certificate has been generated successfully |
| Add Certificate | 500 | Certificate could not be generated |
| Add Certificate | 502 | Certificate could not be uploaded. Certificate already exists, choose a different certificate |
| Add Certificate | 503 | Failed to generate the certificate. Certificate with identical identification attributes already exists |
| Add Certificate | 510 | Certificate could not be uploaded due to invalid private key or passphrase. Choose a proper key |
| Add Certificate | 541 | Certificate file may be corrupted |
| Update Certificate | 200 | Certificate has been updated successfully |
| Update Certificate | 500 | Certificate could not be updated |
| Update Certificate | 503 | Failed to generate the certificate. Certificate with identical identification attributes already exists |
| Update Certificate | 510 | Certificate could not be uploaded due to invalid private key or passphrase. Choose a proper key |
| Update Certificate | 541 | Certificate file may be corrupted |

Suggestion:

  • Create a backup of your device
  • Delete any existing certs or certificate authorities related to LetsEncrypt
  • Run the script with the 'add' option
  • If you still get the error, restore the backup

@mmccarn mmccarn added the labels "documentation" and "question" on Mar 6, 2020
@mmccarn
Owner

mmccarn commented Mar 29, 2020

I'm going to close this since I haven't heard back from you.

@mmccarn mmccarn closed this as completed Mar 29, 2020
@Sh4d0w4k6
Author

Hello!
Sorry for the late response.

I still get this error; I set up my Sophos anew.
I only get this error if I want to update the certificate. If I remove it from the firewall policy, it works; otherwise I get error code 542.

@mmccarn mmccarn reopened this May 5, 2020
@mmccarn
Owner

mmccarn commented May 5, 2020

I've reopened the issue.

It appears that if there are WAF rules that use the certificate you want to update the Sophos returns the undocumented error code 542.

(I didn't create any WAF rules until after I thought I had the update procedure worked out, so I was not seeing this error.)

@mmccarn
Owner

mmccarn commented May 6, 2020

From https://community.sophos.com/products/xg-firewall/f/network-and-routing/108931/letsencrypt-how-to-in-xg -

You can simply upload the new LE certificate with another Name and replace it in WAF/Webadmin.

Or you can "update" the current LE certificate with new public.pem / privat.key. But for this method, you have to switch to a fallback certificate in WAF/Webadmin, because XG cannot update a certificate, which is currently in use.

I'm not sure how useful it is to update the certificates automatically if we still need to login to the web console to edit the WAF entries in the firewall.

@gsainsbury86

I've just implemented the script and seen the same results. I'm wondering whether we can modify the script here to:

  1. determine certs in use by WAF rules via the API.
  2. add a new cert with a unique name (maybe uuid)
  3. change the WAF rules using the old one to use the new one.

I believe this is possible but I'll look into it. If I have any luck I'll send a pull req.

@mmccarn
Owner

mmccarn commented Oct 22, 2020

I looked into this and added code to include the date in the certificate name.

So - we can create a new cert and upload it to the XG.

However, I could not find any API call that would let me change the certificate for a WAF entry, so you would still need to log in to the XG and manually change the certificate that gets used by each WAF entry.

Or, referencing your list:

  1. determine certs in use
     I don't know, but I don't see the need.

  2. add a new cert with a unique name
     We can append a date to each new cert like 'mycert-20201022'. (I suppose this might be more useful if I can figure out how to list the expiration date instead of the creation date - "mycert-exp-yyyymmdd")

  3. change the WAF rules
     My XG will not upgrade beyond 17.5. So far I have found no API call for this version that will allow me to change the certificate in use for an existing WAF entry.

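One way to derive the expiry-based name ("mycert-exp-yyyymmdd") that the comment above wishes for, as an added example that is not part of le2xg.sh or of this thread. It assumes openssl is on the PATH, and "mycert" is a placeholder base name chosen by the caller.

```shell
# Added example (not from le2xg.sh): build a certificate name that carries the
# certificate's expiry date, e.g. "mycert-exp-20200601", so each renewed cert
# can be uploaded with 'add' under a unique name instead of 'update' (which the
# XG rejects with the undocumented 542 while the cert is in use by a WAF rule).

# Parse the "notAfter=Mon DD HH:MM:SS YYYY GMT" line printed by
# `openssl x509 -noout -enddate` and emit "<base>-exp-YYYYMMDD".
# Returns 1 (and prints nothing) if the line does not look like a date.
cert_name_from_notafter() {
  base=$1
  line=$2
  printf '%s\n' "$line" | awk -v base="$base" '
    BEGIN {
      split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
      for (i = 1; i <= 12; i++) mon[m[i]] = i
    }
    {
      sub(/^notAfter=/, "")
      n = split($0, f, " ")   # single-space separator = default whitespace splitting
      if (n < 4 || !(f[1] in mon) || f[4] !~ /^[0-9][0-9][0-9][0-9]$/) exit 1
      printf "%s-exp-%04d%02d%02d\n", base, f[4], mon[f[1]], f[2]
      exit 0
    }'
}

# Convenience wrapper: read the expiry straight from a PEM certificate file.
# Assumes openssl is available; $2 is the path to the certificate.
cert_name_for_pem() {
  cert_name_from_notafter "$1" "$(openssl x509 -noout -enddate -in "$2")"
}

# cert_name_from_notafter mycert 'notAfter=Jun  1 12:00:00 2020 GMT'  -> mycert-exp-20200601
```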
@gsainsbury86

re: 3.

I asked on sophos community as I was unable to make any changes to WAF rules via the API. It appears this is a known bug, to be fixed in 18.0 MR4 so I'll have another look then.

Though it looks like if you're stuck on 17.5, you might be out of luck.

@mmccarn
Owner

mmccarn commented Oct 28, 2020

I have updated le2xg.sh to:

  • include the certificate creation date in the new cert
  • use 'add' by default (since 'update' only works if the certificate is completely unused)

This still leaves you needing to use the XG web interface to change the certificate for your WAF rules in the firewall settings.
