this post was submitted on 14 Oct 2023
5 points (85.7% liked)

techsupport

2507 readers
6 users here now

The Lemmy community will help you with your tech problems and questions about anything here. Do not be shy, we will try to help you.

If something works or if you find a solution to your problem let us know it will be greatly apreciated.

Rules: instance rules + stay on topic

Partnered communities:

You Should Know

Reddit

Software gore

Recommendations

founded 2 years ago
MODERATORS
 

So I have had this script I have been working on for a while, intended to automate LetsEncrypt renewals and deploy those certs to Panorama for Palo Alto endpoints.

I have had some success by brute-forcing the process. Delete pubkey and privkey, then replace. This is problematic if any of those certs are being used in objects though.

Is there an API mechanism anyone is aware of, XML or REST, that can be used to replace a cert currently being utilized in objects?

Or is the mechanism really only to deploy to a whole new entry, and switch the SSL profile to that new one? That's the only other path forward I can currently see, and it feels like extra work.

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago) (2 children)

Is the delete needed? From the ClickOps GUI perspective, when you update a cert for renewal, you import the renewed cert with the same object name and it automatically overwrites the object.
There is an API endpoint for Palos, but it's probably not as robust as the GUI. I wouldn't know, I've never used it except for monitoring tool configs.

Edit: looks like there is a REST API endpoint for cert/private key changes: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000sYecCAE&lang=en_US%E2%80%A9&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

[–] keefshape 2 points 1 year ago (1 children)

Oh shit, first set of examples for the REST docs shows importing a combined keypair! That would solve the keypair mismatch when importing one at a time.

Solid! 👊

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago)

Makes sense, you can do the same with the GUI if you import it as an encrypted .pem with the public and private key in the same file.

[–] keefshape 1 points 1 year ago

Yeah, if I don't delete the existing keys when uploading new ones, I get a keypair mismatch.

I will take a look at the REST docs, thanks!
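The approach the replies describe (re-import the renewed cert under the same object name so it overwrites in place, with the public cert and the encrypted private key in one PEM so the pair cannot mismatch) as an added example script. This is not code from the thread or from Palo Alto Networks; the XML API import form (`type=import&category=keypair&certificate-name=...&format=pem&passphrase=...` with the file in a multipart field named `file`), the `X-PAN-KEY` header, and every host, path and object name below are assumptions to check against the documentation for your PAN-OS release.

```python
"""Replace a PAN-OS / Panorama certificate object in place by re-importing a
combined cert+key PEM under the SAME certificate-name.

Added example, not from the thread or from Palo Alto Networks. Labelled
assumptions: the XML API import call
    POST https://<host>/api/?type=import&category=keypair
         &certificate-name=<name>&format=pem&passphrase=<pw>
with the PEM in a multipart field called "file", and the X-PAN-KEY header for
the API key (older releases take key=<apikey> in the query string instead).
Host, paths and object names are placeholders.
"""
import os
import subprocess
import uuid
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from typing import Optional, Tuple


def combine_pem(cert_pem: str, chain_pem: str, key_pem: str) -> str:
    """Leaf cert, then intermediates, then the (encrypted) private key in one file.
    Importing the pair together avoids the key/cert mismatch the poster hit when
    uploading them one at a time against a stale object."""
    parts = [p.strip() for p in (cert_pem, chain_pem, key_pem) if p and p.strip()]
    return "\n".join(parts) + "\n"


def encrypt_private_key(plain_key_path: str, passphrase: str) -> str:
    """certbot writes privkey.pem unencrypted; the import wants an encrypted key
    plus its passphrase. Shells out to openssl (assumed present). The passphrase
    is handed over through the environment, not argv, so it is not visible in ps."""
    env = dict(os.environ, KEY_PASS=passphrase)
    out = subprocess.run(
        ["openssl", "pkey", "-in", plain_key_path, "-aes256", "-passout", "env:KEY_PASS"],
        check=True, capture_output=True, text=True, env=env,
    )
    return out.stdout


def build_import_query(cert_name: str, passphrase: str) -> str:
    """Query string for the keypair import. Reusing cert_name is what makes the
    import overwrite the existing object instead of creating a second one, so
    SSL/TLS profiles that reference it keep working."""
    return urllib.parse.urlencode({
        "type": "import",
        "category": "keypair",
        "certificate-name": cert_name,
        "format": "pem",
        "passphrase": passphrase,
    })


def build_multipart(field: str, filename: str, content: bytes,
                    boundary: Optional[str] = None) -> Tuple[bytes, str]:
    """Hand-built multipart/form-data body so only the standard library is needed.
    Returns (body, content_type)."""
    boundary = boundary or uuid.uuid4().hex
    body = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        "Content-Type: application/x-pem-file\r\n\r\n"
    ).encode() + content + f"\r\n--{boundary}--\r\n".encode()
    return body, f"multipart/form-data; boundary={boundary}"


def parse_api_response(xml_text: str) -> Tuple[bool, str]:
    """The API answers <response status="success"|"error">...; pull out the text.
    Anything other than status="success" is treated as failure so a bad import
    is never followed by a commit."""
    root = ET.fromstring(xml_text)
    ok = root.get("status") == "success"
    msg = " ".join(t.strip() for t in root.itertext() if t.strip())
    return ok, msg


def import_keypair(host: str, api_key: str, cert_name: str, pem: str,
                   passphrase: str) -> Tuple[bool, str]:
    """Upload the combined PEM over HTTPS; the caller commits afterwards."""
    url = f"https://{host}/api/?" + build_import_query(cert_name, passphrase)
    body, ctype = build_multipart("file", f"{cert_name}.pem", pem.encode())
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": ctype, "X-PAN-KEY": api_key})
    # Default SSL context verifies the management interface's certificate.
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_api_response(resp.read().decode())


if __name__ == "__main__":
    # Placeholders: a certbot live directory and secrets supplied via environment.
    live = "/etc/letsencrypt/live/vpn.example.com"
    passphrase = os.environ["PANOS_KEY_PASS"]
    enc_key = encrypt_private_key(f"{live}/privkey.pem", passphrase)
    with open(f"{live}/cert.pem") as c, open(f"{live}/chain.pem") as ch:
        pem = combine_pem(c.read(), ch.read(), enc_key)
    ok, msg = import_keypair("panorama.example.com", os.environ["PANOS_API_KEY"],
                             "LE-vpn-example-com", pem, passphrase)
    print("import ok, now commit" if ok else f"import failed: {msg}")
```

Because the object name is unchanged, nothing referencing it (SSL/TLS service profiles, GlobalProtect portals) needs editing; the script deliberately stops before the commit so a failed import, reported by `parse_api_response`, never gets pushed.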