PaloAltoNetworks / pan-os-ansible

Ansible collection for easy automation of Palo Alto Networks next generation firewalls and Panorama, in both physical and virtual form factors.
https://pan.dev/ansible/docs/panos
Apache License 2.0

panos_import no longer imports trusted certificates #555

Open 0byt3 opened 8 months ago

0byt3 commented 8 months ago

Describe the bug

Unable to import certificate into panorama.

Expected behavior

I should be able to import a PEM certificate into panorama and templates.

Current behavior

I receive the error "Import of letsencrypt_chain01 failed. private key doesn't exist for csr" when using paloaltonetworks.panos.panos_import.

It seems that something has changed such that importing PEM is only used for completing a certificate request now? Used to be the case that I could use this to import trusted certificates.

Possible solution

Not sure how it is to be fixed. It used to work, but no longer does.

Steps to reproduce

- name: "Import chain certificate(s) from letsencrypt"
  paloaltonetworks.panos.panos_import:
    category: "certificate"
    certificate_name: "letsencrypt_chain01"
    format: "pem"
    filename: "{{ letsencrypt_path }}/chain01.pem"
    provider: "{{ pan_provider }}"

Context

I am trying to automate the deployment of my LetsEncrypt chain certificates into Panorama.

Your Environment

PAN-OS Python Library

horiagunica commented 7 months ago

Hello @0byt3!

It should still work just fine as long as the upload that you are doing is based on a CSR issued from Panorama.

High level the steps should look like this (an example):

1. Generate CSR from Panorama:

   - name: Generate a csr
     paloaltonetworks.panos.panos_op:
       provider: '{{ panorama_provider_key }}'
       cmd: |
         <request>
           <certificate>
             <generate>
               <certificate-name>{{ mgmt_cert_name }}</certificate-name>
               <name>{{ ca_cn }}</name>
               <algorithm>
                 <RSA>
                   <rsa-nbits>2048</rsa-nbits>
                 </RSA>
               </algorithm>
               <digest>sha256</digest>
               <organization>{{ ca_org }}</organization>
               <country-code>{{ ca_country }}</country-code>
               <state>{{ ca_state }}</state>
               <locality>{{ ca_location }}</locality>
               <ca>no</ca>
               <ip>
               {% for ip in ca_ipv4_list %}
                 <member>{{ ip }}</member>
               {% endfor %}
               </ip>
               <signed-by>external</signed-by>
             </generate>
           </certificate>
         </request>
       cmd_is_xml: true

2. Download generated CSR (notice the cert name):

   - name: Download the generated CSR
     paloaltonetworks.panos.panos_export:
       provider: '{{ panorama_provider_key }}'
       category: certificate
       certificate_name: '{{ mgmt_cert_name }}'
       certificate_format: pkcs10
       filename: 'csr/{{ inventory_hostname }}.csr'

3. After you signed the CSR - upload the cert (notice the name once more):

   - name: Upload certificate
     paloaltonetworks.panos.panos_import:
       provider: '{{ panorama_provider }}'
       category: certificate
       certificate_name: "{{ mgmt_cert_name }}"
       format: pem
       filename: 'pem/{{ inventory_hostname }}.pem'
       template: '{{ ci_template_name }}'

If the certificate name doesn't match the generated CSR - Panorama/firewall will not "recognise" that certificate and will prompt you to also upload the private key for it.

horiagunica commented 7 months ago

@0byt3 did you get a chance to test/confirm the above?

Unless we receive a reply soon - we will proceed to close the issue.