Difference between revisions of "Letsencrypt SSL certs on Cisco IOS Classic 2900/3900"

From W9CR
Jump to navigation Jump to search
Line 95: Line 95:
 
= IOS EEM script =  
 
= IOS EEM script =  
  
I stole this from https://github.com/techfil/ciscoautocert  
+
I stole this from https://github.com/techfil/ciscoautocert <br>
I had to modify the EEM app for classic IOS.  
+
I had to modify the EEM app for classic IOS
 +
<br>
 +
I don't like the script doesn't verify the cert is importable before blowing the old cert away, but this is a limitation of Cisco.  
  
 
<pre>
 
<pre>

Revision as of 13:46, 8 January 2026

I have a number of classic IOS 15.7 2900/3900 devices that I'm installing lets encrypt certs on.

Fucking certs, I'm a network engineer, not a cryptographer.

Certbot

I'm using power DNS and have installed the power dns plugin for this. I have a config file for the API at ~/cerbot-pnds.ini, and I'm running this on the authoritative server it self. If you're doing it on another server, you need to open up API access for remote clients. 

~/cerbot-pnds.ini

dns_powerdns_api_url = http://127.0.0.1:8081
dns_powerdns_api_key = 'SEKRETDATA'

Now you need to request a key 

This is for a RSA only key
certbot certonly --key-type rsa --rsa-key-size 4096 -m bryan@bryanfields.net --preferred-challenges=dns -d cisco.keekles.org  --authenticator dns-powerdns --dns-powerdns-credentials  ~/cerbot-pnds.ini

This will use the more secure format. ECDSA, but this doesn't work on classic IOS 15.7 on the 2900
certbot certonly -m bryan@bryanfields.net --preferred-challenges=dns -d cisco.keekles.org  --authenticator dns-powerdns --dns-powerdns-credentials  ~/cerbot-pnds.ini

Info here if you get 

CRYPTO_PKI: status = 0x71E(E_PRIVATE_KEY : private key is null or doesn't match public key): Imported PKCS12 file failure

Open SSL

Cat all the keys together 

cat /etc/letsencrypt/live/cisco.keekles.org/privkey.pem /etc/letsencrypt/live/cisco.keekles.org/fullchain.pem > /etc/letsencrypt/live/cisco.keekles.org/combined.pem

Make a P12 format file to load on the cisco 

openssl pkcs12 -export -legacy -macalg SHA1  -in /etc/letsencrypt/live/cisco.keekles.org/combined.pem -name VPNCERT -passout pass:cisco -out /etc/letsencrypt/live/cisco.keekles.org/ciscoautocert.p12

copy it to the router

scp -O -o KexAlgorithms=+diffie-hellman-group14-sha1 -o HostkeyAlgorithms=+ssh-rsa,ssh-dss /etc/letsencrypt/live/cisco.keekles.org/ciscoautocert.p12 bryan@cisco.keekles.org:/ciscoautocert.p12

import it on the router

conf t
#crypto pki import VPNCERT pkcs12 flash:/ciscoautocert.p12 password cisco
% Importing pkcs12...
Source filename [ciscoautocert.p12]?
Reading file from flash0:/ciscoautocert.p12
CRYPTO_PKI: Imported PKCS12 file successfully.

validate it

#show crypto pki certificates VPNCERT
Certificate
  Status: Available
  Certificate Serial Number (hex): 06F63C8350E38A8F228B1F53D55F9AD98503
  Certificate Usage: General Purpose
  Issuer:
    cn=R13
    o=Let's Encrypt
    c=US
  Subject:
    Name: cisco.keekles.org
    cn=cisco.keekles.org
  CRL Distribution Points:
    http://r13.c.lencr.org/4.crl
  Validity Date:
    start date: 17:01:28 UTC Jan 8 2026
    end   date: 17:01:27 UTC Apr 8 2026
  Associated Trustpoints: VPNCERT

CA Certificate
  Status: Available
  Certificate Serial Number (hex): 5A00F212D8D4B480F3924157EA298305
  Certificate Usage: Signature
  Issuer:
    cn=ISRG Root X1
    o=Internet Security Research Group
    c=US
  Subject:
    cn=R13
    o=Let's Encrypt
    c=US
  CRL Distribution Points:
    http://x1.c.lencr.org/
  Validity Date:
    start date: 00:00:00 UTC Mar 13 2024
    end   date: 23:59:59 UTC Mar 12 2027
  Associated Trustpoints: VPNCERT

IOS EEM script

I stole this from https://github.com/techfil/ciscoautocert
I had to modify the EEM app for classic IOS.
I don't like the script doesn't verify the cert is importable before blowing the old cert away, but this is a limitation of Cisco. 

event manager applet ciscoautocert
 event timer cron cron-entry "*/30 * * * *"
 action 010 syslog msg "[VPNCERT] Looking for VPNCERT.p12 in flash..."
 action 020 cli command "enable"
 action 030 cli command "dir flash:/VPNCERT.p12"
 action 040 regexp ".*File not found" "$_cli_result"
 action 050 if $_regexp_result eq "0"
 action 060  syslog msg "[VPNCERT] New Let's Encrypt certificate found! Will proceed to install it."
 action 070  cli command "config t"
 action 080  cli command "file prompt quiet"
 action 090  cli command "no crypto pki trustpoint VPNCERT"
 action 100  cli command "y"
 action 110  cli command "crypto key zeroize rsa VPNCERT"
 action 120  cli command "y"
 action 130  cli command "crypto pki import VPNCERT pkcs12 flash:/VPNCERT.p12 password cisco"
 action 140  cli command "no"
 action 150  syslog msg "[VPNCERT] Let's Encrypt certificate updated. Deleting the p12 file..."
 action 160  cli command "default file prompt"
 action 170  cli command "do delete /force flash:/VPNCERT.p12"
 action 180  syslog msg "[VPNCERT] Cleanup complete."
 action 190  cli command "end"
 action 200 else
 action 210  syslog msg "[VPNCERT] No new certificate found. Nothing to do."
 action 220 end
Retrieved from "https://wiki.w9cr.net/index.php?title=Letsencrypt_SSL_certs_on_Cisco_IOS_Classic_2900/3900&oldid=8416"