Letsencrypt SSL certs on Cisco IOS Classic 2900/3900

From W9CR
Revision as of 13:05, 8 January 2026 by Bryan

I have a number of classic IOS 15.7 2900/3900 devices that I'm installing Let's Encrypt certs on.

Fucking certs, I'm a network engineer, not a cryptographer.

Certbot

I'm using PowerDNS and have installed the PowerDNS plugin for this. I have a config file for the API at ~/cerbot-pnds.ini, and I'm running this on the authoritative server itself. If you're doing it on another server, you need to open up API access for remote clients.

~/cerbot-pnds.ini
dns_powerdns_api_url = http://127.0.0.1:8081
dns_powerdns_api_key = 'SEKRETDATA'

Now you need to request the certificate.

This is for an RSA-only key:
certbot certonly --key-type rsa --rsa-key-size 4096 -m bryan@bryanfields.net --preferred-challenges=dns -d cisco.keekles.org  --authenticator dns-powerdns --dns-powerdns-credentials  ~/cerbot-pnds.ini

This uses certbot's default key type, ECDSA, which is the more secure format, but it doesn't work on classic IOS 15.7 on the 2900:
certbot certonly -m bryan@bryanfields.net --preferred-challenges=dns -d cisco.keekles.org  --authenticator dns-powerdns --dns-powerdns-credentials  ~/cerbot-pnds.ini

Info here if you get:

CRYPTO_PKI: status = 0x71E(E_PRIVATE_KEY : private key is null or doesn't match public key): Imported PKCS12 file failure

OpenSSL

Cat the private key and the full chain together:

cat /etc/letsencrypt/live/cisco.keekles.org/privkey.pem /etc/letsencrypt/live/cisco.keekles.org/fullchain.pem > /etc/letsencrypt/live/cisco.keekles.org/combined.pem

Make a PKCS#12 file to load on the Cisco:

openssl pkcs12 -export -legacy -macalg SHA1  -in /etc/letsencrypt/live/cisco.keekles.org/combined.pem -name VPNCERT -passout pass:cisco -out /etc/letsencrypt/live/cisco.keekles.org/ciscoautocert.p12
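As an added example (not the page's or its author's own script), a small POSIX sh wrapper around the two OpenSSL steps above that runs the checks a practitioner wants before touching the router: it refuses an ECDSA key, confirms the private key actually belongs to the certificate (the mismatch IOS reports as E_PRIVATE_KEY on import), and only passes -legacy where the installed OpenSSL understands it. It assumes the openssl CLI is on PATH; the function names are hypothetical.

```shell
#!/bin/sh
# Pre-flight wrapper for the classic-IOS PKCS#12 build (added example,
# not the page's own script). Assumes the openssl CLI is on PATH.

# Classic IOS 15.7 on the 2900 only imports RSA keys: refuse ECDSA up front.
key_is_rsa() {
    openssl rsa -in "$1" -noout >/dev/null 2>&1
}

# The public key derived from the private key must equal the one in the
# leaf cert (first cert in fullchain.pem); a mismatch is what IOS reports
# as E_PRIVATE_KEY when importing the PKCS#12.
key_matches_cert() {
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# -legacy exists only in OpenSSL 3.x (1.1.x already defaults to the old
# RC2/3DES algorithms), so only pass it where the binary understands it.
legacy_flags() {
    case "$(openssl version)" in
        "OpenSSL 3."*) echo "-legacy -macalg SHA1" ;;
        *)             echo "-macalg SHA1" ;;
    esac
}

# build_ios_p12 PRIVKEY FULLCHAIN FRIENDLY_NAME PASSWORD OUTFILE
build_ios_p12() {
    key_is_rsa "$1" || { echo "refusing: $1 is not an RSA key" >&2; return 1; }
    key_matches_cert "$1" "$2" || { echo "refusing: $1 does not match $2" >&2; return 1; }
    combined=$(mktemp)
    cat "$1" "$2" > "$combined"
    # $(legacy_flags) is deliberately unquoted so the flags word-split.
    openssl pkcs12 -export $(legacy_flags) -in "$combined" -name "$3" \
        -passout "pass:$4" -out "$5"
    rc=$?
    rm -f "$combined"
    return $rc
}

# Same invocation as the page's two openssl commands, with the checks first:
#   build_ios_p12 /etc/letsencrypt/live/cisco.keekles.org/privkey.pem \
#       /etc/letsencrypt/live/cisco.keekles.org/fullchain.pem VPNCERT cisco \
#       /etc/letsencrypt/live/cisco.keekles.org/ciscoautocert.p12
if [ $# -ge 5 ]; then build_ios_p12 "$@"; fi
```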

Copy it to the router:

scp -O -o KexAlgorithms=+diffie-hellman-group14-sha1 -o HostkeyAlgorithms=+ssh-rsa,ssh-dss /etc/letsencrypt/live/cisco.keekles.org/ciscoautocert.p12 bryan@cisco.keekles.org:/ciscoautocert.p12

Import it on the router:

conf t
#crypto pki import VPNCERT pkcs12 flash:/ciscoautocert.p12 password cisco
% Importing pkcs12...
Source filename [ciscoautocert.p12]?
Reading file from flash0:/ciscoautocert.p12
CRYPTO_PKI: Imported PKCS12 file successfully.

Validate it:

#show crypto pki certificates VPNCERT
Certificate
  Status: Available
  Certificate Serial Number (hex): 06F63C8350E38A8F228B1F53D55F9AD98503
  Certificate Usage: General Purpose
  Issuer:
    cn=R13
    o=Let's Encrypt
    c=US
  Subject:
    Name: cisco.keekles.org
    cn=cisco.keekles.org
  CRL Distribution Points:
    http://r13.c.lencr.org/4.crl
  Validity Date:
    start date: 17:01:28 UTC Jan 8 2026
    end   date: 17:01:27 UTC Apr 8 2026
  Associated Trustpoints: VPNCERT

CA Certificate
  Status: Available
  Certificate Serial Number (hex): 5A00F212D8D4B480F3924157EA298305
  Certificate Usage: Signature
  Issuer:
    cn=ISRG Root X1
    o=Internet Security Research Group
    c=US
  Subject:
    cn=R13
    o=Let's Encrypt
    c=US
  CRL Distribution Points:
    http://x1.c.lencr.org/
  Validity Date:
    start date: 00:00:00 UTC Mar 13 2024
    end   date: 23:59:59 UTC Mar 12 2027
  Associated Trustpoints: VPNCERT