

LetsEncrypt Certificate untrusted on XG 18.0.4 MR4

Hi Folks

I have a problem with importing a certificate (pfx) into Sophos XG [SFVH (SFOS 18.0.4 MR-4)].

I have a LetsEncrypt certificate which covers 3 domains, including wildcards for the domains in the SAN list.
The certificate is in PFX format (private key + fullchain cert). When I import (upload) the pfx file into
the system everything works fine (green confirmation). The cert is added to the store, but "Authority" shows a red cross instead
of a green checkmark. This results in the certificate not being available for Web-Publishing rules.

If I import the same certificate (pfx) into XG 18.0.3 MR3 everything is fine and I can use it for Web-Publishing.

The LetsEncrypt certificate's trust chain is

DST Root CA X3 -> R3 -> mydomain.org

So what's the problem here? What's the difference between MR3 and MR4?
When I check the CA cert store of the MR4 system I can see that both chain members

- DST Root CA X3
- R3

exist in the store.

So this is weird.

Any idea?



  • hi,

    when you mouse over the red cross in the certificate list it displays: "Expected issuer /C=US/O=Let's Encrypt/CN=R3"

    so i searched for the active Let's Encrypt R3 intermediate certificate, replaced the cert authority and my Let's Encrypt certificate goes green again ;-)

    more detailed steps:

    1. Go to Menu section "System" -> Certificates -> Certificate authorities

    2. Filter "name" for "lets" to search for letsencrypt entries. There should be one entry. Click on the name or the edit-pencil on the right.

    3. Download https://letsencrypt.org/certs/lets-encrypt-r3.pem or read the instructions on https://letsencrypt.org/certificates/

    4. Choose the downloaded file for "Certificate *" and save the entry.

    5. Click on the tab "Certificates" and check the Authority of your Let's Encrypt certificate.

  • That's strange. I am using 5 Let's Encrypt certificates and have never had to import the R3 intermediate certificate in Sophos XG (neither v17.x nor 18.x).

    Just searched and it isn't present on my installation (XG SFOS 18.0.4 MR-4).

    SFVH (SFOS 20.0.0 GA-Build222) - Last (re)boot on November 6th  2023
    Asus H410i-plus - Pentium 6605 Gold - 250GB M.2 PCIe NVMe SSD - 8GB - 3 ports
    [If any of my posts are helpful to you please use the 'Verify Answer' link]
  • I never had the problem up to 18.0.3 MR-3. It appeared on 18.0.4 MR-4 first.

    I mean on MR-4 the R3 intermediate was there but seems to be wrong. So Gerald's workaround is to update the R3 with the right certificate from LetsEncrypt. I assume he is right and Sophos mixed something up with the new Root and Intermediate Certs from Let's Encrypt.
