Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Lets Encrypt DST Root CA X3 Issue

Please read this article to fix Web Proxy issues that come up today with some LetsEncrypt sites:

https://support.sophos.com/support/s/article/KB-000042993?language=en_US

Delete the expired CA from the CA store on the XG.

Solved our issues.

You will find the Warning in SYSTEM log, not WebProxy (strange...)

messageid="17917" log_type="Event" log_component="HTTPS" log_subtype="System" dst_ip="xxx.xxx.xxx.xxx" message="HTTPS access is denied due to invalid server certificate. Disable "Block invalid certificates" from "Web -> General Settings -> HTTPS Decryption and Scanning" to access HTTPS site '">https://xxx.xxx.xxx/'" user_agent="Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0" status_code="403" sentbytes="0"

Would'nt this be something for proactive Hotfix installation by Sophos?



This thread was automatically locked due to age.
Parents
  • Hotfixes are not easy nor quick to develop as they require many Q&A processes to be involved. Also HF will mess up build numbers and backup/restore process etc.  Therefore this is not a good solution for such a change. 

    You could remove this CA by using Central Management. Simply remove the DST CA in your group and the Change will be pushed to all firewalls. 

    __________________________________________________________________________________________________________________

Reply
  • Hotfixes are not easy nor quick to develop as they require many Q&A processes to be involved. Also HF will mess up build numbers and backup/restore process etc.  Therefore this is not a good solution for such a change. 

    You could remove this CA by using Central Management. Simply remove the DST CA in your group and the Change will be pushed to all firewalls. 

    __________________________________________________________________________________________________________________

Children
No Data