After the latest DST X3 certificate issue, all of my Let's Encrypt certificates are not being validated correctly on my Sophos XG. Everything is updated to the latest version.
I've tried removing the Let's Encrypt R3 certificates, re-uploading the new ones, and following all the guides available, but my issue still persists.
All my iOS devices accessing WAF sites from the outside still puke, saying the certificate expired on 29th September, even though I've reissued completely new certificates and removed everything I could find related to DST...
What on earth is going on?
I could solve it via SSH --> Advanced shell: check all certificates in the folder /conf/certificate/cacerts.
In my situation this folder contained a lot of imported CA certificates that didn't show in the web…
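An added example, not from the thread and not Sophos tooling, of the check the post above describes: a POSIX sh script that walks a certificate directory (the thread names /conf/certificate/cacerts; the path is passed as an argument) and lists each file's subject, issuer and expiry. It flags certificates that have already expired and anything whose subject or issuer is DST Root CA X3, the root that expired on 30 September 2021. The issuer check matters because there were two R3 intermediates with the same subject: the old one cross-signed by DST Root CA X3 and the current one issued by ISRG Root X1, so a listing by name alone cannot tell them apart. It needs only the openssl CLI. The sample certificates it generates in a temporary directory are constructed stand-ins (a self-signed certificate with the subject CN=DST Root CA X3 is not the real root), and the function names are assumptions of mine.

```shell
#!/bin/sh
# Added example (not from the thread, not Sophos code). Lists every X.509
# certificate in a directory and flags the ones that break a Let's Encrypt
# chain after 30 Sep 2021. Requires only the openssl CLI.
#
# Flags printed in the first column:
#   EXPIRED  notAfter is already in the past (openssl x509 -checkend 0)
#   DST      subject or issuer is "DST Root CA X3": the expired root, or the
#            old R3 intermediate cross-signed by it (same subject as the
#            current R3 issued by ISRG Root X1, different issuer)
#   ok       neither of the above

scan_cert_dir() {
  dir="$1"
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    # PEM files carry the text header; anything else is tried as DER.
    if grep -q 'BEGIN CERTIFICATE' "$f" 2>/dev/null; then
      inform=PEM
    else
      inform=DER
    fi
    subj=$(openssl x509 -in "$f" -inform "$inform" -noout -subject 2>/dev/null) || {
      printf '%-8s %s (not an X.509 certificate)\n' SKIP "$f"
      continue
    }
    issuer=$(openssl x509 -in "$f" -inform "$inform" -noout -issuer)
    enddate=$(openssl x509 -in "$f" -inform "$inform" -noout -enddate)
    flags=""
    # -checkend 0 exits non-zero when the certificate has already expired.
    openssl x509 -in "$f" -inform "$inform" -noout -checkend 0 >/dev/null 2>&1 \
      || flags="${flags}EXPIRED "
    case "$subj $issuer" in
      *"DST Root CA X3"*) flags="${flags}DST " ;;
    esac
    [ -n "$flags" ] || flags="ok"
    printf '%-8s %s\n         %s\n         %s\n         %s\n' \
      "$flags" "$f" "$subj" "$issuer" "$enddate"
  done
}

# Exit status 0 when at least one certificate in the directory is flagged.
cert_dir_has_problems() {
  scan_cert_dir "$1" | grep -Eq '^(EXPIRED|DST)'
}

# Constructed sample input: two self-signed certificates plus a DER copy.
# The "DST Root CA X3" one is a stand-in with that subject, not the real root.
make_sample_certs() {
  dir="$1"
  mkdir -p "$dir"
  keys=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=example-ok" \
    -keyout "$keys/ok.key" -out "$dir/ok.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=DST Root CA X3" \
    -keyout "$keys/dst.key" -out "$dir/dst-stand-in.pem" 2>/dev/null
  openssl x509 -in "$dir/ok.pem" -outform DER -out "$dir/ok.der"
  rm -rf "$keys"
}

# Stand-alone run against the constructed samples; on a real appliance call
# scan_cert_dir on the directory you want to inspect instead.
sample=$(mktemp -d)
make_sample_certs "$sample"
scan_cert_dir "$sample"
if cert_dir_has_problems "$sample"; then
  echo "flagged certificates found in $sample"
fi
rm -rf "$sample"
```

On the appliance you would run `scan_cert_dir /conf/certificate/cacerts` from the advanced shell and look for DST or EXPIRED in the first column; the file names it prints are the ones to compare against what the web interface lists.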
Hi, have you checked and followed this thread?
https://community.sophos.com/sophos-xg-firewall/f/discussions/130486/certificat-let-s-encrypt-untrust
Yes. No effect. I have removed the old CA certificates, added the new ones, re-uploaded my SSL certificate, but still no luck.
Can you post a screenshot of the certificate and its full chain (with chain details) without posting private details?
Is this issue only on XG? Are external hosts also reporting the certificate as invalid?
Also please post a screenshot of all your LE root certificates on your XG.
like:
Here are my screenshots. The certificate is here being served directly from my website on IIS - no problems. As soon as I come in from the outside, where it has to pass through the WAF in XG, it breaks.
The last screenshot is from my Certificate authorities in XG. The last of the R3 certificates holds the correct path.
Everything seems okay to me.
looks OK.
do you have this on your XG?
It did not come pre-installed, we uploaded it.
I have the same issue: all the necessary intermediate and root authorities are installed, yet the imported PFX Let's Encrypt certificates are marked with the red cross and the message "Certificate authority: Invalid or not installed Issuer /C=US/O=Let's Encrypt/CN=R3". This mentioned certificate is installed under Certificate authorities. Also, a WAF-protected website is reported by SSL Labs as supplying the old expired DST certificate, but that certificate is nowhere to be found (Certificate authorities) in the management interface of Sophos XG.
SFVH (SFOS 18.5.1 MR-1-Build326)
I have both the X1 and X2, pulled from Let's Encrypt's website.
So, something is going on with the current installation. I just spun up a new virtual appliance and tested the certificate chain there - it works. So I can hereby conclude that some kind of caching is probably going on in my current installation. As I'm running a virtual appliance, I'm just going to nuke it and set up a new one from scratch.
Steen Paulsen said: spun up a new virtual appliance and tested the certificate chain there - it works
That's important information. Did you test whether the issue may have been resolved by rebooting the XG VM?
Rebooted several times. Had no effect. My next resolution was to get creative with the command line to identify whether there is anything hidden from the GUI regarding the certificate. However, I'm not fluent in FreeBSD or whatever variation Sophos is using.