This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos XG - Lets Encrypt broken - Certificate authority: Invalid or not installed

After the latest DST X3 certificate issue. All of my Let's encrypt certificats is not being validated correctly on my Sophos XG. Everything updated to latest version.

I've tried to remove the Let's Encrypt R3 certificates. Re-upload the new ones. Followed all guides available. But still my issue persists.

All my iOS devices accessing WAF sites from the outside, still pukes saying the certificate is expired on 29th september. Even though I've reissued completely new certificates and removed everything i could finde delated to DST...

What on earth is going on?



This thread was automatically locked due to age.
Parents
  • So, something is going on with the current installation. I just spun up a new virtual appliance and tested the certificate chain there - it works. So I can hereby conclude that some kind of caching is probably going on in my current installation. As I'm running a virtual appliance, I'm just going to nuke it and set up a new one from scratch.

  • spun up a new virtual appliance and tested the certificate chain there - it works

    that's an important information. did you test if the issue may have been resolved by rebooting the XG VM?

  • Rebooted several times. Had no effect. 
    my next resolution was to go creative with the command line to identify if there is anything hidden from the GUI regarding the certificate. However I’m not fluent in FreeBSD or what ever variation Sophos is using. 

  • I had exactly the same behavior on my XG125. The behavior only occured when the certificate is created as pfx from Windows. If the certificate is created under Linux with Certbot, the certificate is still not trusted during import, but the expired branch is not delivered by the XG and the clients can access the servers through WAF.

Reply
  • I had exactly the same behavior on my XG125. The behavior only occured when the certificate is created as pfx from Windows. If the certificate is created under Linux with Certbot, the certificate is still not trusted during import, but the expired branch is not delivered by the XG and the clients can access the servers through WAF.

Children