Sophos XG - Let's Encrypt broken - Certificate authority: Invalid or not installed

After the latest DST X3 certificate issue, all of my Let's Encrypt certificates are no longer being validated correctly on my Sophos XG. Everything is updated to the latest version.

I've tried removing the Let's Encrypt R3 certificates, re-uploading the new ones, and following all available guides, but my issue still persists.

All my iOS devices accessing WAF sites from the outside still puke, saying the certificate expired on 29 September, even though I've reissued completely new certificates and removed everything I could find related to DST...

What on earth is going on?



Added TAGs
[edited by: emmosophos at 10:27 PM (GMT -7) on 12 Oct 2021]
  • We are facing the same issue on all devices with all certificates created after 1 October! Finally, the solution was to choose an Elliptic Curve key instead of RSA in our tool win-acme! After importing the PFX certificate, all untrusted certificates turn green! I am still not able to generate any RSA-key-based cert on Let's Encrypt that will work in Sophos XG or XGS! I hope that will help someone else too!

    The funny thing is that the CA chain is the same!

    Expert-Zone.Net IT Consulting
    Neuenhofer Weg 23 • D-52074 Aachen

  • Hi, I have the same issue: the certificate is not trusted in Sophos, but the SSL Labs check is OK. The web server certificate is bound, but I'm unable to add the certificate to the admin interface; other things are working. Weird :)

  • I could solve it via SSH --> Advanced shell, checking all certificates in the folder /conf/certificate/cacerts.

    In my situation this folder contained a lot of imported CA certificates that didn't show in the web interface (including the expired DST certificate, but it had the name of my website + CA). After deleting all the uploaded certificates in this folder, and after deleting/reimporting the Let's Encrypt certificates in the web interface, they are green and trusted again.

  • That sounds to me like the best workaround here. Thanks for sharing.

  • Hi, I have checked my appliance but the problem still persists. On the advanced console I didn't see the old DST certificate in /conf/certificate/cacerts; it was probably removed via the GUI, but it must be somewhere else :). The SSL Labs check still sees the old chain with the DST root. What have I missed?

  • Hi JZ, I think you have to look closely in /conf/certificate/cacerts, but it must be there somewhere, maybe under a "strange" name; perhaps also look at the file dates (ls -l). The name of the DST certificate can take many shapes or forms if you imported a PFX containing the complete chain in the past.

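As an added example (not code from this thread or from Sophos), the following POSIX shell script does the check the last few comments describe, but keyed on what each certificate actually says rather than on its filename: it walks every file in /conf/certificate/cacerts (the path named above; override with CACERT_DIR), prints subject, issuer and notAfter, and flags any file that is already expired or whose subject or issuer names DST Root CA X3. It assumes the openssl CLI is present in the appliance's advanced shell; the function names and the default directory are assumptions for this example.

```shell
#!/bin/sh
# Added example: audit a directory of CA certificates for stale DST Root CA X3
# copies, whatever the files are called. Assumes the openssl CLI is on PATH.
# Default directory is the one named in the thread; override with CACERT_DIR.
CACERT_DIR="${CACERT_DIR:-/conf/certificate/cacerts}"

# x509_of FILE ARGS...: run "openssl x509 -noout ARGS" on FILE, trying PEM
# first and falling back to DER, since imported certificates may be either.
x509_of() {
    f="$1"; shift
    openssl x509 -in "$f" -inform PEM -noout "$@" 2>/dev/null \
        || openssl x509 -in "$f" -inform DER -noout "$@" 2>/dev/null
}

# field_of FILE FLAG: the value after the first '=' of e.g. "-subject" output.
# Works for both "subject= /CN=x" (OpenSSL 1.0) and "subject=CN = x" (1.1+).
field_of() {
    x509_of "$1" "$2" | sed 's/^[^=]*= *//'
}

# classify_cert FILE: print one report line; return 0 only if the certificate
# is neither expired nor part of the DST Root CA X3 chain.
classify_cert() {
    f="$1"
    subject=$(field_of "$f" -subject)
    if [ -z "$subject" ]; then
        echo "UNREADABLE $f (not a PEM or DER certificate)"
        return 2
    fi
    issuer=$(field_of "$f" -issuer)
    not_after=$(field_of "$f" -enddate)
    status=OK
    # "-checkend 0" exits non-zero once notAfter has passed.
    x509_of "$f" -checkend 0 >/dev/null || status=EXPIRED
    # Match on the certificate's own names, not the filename: a PFX imported
    # with its full chain may have stored the DST root under the site's name.
    case "$subject|$issuer" in
        *"DST Root CA X3"*) status="$status,DST-ROOT-X3" ;;
    esac
    echo "$status $f: subject=[$subject] issuer=[$issuer] notAfter=[$not_after]"
    [ "$status" = OK ]
}

# scan_cacerts [DIR]: report every regular file; return 1 if anything is
# flagged (expired, DST chain, or unreadable) and so deserves a closer look.
scan_cacerts() {
    dir="${1:-$CACERT_DIR}"
    bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        classify_cert "$f" || bad=1
    done
    return $bad
}

# Stand-alone use on the appliance: scan the default directory.
scan_cacerts
```

Lines starting with OK need no action; EXPIRED or DST-ROOT-X3 lines are the candidates to delete from the folder before reimporting the Let's Encrypt certificates in the web interface, as the earlier comment describes. Certificates that were imported under the site's own name show up here with their real subject, which is the case the filename-based search in the GUI misses.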
