Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 15 replies
  • Answers 2 answers
  • Subscribers 42 subscribers
  • Views 9019 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Let's encrypt certificate woes - "Certificate authority: Invalid or not installed"

h3ctic

Too many cooks and something has become messy with certificates on our XG and I need some help to get this sorted.

(SFOS 18.0.5 MR-5-Build586) virtual

Trying to upload a pfx-certificate generated by our certbot gives the dreaded red X. Mousing over the red X it says: 

Certificate authority: Invalid or not installed
Issuer /C=US/O=Let's Encrypt/CN=R3

When I sort "Certificate Authorities" on "Type" I find the following certificates "Uploaded":
Name
Subject
Valid from
Valid until
Type
Manage
lets-encrypt-r3
 
/C=US/O=Let's Encrypt/CN=R3
2020-09-04
2025-09-15
Uploaded
admin7_CA_60F4B3F1
 
/C=US/O=Let's Encrypt/CN=R3
2020-09-04
2025-09-15
Uploaded
admin_CA_6075D377
 
/C=US/O=Let's Encrypt/CN=R3
2020-10-07
2021-09-29
Uploaded
LetsEncrypt
 
/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
2016-10-06
2021-10-06
Uploaded

I have opened a support-case regarding this and they did the same as I tried....we took a backup, deleted all the above except the first one. Then downloaded and updated the first one with this:

https://letsencrypt.org/certs/lets-encrypt-r3.pem

Then we tried to reupload the certificate, but it still gave the same message.

Support imported the pfx on my computer:

Support then uploaded some ISRG root certificate under "Certificate Authorities" but this rendered ALL the uploaded certificates unusable and we had to restore backup.

Support kinda gave up - took my certificate and tested this in a "lab" - they say they were able to upload the certificate (with no red X) and they sent me a .cer-file they told me to use, but it also gives the same message.

Anyone please help?



This thread was automatically locked due to age.
Parents
  • 0

    It seems to be related to PFX. It works perfectly fine with pem + key. 

    We will look into this. 

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    Additional information: I went ahead and published the (by XG) untrusted certificate with one of my rules (IIS) and the XG presents the newly created pfx certificate to clients accessing the IIS from the outside and its showing it as valid (in chrome) and also the correct "valid-until-date" and all seems to be working fine....

Reply
  • 0 in reply to LuCar Toni

    Additional information: I went ahead and published the (by XG) untrusted certificate with one of my rules (IIS) and the XG presents the newly created pfx certificate to clients accessing the IIS from the outside and its showing it as valid (in chrome) and also the correct "valid-until-date" and all seems to be working fine....

Children
  • 0 in reply to h3ctic

    Had same issue with SFOS 18.5.2 MR-2-Build380
    I uploaded a wildcard certificate on Sophos XG from Let's Encrypt with .cer and .pem files and also uploaded Let’s Encrypt R3 CA certificate but Sophos XG still reported the wildcard certificate as untrusted
    I also tried to use wildcard certificate in a WAF rule and was showing as valid to clients(wildcard cert was still reported as not trusted on Sophos XG)

    I then deleted the ISRG Root X1 (root CA) and Let’s Encrypt R3 (intermediate CA) from Sophos and reimported them manually copy/paste pem file(no file upload) and finally the wildcard is reported as trusted also on Sophos XG.

  • 0 in reply to Tabuz

    That is very interesting Tabuz. Im now wondering if I can simply ignore the fact that it is not trusted on the XG and simply go ahead and apply the new Let's Encrypt certificate on all my rules...?? (this includes on-prem Exchange and many other services)

  • 0 in reply to Tabuz
    Tabuz said:
    I then deleted the ISRG Root X1 (root CA) and Let’s Encrypt R3 (intermediate CA) from Sophos and reimported them manually copy/paste pem file(no file upload) and finally the wildcard is reported as trusted also on Sophos XG.

    Ok...Thank you Tabuz - just to make this as failsafe as possible...I would proceed as follows:

    1. Delete ISRG Root X1


    2. Delete all Let’s Encrypt (yeah - a bit of a mess this ...Im afraid)



    3. Reimport from letsencrypt.org/.../ - manually copy/paste pem file(no file upload) – but which ones??


    Self-signed or Cross-signed Root Certificates??


    And also:


    For Intermediate I would assume the one signed by ISRG Root X1….??

  • 0 in reply to h3ctic

    I only installed the selfsigned certificates

     
    SFVH (SFOS 20.0.0 GA-Build222) - Last (re)boot on November 6th  2023
    Asus H410i-plus - Pentium 6605 Gold - 250GB M.2 PCIe NVMe SSD - 8GB - 3 ports
    [If any of my posts are helpful to you please use the 'Verify Answer' link]
  • 0 in reply to h3ctic

    Step 0: take a backup
    Then Delete ISRG Root X1 and all other Let's encrypt certificate
    Upload for Root: Self Signed .pem (as copy paste) and for Intermediate Signed by ISRG X1 . pem as copy paste
    You should have something looking as this:

    Then upload your Let's Encrypt domain certificate.

    The above steps are the one that I have done to have a Truested Let's encrypt wildcard certificate in my homelab.

    If you have a production environment I suggest to ask support to Sophos

  • 0 in reply to Tabuz

    I did all this, but unfortunately it still shows red X. I have restored the XG backup now.

  • 0 in reply to Tabuz
    Tabuz said:
    I also tried to use wildcard certificate in a WAF rule and was showing as valid to clients(wildcard cert was still reported as not trusted on Sophos XG)

    Support says I should upgrade, but last time I tried to upgrade the firewall to newest firmware it ALL went haywire so I am VERY reluctant to do this. (We had to restore from a Veeam backup, and since this is a virtualized appliance we had big problems with network-settings - vlan truncing - not being restored)

    Now I am thinking perhaps I can simply ignore the fact that it is not trusted on the XG and just use the certificate in my WAF rules since they seems to be working just fine??

Unfiltered HTML