Too many cooks and something has become messy with certificates on our XG and I need some help to get this sorted.
(SFOS 18.0.5 MR-5-Build586) virtual
Trying to upload a pfx-certificate generated by our certbot gives the dreaded red X. Mousing over the red X it says:
Certificate authority: Invalid or not installed
Issuer /C=US/O=Let's Encrypt/CN=R3
When I sort "Certificate Authorities" by "Type" I find the following certificates "Uploaded":
/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
I have opened a support case regarding this and they did the same as I tried... we took a backup, deleted all the above except the first one. Then downloaded and updated the first one with this:
Then we tried to reupload the certificate, but it still gave the same message.
Support imported the pfx on my computer:
Support then uploaded some ISRG root certificate under "Certificate Authorities" but this rendered ALL the uploaded certificates unusable and we had to restore backup.
Support kinda gave up - took my certificate and tested this in a "lab" - they say they were able to upload the certificate (with no red X) and they sent me a .cer-file they told me to use, but it also gives the same message.
Anyone please help?
It seems to be related to PFX. It works perfectly fine with pem + key.
We will look into this.
Additional information: I went ahead and published the (by XG) untrusted certificate with one of my rules (IIS) and the XG presents the newly created pfx certificate to clients accessing the IIS from the outside, and it's showing it as valid (in Chrome) and also the correct "valid-until" date and all seems to be working fine....
Had same issue with SFOS 18.5.2 MR-2-Build380.
I uploaded a wildcard certificate on Sophos XG from Let's Encrypt with .cer and .pem files and also uploaded Let's Encrypt R3 CA certificate but Sophos XG still reported the wildcard certificate as untrusted.
I also tried to use wildcard certificate in a WAF rule and was showing as valid to clients (wildcard cert was still reported as not trusted on Sophos XG).
I then deleted the ISRG Root X1 (root CA) and Let's Encrypt R3 (intermediate CA) from Sophos and reimported them manually copy/paste pem file (no file upload) and finally the wildcard is reported as trusted also on Sophos XG.
That is very interesting Tabuz. I'm now wondering if I can simply ignore the fact that it is not trusted on the XG and simply go ahead and apply the new Let's Encrypt certificate on all my rules...?? (this includes on-prem Exchange and many other services)
Tabuz said: I then deleted the ISRG Root X1 (root CA) and Let's Encrypt R3 (intermediate CA) from Sophos and reimported them manually copy/paste pem file (no file upload) and finally the wildcard is reported as trusted also on Sophos XG.
Ok... Thank you Tabuz - just to make this as failsafe as possible... I would proceed as follows:
1. Delete ISRG Root X1
2. Delete all Let's Encrypt (yeah - a bit of a mess this... I'm afraid)
3. Reimport from letsencrypt.org/.../ - manually copy/paste pem file (no file upload) – but which ones??
Self-signed or Cross-signed Root Certificates??
For Intermediate I would assume the one signed by ISRG Root X1….??
I only installed the self-signed certificates
Step 0: take a backup
Then delete ISRG Root X1 and all other Let's Encrypt certificates
Upload for Root: Self Signed .pem (as copy paste) and for Intermediate: Signed by ISRG X1 .pem (as copy paste)
You should have something looking like this:
Then upload your Let's Encrypt domain certificate.
The above steps are the ones that I have done to have a trusted Let's Encrypt wildcard certificate in my homelab.
If you have a production environment I suggest asking Sophos support
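The two things the thread turns on are (a) which issuer name the firewall has to find in its CA store when it validates the uploaded certificate (the mouse-over reported "Issuer /C=US/O=Let's Encrypt/CN=R3", while the store held only the older "Let's Encrypt Authority X3") and (b) the Sophos reply that PEM + key uploads cleanly where the PFX does not. The script below is an added example, not code from the thread, from Sophos, or from Let's Encrypt. It builds a constructed three-tier chain (root, intermediate, leaf, all hypothetical "Example Lab" names standing in for ISRG Root X1, R3 and a domain certificate), packages the leaf into a PFX with a constructed password, prints the leaf's issuer as the firewall would need to look it up, verifies the leaf against a store with and without the intermediate, and finally splits the PFX into separate certificate, key and chain PEM files. It assumes the `openssl` command-line tool (1.1.1 or later) and `mktemp` are available.

```shell
#!/bin/sh
# Added example (not from this thread, Sophos or Let's Encrypt): reproduce the
# "issuer not installed" check offline with a constructed chain, then split a
# PFX into the PEM + key pair that uploads cleanly. All names are hypothetical.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PFX_PASS="changeit"   # constructed password for the test PFX only

# Build the constructed chain once; later calls reuse the files.
make_chain() {
  [ -f "$WORK/leaf.pfx" ] && return 0
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  # Self-signed root (stands in for ISRG Root X1).
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/root.key" -out "$WORK/root.csr" \
    -subj "/C=XX/O=Example Lab/CN=Example Root" 2>/dev/null
  openssl x509 -req -days 30 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
  # Intermediate signed by the root (stands in for R3).
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/int.key" -out "$WORK/int.csr" \
    -subj "/C=XX/O=Example Lab/CN=Example Intermediate" 2>/dev/null
  openssl x509 -req -days 30 -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null
  # Leaf signed by the intermediate (stands in for the domain certificate).
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
    -subj "/CN=www.example.test" 2>/dev/null
  openssl x509 -req -days 30 -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -out "$WORK/leaf.pem" 2>/dev/null
  # Bundle leaf + key + intermediate into a PFX, as export tooling would.
  openssl pkcs12 -export -inkey "$WORK/leaf.key" -in "$WORK/leaf.pem" \
    -certfile "$WORK/int.pem" -passout "pass:$PFX_PASS" -out "$WORK/leaf.pfx"
  # Two candidate CA stores: root only (a store that lacks the current
  # intermediate) and root + intermediate (the repaired store).
  cp "$WORK/root.pem" "$WORK/store-root-only.pem"
  cat "$WORK/root.pem" "$WORK/int.pem" > "$WORK/store-full.pem"
}

# Print the issuer DN of the end-entity certificate inside a PFX. This is the
# name the firewall must find in its CA store; in the thread it was CN=R3.
pfx_leaf_issuer() {
  openssl pkcs12 -in "$1" -passin "pass:$PFX_PASS" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -issuer -nameopt RFC2253
}

# Verify a leaf against a CA store with nothing else supplied, which is the
# position the firewall is in at upload time. Exit status 0 means trusted.
verify_leaf() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Split a PFX into the PEM files the Sophos reply suggests uploading instead:
# certificate, private key and CA chain, written to directory $2.
pfx_to_pem() {
  mkdir -p "$2"
  openssl pkcs12 -in "$1" -passin "pass:$PFX_PASS" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -out "$2/cert.pem"
  openssl pkcs12 -in "$1" -passin "pass:$PFX_PASS" -nocerts -nodes -out "$2/key.pem" 2>/dev/null
  openssl pkcs12 -in "$1" -passin "pass:$PFX_PASS" -nokeys -cacerts -out "$2/chain.pem" 2>/dev/null
}

main() {
  make_chain
  echo "Leaf issuer in PFX: $(pfx_leaf_issuer "$WORK/leaf.pfx")"
  if verify_leaf "$WORK/store-root-only.pem" "$WORK/leaf.pem"; then
    echo "root-only store: trusted"
  else
    echo "root-only store: NOT trusted (issuer missing from store; this is the red X case)"
  fi
  if verify_leaf "$WORK/store-full.pem" "$WORK/leaf.pem"; then
    echo "root+intermediate store: trusted"
  fi
  pfx_to_pem "$WORK/leaf.pfx" "$WORK/pem"
  echo "PEM files written to $WORK/pem"
}

main
```

To apply this to a real case, point `pfx_leaf_issuer` at the PFX you are trying to upload and build the store file for `verify_leaf` from exactly the root and intermediate PEM files you have imported on the firewall: if `openssl verify` fails with "unable to get local issuer certificate", the store is missing the intermediate named in the issuer line, and no amount of re-uploading the leaf will change the result.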
I did all this, but unfortunately it still shows red X. I have restored the XG backup now.
Tabuz said: I also tried to use wildcard certificate in a WAF rule and was showing as valid to clients (wildcard cert was still reported as not trusted on Sophos XG)
Support says I should upgrade, but last time I tried to upgrade the firewall to newest firmware it ALL went haywire so I am VERY reluctant to do this. (We had to restore from a Veeam backup, and since this is a virtualized appliance we had big problems with network settings - VLAN trunking - not being restored)
Now I am thinking perhaps I can simply ignore the fact that it is not trusted on the XG and just use the certificate in my WAF rules since they seem to be working just fine??