Let's encrypt certificate woes - "Certificate authority: Invalid or not installed"

Too many cooks and something has become messy with certificates on our XG and I need some help to get this sorted.

(SFOS 18.0.5 MR-5-Build586) virtual

Trying to upload a PFX certificate generated by our certbot gives the dreaded red X. Mousing over the red X it says:

Certificate authority: Invalid or not installed
Issuer /C=US/O=Let's Encrypt/CN=R3

When I sort "Certificate Authorities" by "Type" I find the following certificates listed as "Uploaded":

Name               | Subject                                             | Valid from | Valid until | Type
lets-encrypt-r3    | /C=US/O=Let's Encrypt/CN=R3                         | 2020-09-04 | 2025-09-15  | Uploaded
admin7_CA_60F4B3F1 | /C=US/O=Let's Encrypt/CN=R3                         | 2020-09-04 | 2025-09-15  | Uploaded
admin_CA_6075D377  | /C=US/O=Let's Encrypt/CN=R3                         | 2020-10-07 | 2021-09-29  | Uploaded
LetsEncrypt        | /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 | 2016-10-06 | 2021-10-06  | Uploaded

I have opened a support case regarding this and they did the same as I tried... we took a backup, deleted all the above except the first one. Then downloaded and updated the first one with this:

https://letsencrypt.org/certs/lets-encrypt-r3.pem

Then we tried to reupload the certificate, but it still gave the same message.

Support imported the pfx on my computer:

Support then uploaded some ISRG root certificate under "Certificate Authorities" but this rendered ALL the uploaded certificates unusable and we had to restore backup.

Support kinda gave up - took my certificate and tested this in a "lab" - they say they were able to upload the certificate (with no red X) and they sent me a .cer file they told me to use, but it also gives the same message.

Anyone please help?



Added TAGs
[edited by: emmosophos at 6:44 PM (GMT -8) on 6 Jan 2022]
  • It seems to be related to PFX. It works perfectly fine with pem + key. 

    We will look into this. 

  • Additional information: I went ahead and published the (by XG) untrusted certificate with one of my rules (IIS) and the XG presents the newly created PFX certificate to clients accessing the IIS from the outside and it's showing it as valid (in Chrome) and also the correct "valid-until" date and all seems to be working fine...

  • Had same issue with SFOS 18.5.2 MR-2-Build380.
    I uploaded a wildcard certificate on Sophos XG from Let's Encrypt with .cer and .pem files and also uploaded the Let's Encrypt R3 CA certificate, but Sophos XG still reported the wildcard certificate as untrusted.
    I also tried to use the wildcard certificate in a WAF rule and it was showing as valid to clients (the wildcard cert was still reported as not trusted on Sophos XG).

    I then deleted the ISRG Root X1 (root CA) and Let's Encrypt R3 (intermediate CA) from Sophos and reimported them manually by copy/pasting the PEM file (no file upload), and finally the wildcard is reported as trusted also on Sophos XG.

  • That is very interesting Tabuz. I'm now wondering if I can simply ignore the fact that it is not trusted on the XG and simply go ahead and apply the new Let's Encrypt certificate on all my rules...?? (this includes on-prem Exchange and many other services)

  • I then deleted the ISRG Root X1 (root CA) and Let's Encrypt R3 (intermediate CA) from Sophos and reimported them manually by copy/pasting the PEM file (no file upload), and finally the wildcard is reported as trusted also on Sophos XG.

    Ok... Thank you Tabuz - just to make this as failsafe as possible... I would proceed as follows:

    1. Delete ISRG Root X1

    2. Delete all Let's Encrypt (yeah - a bit of a mess this... I'm afraid)

    3. Reimport from letsencrypt.org/.../ - manually copy/paste the PEM file (no file upload) - but which ones??

    Self-signed or cross-signed root certificates??

    And also:

    For the intermediate I would assume the one signed by ISRG Root X1...??

  • I only installed the self-signed certificates

    SFVH (SFOS 19.0.0 GA-Build317) - Last (re)boot on April 21 2022
    Asus H410i-plus - Pentium 6605 Gold - 128GB M.2 PCIe NVMe SSD - 8GB - 3 ports
  • Step 0: take a backup.
    Then delete ISRG Root X1 and all other Let's Encrypt certificates.
    Upload for root: the self-signed .pem (as copy/paste), and for intermediate: the one signed by ISRG X1, .pem as copy/paste.
    You should have something looking like this:

    Then upload your Let's Encrypt domain certificate.

    The above steps are the ones that I have done to have a trusted Let's Encrypt wildcard certificate in my homelab.

    If you have a production environment I suggest asking Sophos support.
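An added worked example (not code from this thread, and not from Sophos) that ties together the original question (a PFX rejected with "Certificate authority: Invalid or not installed" while several R3 entries sit in the CA list), the support attempt of uploading a root certificate on its own, and the root/intermediate pairing the steps above describe. The firewall's check on upload is, in effect, an `openssl verify`: the issuer named in the leaf must resolve to an installed CA certificate whose key verifies the leaf's signature. A CA entry with the right CN but a different certificate does not satisfy it; an expired intermediate does not either (of the two R3 entries in the question, the one that ended on 2021-09-29 is the copy cross-signed by DST Root CA X3); and a root alone does not, because a Let's Encrypt leaf is signed by the intermediate, not the root. The script builds a throwaway hierarchy with the openssl CLI so it runs offline; it assumes only that `openssl` (1.1.1 or 3.x) is on PATH, and every name in it (Example Root X1, Example Intermediate R3, www.example.test) is constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from this thread or from Sophos. Builds a throwaway
# root -> intermediate -> leaf hierarchy with the openssl CLI, packs the leaf
# into a PFX the way a certbot export does, and then runs the checks that
# decide whether a CA store can chain the leaf. Assumes only that `openssl`
# (1.1.1 or 3.x) is on PATH; every name (Example Root X1, Example Intermediate
# R3, www.example.test) is constructed for the demo.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Key + CSR helper: $1 = file basename, $2 = subject
csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "$2" 2>/dev/null
}

make_chain() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > root.ext
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:www.example.test\nauthorityKeyIdentifier=keyid\n' > leaf.ext

    # Self-signed root (plays the role of ISRG Root X1)
    csr root "/C=XX/O=Example/CN=Example Root X1"
    openssl x509 -req -in root.csr -signkey root.key -days 3650 \
        -extfile root.ext -out root.pem 2>/dev/null
    # Intermediate signed by that root (plays the role of R3)
    csr int "/C=XX/O=Example/CN=Example Intermediate R3"
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 1825 -extfile ca.ext -out int.pem 2>/dev/null
    # Domain certificate signed by the intermediate, not by the root
    csr leaf "/CN=www.example.test"
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
        -days 90 -extfile leaf.ext -out leaf.pem 2>/dev/null
    # A look-alike: same subject name as the real intermediate, different key.
    # Matching CA entries by name would accept it; signature checks will not.
    csr other "/C=XX/O=Example/CN=Example Intermediate R3"
    openssl x509 -req -in other.csr -signkey other.key -days 1825 \
        -extfile root.ext -out other_int.pem 2>/dev/null
    # PFX as exported for upload: leaf + private key + the issuing intermediate
    openssl pkcs12 -export -inkey leaf.key -in leaf.pem -certfile int.pem \
        -passout pass:changeit -out site.pfx
}

# How many certificates does the PFX carry (leaf plus bundled CA certs)?
pfx_cert_count() {
    openssl pkcs12 -in site.pfx -passin pass:changeit -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# Subject of the CA certificate bundled in the PFX: this exact certificate,
# not just something with the same CN, is what the CA store must hold.
pfx_ca_subject() {
    openssl pkcs12 -in site.pfx -passin pass:changeit -nokeys -cacerts 2>/dev/null \
        | openssl x509 -noout -subject | sed 's/^subject=//'
}

# Issuer named in the leaf; must equal pfx_ca_subject for the chain to close.
leaf_issuer() {
    openssl x509 -in leaf.pem -noout -issuer | sed 's/^issuer=//'
}

# The check a CA store performs on upload, reduced to openssl verify:
# $1 = trusted root PEM, $2 = certificate to test, $3 = optional intermediate PEM.
# Prints "trusted" or "untrusted".
verify_cert() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1 \
            && echo trusted || echo untrusted
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 \
            && echo trusted || echo untrusted
    fi
}

# The identifiers behind the pairing: the intermediate's Authority Key
# Identifier must equal the Subject Key Identifier of the root that signed it.
show_linkage() {
    echo "root SKI:";         openssl x509 -in root.pem -noout -ext subjectKeyIdentifier
    echo "intermediate AKI:"; openssl x509 -in int.pem  -noout -ext authorityKeyIdentifier
}

make_chain
echo "certificates in PFX:           $(pfx_cert_count)"
echo "leaf issuer:                   $(leaf_issuer)"
echo "CA bundled in PFX:             $(pfx_ca_subject)"
echo "leaf with root + real R3:      $(verify_cert root.pem leaf.pem int.pem)"
echo "leaf with root only:           $(verify_cert root.pem leaf.pem)"
echo "leaf with root + look-alike:   $(verify_cert root.pem leaf.pem other_int.pem)"
echo "real R3 against root:          $(verify_cert root.pem int.pem)"
echo "look-alike R3 against root:    $(verify_cert root.pem other_int.pem)"
show_linkage
```

Against a real export, the same two checks apply before anything is uploaded: the subject printed by `pfx_ca_subject` must match `leaf_issuer`, and the intermediate pasted into Certificate Authorities must be that same certificate (or the copy from letsencrypt.org whose validity period matches it), confirmed with `openssl verify -CAfile <root> <intermediate>` against the root you intend to keep. The "root only" and "look-alike" rows reproduce the two ways an upload ends up as "Invalid or not installed" even though names in the CA list look right.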

  • I did all this, but unfortunately it still shows red X. I have restored the XG backup now.

  • I also tried to use the wildcard certificate in a WAF rule and it was showing as valid to clients (the wildcard cert was still reported as not trusted on Sophos XG).

    Support says I should upgrade, but last time I tried to upgrade the firewall to the newest firmware it ALL went haywire so I am VERY reluctant to do this. (We had to restore from a Veeam backup, and since this is a virtualized appliance we had big problems with network settings - VLAN trunking - not being restored.)

    Now I am thinking perhaps I can simply ignore the fact that it is not trusted on the XG and just use the certificate in my WAF rules since they seem to be working just fine??