
Let's encrypt certificate woes - "Certificate authority: Invalid or not installed"

Too many cooks and something has become messy with certificates on our XG and I need some help to get this sorted.

(SFOS 18.0.5 MR-5-Build586) virtual

Trying to upload a pfx-certificate generated by our certbot gives the dreaded red X. Mousing over the red X it says: 

Certificate authority: Invalid or not installed
Issuer /C=US/O=Let's Encrypt/CN=R3

When I sort "Certificate Authorities" on "Type" I find the following certificates "Uploaded":

Name                 Subject                                                Valid from   Valid until  Type
lets-encrypt-r3      /C=US/O=Let's Encrypt/CN=R3                            2020-09-04   2025-09-15   Uploaded
admin7_CA_60F4B3F1   /C=US/O=Let's Encrypt/CN=R3                            2020-09-04   2025-09-15   Uploaded
admin_CA_6075D377    /C=US/O=Let's Encrypt/CN=R3                            2020-10-07   2021-09-29   Uploaded
LetsEncrypt          /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3    2016-10-06   2021-10-06   Uploaded

I have opened a support case regarding this and they did the same as I tried... we took a backup and deleted all of the above except the first one. Then we downloaded and updated the first one with this:

https://letsencrypt.org/certs/lets-encrypt-r3.pem

Then we tried to reupload the certificate, but it still gave the same message.

Support imported the pfx on my computer:

Support then uploaded some ISRG root certificate under "Certificate Authorities", but this rendered ALL the uploaded certificates unusable and we had to restore the backup.

Support kinda gave up - they took my certificate and tested it in a "lab" - they say they were able to upload the certificate (with no red X) and they sent me a .cer file they told me to use, but it also gives the same message.

Anyone please help?

  • It seems to be related to PFX. It works perfectly fine with pem + key. 

    We will look into this. 


  • Additional information: I went ahead and published the (by XG) untrusted certificate with one of my rules (IIS). The XG presents the newly created pfx certificate to clients accessing the IIS from the outside and shows it as valid (in Chrome), with the correct "valid until" date, and all seems to be working fine...

  • Had the same issue with SFOS 18.5.2 MR-2-Build380.
    I uploaded a wildcard certificate on Sophos XG from Let's Encrypt with .cer and .pem files and also uploaded the Let's Encrypt R3 CA certificate, but Sophos XG still reported the wildcard certificate as untrusted.
    I also tried to use the wildcard certificate in a WAF rule and it was showing as valid to clients (the wildcard cert was still reported as not trusted on Sophos XG).

    I then deleted the ISRG Root X1 (root CA) and Let's Encrypt R3 (intermediate CA) from Sophos and reimported them manually by copy/pasting the pem file (no file upload), and finally the wildcard is reported as trusted also on Sophos XG.

  • That is very interesting Tabuz. I'm now wondering if I can simply ignore the fact that it is not trusted on the XG and simply go ahead and apply the new Let's Encrypt certificate on all my rules...?? (this includes on-prem Exchange and many other services)
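As an added example (not from the thread, Sophos or certbot): the red X comes down to whether the leaf's issuer DN matches the subject of a CA the firewall actually holds, and the thread shows that a PFX and a pem + key upload can behave differently. The POSIX shell script below, using only openssl, reports for a PFX the leaf issuer in the same oneline form the XG displays, whether the PFX bundles that issuer, and whether the chain verifies against a given CA bundle. It constructs a throwaway root / intermediate / leaf ("Demo Root X1", "Demo R3", "mail.example.test", password "changeit" are all made up, standing in for ISRG Root X1 / R3 / your server certificate) so it runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): what does a PFX carry, and does its leaf chain to a CA
# the firewall holds?  The XG shows the leaf issuer as a oneline DN (/C=US/O=Let's Encrypt/CN=R3).
set -eu
WORK=$(mktemp -d); PW=changeit   # constructed: scratch dir and PFX password are assumptions
make_pki() {  # constructed root -> intermediate -> leaf, standing in for ISRG Root X1 -> R3 -> server
  cd "$WORK"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  openssl req -new -newkey rsa:2048 -nodes -subj "/C=XX/O=Demo/CN=Demo Root X1" \
    -keyout root.key -out root.csr 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext -out root.pem 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/C=XX/O=Demo/CN=Demo R3" \
    -keyout int.key -out int.csr 2>/dev/null
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial -days 2 \
    -extfile ca.ext -out int.pem 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
    -keyout leaf.key -out leaf.csr 2>/dev/null
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial -days 1 \
    -out leaf.pem 2>/dev/null
  # certbot-style export: leaf + key + intermediate in one PFX
  openssl pkcs12 -export -inkey leaf.key -in leaf.pem -certfile int.pem -passout pass:$PW -out full.pfx
  # leaf-only PFX: the firewall must then find the issuer in its own CA list
  openssl pkcs12 -export -inkey leaf.key -in leaf.pem -passout pass:$PW -out leafonly.pfx
}
# Issuer DN of the end-entity cert, in the same /C=.../O=.../CN=... form the XG displays.
pfx_leaf_issuer() {
  openssl pkcs12 -in "$1" -passin pass:$PW -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -issuer -nameopt compat | sed 's/^issuer= *//'
}
# Exit 0 when the PFX bundles a CA whose subject equals the leaf issuer (checks the first bundled CA).
pfx_bundles_issuer() {
  want=$(pfx_leaf_issuer "$1")
  openssl pkcs12 -in "$1" -passin pass:$PW -nokeys -cacerts 2>/dev/null \
    | openssl x509 -noout -subject -nameopt compat 2>/dev/null \
    | sed 's/^subject= *//' | grep -qxF -- "$want"
}
# Exit 0 when the leaf verifies against trusted bundle $2, with the PFX's own CAs as untrusted
# intermediates; this mirrors the decision the firewall makes against its uploaded CA list.
pfx_verifies_against() {
  openssl pkcs12 -in "$1" -passin pass:$PW -nokeys -clcerts 2>/dev/null > "$WORK/leaf.chk"
  openssl pkcs12 -in "$1" -passin pass:$PW -nokeys -cacerts 2>/dev/null > "$WORK/cas.chk"
  u=""; grep -q 'BEGIN CERTIFICATE' "$WORK/cas.chk" && u="-untrusted $WORK/cas.chk"
  openssl verify -CAfile "$2" $u "$WORK/leaf.chk" >/dev/null 2>&1
}
make_pki
for f in "$WORK/full.pfx" "$WORK/leafonly.pfx"; do
  echo "$(basename "$f"): issuer $(pfx_leaf_issuer "$f")"
  pfx_bundles_issuer "$f" && echo "  issuer bundled in PFX" || echo "  issuer NOT bundled in PFX"
  pfx_verifies_against "$f" "$WORK/root.pem" && echo "  chain OK (root only)" || echo "  chain FAILS (root only)"
done
```

Point the same three functions at your real certbot PFX (set PW accordingly) and at a PEM bundle containing the exact R3 and ISRG Root X1 certificates you uploaded to the XG; if the leaf-only case fails with the root alone but passes with the intermediate added, the firewall needs a matching intermediate in its CA list rather than just the root.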
