
Let's Encrypt broken - Certificate authority

Hi .. 

Just wanted to list the steps I performed to finally validate an LE cert on XG 19.0.1 MR-1-Build365. I spent over a month trying to narrow down the issue and I might have read every article in this forum to no avail. I hope this helps.

The steps below direct you to delete certs from your XG FW, so use these steps at your own risk, and perform a proper backup before making any changes.

  1.  When generating an LE cert with certbot, make sure your certificate uses --preferred-chain "ISRG Root X1"
    1. This only works with the latest version of certbot, so make sure you get that version installed/updated
    2. When you examine your cert (I'm using KeyStore Explorer below), make sure the ROOT cert is self-signed and is NOT using DST Root CA
  2.  Install this cert onto your XG. If the cert is still invalid, the issue might be related to the list of broken/old CAs installed on your FW, some of which are visible in the GUI and most of which are not.
  3.  Use PuTTY to SSH to your XG. AGAIN, proceed at your own risk, as these steps delete certs; make sure to properly back up your FW.
    1. Change directory to /conf/certificate/cacerts
    2. Run ls -l
    3. This command will list all the certs in this directory that you might have uploaded in the past, some of which have obscure names
    4. Copy and paste this into a text file and search for ISRG, R3, LE, and remove them if they are related to Let's Encrypt certs.
    5. You can use openssl to review and use "sudo rm <filename>" to delete
  4.  After you remove all broken/old certs, you will now need to download and install the latest CA certs used to sign your certs. Mine used the below CA certs.
    1. Go to https://letsencrypt.org/certificates/
    2. Download ISRG Root X1 pem file
    3. Download R3 pem file
  5. Add them to XG FW - do not modify the name of the cert when adding.

Hope this helps. 
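An added example, not part of the post above: the chain check from step 1.2 and the review from step 3.5 done with openssl instead of KeyStore Explorer. It splits a PEM file (certbot's fullchain.pem or a file from the cacerts directory), prints each cert's subject/issuer/expiry, flags Let's Encrypt-related ones, and fails if the last cert is not self-signed or if DST Root CA X3 appears anywhere in the chain. Function names and the temp-dir layout are my own.

```shell
#!/bin/sh
# Added example, not from the original post: inspect Let's Encrypt chain and
# CA files with openssl (the poster used KeyStore Explorer and ls -l).
set -eu

# Split a concatenated PEM file into DIR/cert-1, DIR/cert-2, ... (chain order).
split_pem() {
    awk -v d="$2" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (d "/cert-" n)}' "$1"
}

# Print subject, issuer and expiry of every certificate in FILE (step 1.2) and
# flag the ones related to Let's Encrypt, as step 3.4 asks you to find.
inspect_pem() {
    tmp=$(mktemp -d)
    split_pem "$1" "$tmp"
    for c in "$tmp"/cert-*; do
        [ -f "$c" ] || continue
        info=$(openssl x509 -in "$c" -noout -subject -issuer -enddate)
        echo "$info" | grep -Eq "ISRG|Let's Encrypt" && echo "[Let's Encrypt related]"
        echo "$info"; echo "--"
    done
    rm -rf "$tmp"
}

# Return 0 only if the last cert in FILE is self-signed (subject == issuer)
# and no cert in the file is, or chains to, "DST Root CA X3"; else return 1.
chain_root_ok() {
    tmp=$(mktemp -d); status=0; last=""
    split_pem "$1" "$tmp"
    for c in "$tmp"/cert-*; do
        [ -f "$c" ] || continue
        if openssl x509 -in "$c" -noout -subject -issuer | grep -q 'DST Root CA X3'; then
            echo "DST Root CA X3 present: chain still uses the old root" >&2; status=1
        fi
        last="$c"
    done
    if [ -n "$last" ]; then
        s=$(openssl x509 -in "$last" -noout -subject)
        i=$(openssl x509 -in "$last" -noout -issuer)
        # strip the "subject=" / "issuer=" prefixes and compare the DNs
        [ "${s#subject=}" = "${i#issuer=}" ] || { echo "last cert is not self-signed" >&2; status=1; }
    else
        echo "no certificate found in $1" >&2; status=1
    fi
    rm -rf "$tmp"
    return "$status"
}

# Usage: . ./chaincheck.sh && inspect_pem fullchain.pem && chain_root_ok fullchain.pem
```

Run it against certbot's fullchain.pem before uploading, and against each file in /conf/certificate/cacerts to decide which entries the post's step 3.4 is talking about.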


