WEB Protection certificate expired message for lets encrypt certificates

Question

Hello, 
 we use the sophos Web Protection with SSL scanning enabled. Since today afternoon we get a "certificate expired" message for websites secured with lets encrypt certificates. 
 i researched a bit and found out that today a root certificate of lets encrypt expired. i deleted the lets encrypt x3 and r3 CA certificates under Web Protection -> Filtering options->HTTPS CAs. And also deactivated the ISRG Root X1 certificate. Then restarted the Web Protection by toggling the Button under "Web Filtering". The issue still persists. 
 I also tried to clear the cache under Web Protection -> Filtering options->Misc. with no effect. 
 
 a website that is affected for example: https://letsencrypt.org/de/certificates/.org 
 other websites work quite well. 
 can someone help?

AlexRomp · Accepted Answer

Turn off the following CA from Web Protection, Filtering Options, HTTPS CAs: 
 
 Digital Signature Trust Co. DST Root CA X3 
 
 Restart the httpproxy service. 
 
 SSH to the UTM 
 sudo su 
 /var/mdw/scripts/httpproxy restart 
 
 (or just reboot the UTM) 
 Seemed to do the trick for us.

Dylan Hayes · Answer

Found an easy fix for this (Thanks AlexRomp and others) 
 1. If you see the Digital Signature Trust Co. DST Root CA X3 certificate (Web Protection -> Filtering Options -> HTTPS CAs) disable it 
 2. Turn off and back on the "Web Filtering status" button under Web Protection -> Web Filtering. 
 Now after 30 seconds SSL Filtering will back up and everything will start working again

WEB Protection certificate expired message for lets encrypt certificates

Top Replies