On some UTMs, new Let's Encrypt certificates are still being renewed / reissued with the old R3 / X3 root certificate chain.
That means they will no longer be valid from tomorrow.
Disabling and re-enabling Let's Encrypt does not help here.
Does anyone know how to get the UTM to switch to the X1 certificate?
Hey Volker, thanks for reaching out. I have tested this and the results are the same: new certificates are also signed by the old chain. We're following up with our internal team on this. I will update this post once we receive an update :)
This is the update from our PM:
The Let's Encrypt chain currently includes the ISRG Root, which is itself signed by the expiring DST Root.
 0 s:CN = floater.xxxxxxxx.ca
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
 3 s:O = Digital Signature Trust Co., CN = DST Root CA X3
You can see that the chain terminates with the DST cert but includes the ISRG Root.
For any client that includes the ISRG cert in its built-in trusted root list, the fact that it is signed by an out-of-date cert should be irrelevant. The trust is rooted in the ISRG cert. When the client traces the certificate chain, it stops when it hits a cert that is included in its root trust list.
It’s also included in the UTM’s own HTTPS root CA list:
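The trust rule the PM describes (the client walks the served chain only until it reaches a certificate that is already in its own root store, so the expired DST cross-signature is never evaluated if ISRG Root X1 is trusted) can be reproduced offline. The script below is an added example, not code from the thread or from Sophos: it builds a throwaway hierarchy with the same layout as the chain listed above (leaf, R3, ISRG Root X1 cross-signed by DST Root CA X3) using freshly generated keys, then runs OpenSSL path validation twice, once with ISRG Root X1 as the only trust anchor and once with DST Root CA X3. Subject names mimic the real CAs; keys, serial numbers, validity periods and the hostname floater.example are invented, and `-attime` moves the verification clock two days ahead so that the one-day DST root has expired. It assumes the `openssl` command line tool (1.1.1 or newer) is installed.

```shell
#!/bin/sh
# Added example (not from the thread): rebuild the Let's Encrypt chain layout with
# throwaway keys and show that path validation succeeds or fails depending on which
# root the client trusts, not on whether the served chain ends in an expired cert.
set -e

WORK=$(mktemp -d)
cd "$WORK"

# Extension profiles for CA and leaf certificates (invented, minimal).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:floater.example\n' > leaf.ext

newkey() { openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1" 2>/dev/null; }

# sign OUT KEY SUBJECT DAYS EXTFILE [ISSUER_CERT ISSUER_KEY]
# Without an issuer the certificate is self-signed; with one it is signed by that CA.
sign() {
  out=$1 key=$2 subj=$3 days=$4 ext=$5 icert=$6 ikey=$7
  openssl req -new -key "$key" -subj "$subj" -out "$out.csr" 2>/dev/null
  if [ -z "$icert" ]; then
    openssl x509 -req -in "$out.csr" -signkey "$key" -days "$days" -extfile "$ext" -out "$out.pem" 2>/dev/null
  else
    openssl x509 -req -in "$out.csr" -CA "$icert" -CAkey "$ikey" -CAcreateserial \
      -days "$days" -extfile "$ext" -out "$out.pem" 2>/dev/null
  fi
}

newkey dst.key; newkey isrg.key; newkey r3.key; newkey leaf.key

# Old root: valid for one day only, so it is expired at the verification time used below.
sign dst  dst.key  "/O=Digital Signature Trust Co./CN=DST Root CA X3" 1 ca.ext
# New root, self-signed (this is the copy a client carries in its root store) ...
sign isrg isrg.key "/C=US/O=Internet Security Research Group/CN=ISRG Root X1" 3650 ca.ext
# ... and the SAME key and subject cross-signed by the old root: the copy the server sends.
sign isrg_cross isrg.key "/C=US/O=Internet Security Research Group/CN=ISRG Root X1" 3650 ca.ext dst.pem dst.key
sign r3   r3.key   "/C=US/O=Let's Encrypt/CN=R3" 825 ca.ext isrg.pem isrg.key
sign leaf leaf.key "/CN=floater.example" 90 leaf.ext r3.pem r3.key

# What the server hands out: positions 1 and 2 of the chain in the post above.
cat r3.pem isrg_cross.pem > intermediates.pem

# Verification clock: two days from now, i.e. after dst.pem has expired.
LATER=$(( $(date +%s) + 2 * 86400 ))

# validate_with TRUST_ANCHOR_FILE: validate leaf.pem as a client whose root store
# contains exactly that one root, using the served intermediates as untrusted input.
validate_with() {
  openssl verify -attime "$LATER" -CAfile "$1" -untrusted intermediates.pem leaf.pem >/dev/null 2>&1
}

# Print the served chain as subject/issuer pairs, like s_client's chain listing.
show_chain() {
  cat leaf.pem intermediates.pem > served.pem
  openssl crl2pkcs7 -nocrl -certfile served.pem | openssl pkcs7 -print_certs -noout
}

show_chain
if validate_with isrg.pem; then
  echo "root store = ISRG Root X1: chain OK (validation stops at ISRG, DST is never examined)"
fi
if validate_with dst.pem; then :; else
  echo "root store = DST Root CA X3 only: chain rejected (expired root)"
fi
```

The same `openssl verify -CAfile <root> -untrusted <intermediates> <leaf>` call works on a real chain: dump it from the UTM with `openssl s_client -connect host:443 -showcerts`, split the certificates into leaf and intermediates, and validate against ISRG Root X1 alone to confirm that a client which trusts that root is unaffected by the DST expiry.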
Thank you for your fast explanation.
Kind regards,
Volker Zier
At the moment the Let's Encrypt certificates don't work with iOS/Apple devices: you'll receive a cert error (tried with iOS 14.8 and also 15.0).
Edge/Firefox/Chrome are working.
In our company some iPhones (iOS 15) work with the certificate chain, some (iOS 15 and 14) do not.
It's not really clear why.
We have the same problem. Is there already a solution from Sophos?
Regards
Ben
I have deleted the old certificate authorities for R3 and X3 and all of our iOS devices are working with the new chain.
Perfect. Thank you very much!
Can you describe in more detail what you did and where? Unfortunately, I can't find it.
We use the reverse proxy to publish our (exchange) websites.
Start with a backup ;)
Open Webserver Protection / Certificate Management / Certificate Authority.
Search for old entries that are no longer valid, as shown in my screenshot above, and delete them.
After that you can renew the certificates from Let's Encrypt, but I don't think that it is really necessary.