Let's Encrypt root certificate valid until 30.09.2021 (old R3 / X3 certificate chain)

On some UTMs, new Let's Encrypt certificates are still being renewed / reissued with the old R3 / X3 root certificate chain.

That means they will no longer be valid from tomorrow.

Deactivating and reactivating Let's Encrypt does not help here.

Does anyone know how to make the UTM switch to the X1 certificate?

Regards, Volker

  • Hey Volker, Thanks for reaching out. 

    I have tested and the results are the same. New certificates are also signed by the old chain. 

    We're following up with our internal team for this. I will update this post once we receive the update :) 

    Devesh Mishra
    Global Community Support Engineer | Sophos Technical Support
  • Hello Volker,

    This is the update from our PM

    The Let's Encrypt chain currently includes the ISRG Root, which is itself signed by the expiring DST Root.

    Certificate chain

     0 s:CN = floater.xxxxxxxx.ca
       i:C = US, O = Let's Encrypt, CN = R3
     1 s:C = US, O = Let's Encrypt, CN = R3
       i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
     2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
       i:O = Digital Signature Trust Co., CN = DST Root CA X3
     3 s:O = Digital Signature Trust Co., CN = DST Root CA X3
       i:O = Digital Signature Trust Co., CN = DST Root CA X3

    You can see that the chain terminates with the DST cert but includes the ISRG Root.

    For any client that includes the ISRG cert in its built-in trusted root list, the fact that it is signed by an out-of-date cert should be irrelevant. The trust is rooted in the ISRG cert. When the client traces the certificate chain, it stops when it hits a cert that is included in its root trust list.

    It’s also included in the UTM’s own HTTPS root CA list:

    Regards,

    Emmanuel (EmmoSophos)
    Community Support Engineer | Sophos Technical Support
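The path-building rule in the answer above (a client stops walking the served chain as soon as it reaches a certificate that is already in its trust store) is what decides whether the chain ending in the expired DST Root CA X3 is still accepted. The following is an added illustration for this thread, not Sophos or UTM code and not a real validator: it models certificates as subject/issuer/expiry records only, checks no signatures, and uses constructed dates and a placeholder hostname (only the DST expiry of 30.09.2021 comes from the thread). It contrasts the modern "stop at the first trusted anchor" behaviour with a legacy client that insists on walking to the self-signed end of whatever the server sent.

```python
# Toy model of X.509 path building, added as an illustration for this thread.
# Not Sophos/UTM code and not a real validator: signatures are NOT checked,
# certificates are subject/issuer/expiry records only.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: datetime


def _utc(*ymd: int) -> datetime:
    return datetime(*ymd, tzinfo=timezone.utc)


# Constructed sample data mirroring the chain quoted in the post. Only the DST
# expiry (30.09.2021) comes from the thread; other dates and the hostname are
# placeholders.
DST_ROOT = Cert("DST Root CA X3", "DST Root CA X3", _utc(2021, 9, 30))
ISRG_X1_CROSS = Cert("ISRG Root X1", "DST Root CA X3", _utc(2024, 9, 30))  # cross-signed copy the UTM serves
ISRG_X1_SELF = Cert("ISRG Root X1", "ISRG Root X1", _utc(2035, 6, 4))      # self-signed copy in trust stores
R3 = Cert("R3", "ISRG Root X1", _utc(2025, 9, 15))
LEAF = Cert("floater.example", "R3", _utc(2021, 12, 15))                  # placeholder hostname

# What the UTM sends: leaf, R3, cross-signed ISRG Root X1, DST Root CA X3.
SERVED_CHAIN: List[Cert] = [LEAF, R3, ISRG_X1_CROSS, DST_ROOT]

BEFORE_EXPIRY = _utc(2021, 9, 29)
AFTER_EXPIRY = _utc(2021, 10, 1)


def verify(chain: List[Cert], trust_store: List[Cert], now: datetime,
           stop_at_anchor: bool) -> Tuple[bool, List[str], str]:
    """Walk from the leaf along issuer links; return (ok, path_subjects, reason).

    stop_at_anchor=True models a modern client: the walk ends as soon as the
    current subject is in the trust store, and the store's own copy of that
    certificate is used, so whatever the server sent after it is never examined.
    stop_at_anchor=False models a legacy client: it follows the served chain to
    its self-signed end, checking every certificate's validity on the way, and
    only then asks whether that end is trusted.
    """
    store: Dict[str, Cert] = {c.subject: c for c in trust_store}
    served: Dict[str, Cert] = {c.subject: c for c in chain[1:]}
    path: List[Cert] = []
    cur = chain[0]
    while True:
        if stop_at_anchor and cur.subject in store:
            anchor = store[cur.subject]           # use the trusted copy, not the served one
            path.append(anchor)
            subjects = [c.subject for c in path]
            if anchor.not_after < now:
                return False, subjects, f"trust anchor {anchor.subject} expired"
            return True, subjects, f"anchored at {anchor.subject}"
        path.append(cur)
        subjects = [c.subject for c in path]
        if cur.not_after < now:
            return False, subjects, f"{cur.subject} expired"
        if cur.issuer == cur.subject:             # reached a self-signed root
            if cur.subject in store:
                return True, subjects, f"chain ends at trusted root {cur.subject}"
            return False, subjects, f"chain ends at untrusted root {cur.subject}"
        nxt = served.get(cur.issuer) or store.get(cur.issuer)
        if nxt is None:
            return False, subjects, f"issuer {cur.issuer} not found"
        cur = nxt


if __name__ == "__main__":
    scenarios = [
        ("modern client, ISRG Root X1 trusted, after 30.09.2021", [ISRG_X1_SELF], AFTER_EXPIRY, True),
        ("modern client, only DST trusted, after 30.09.2021", [DST_ROOT], AFTER_EXPIRY, True),
        ("legacy client, both trusted, before 30.09.2021", [ISRG_X1_SELF, DST_ROOT], BEFORE_EXPIRY, False),
        ("legacy client, both trusted, after 30.09.2021", [ISRG_X1_SELF, DST_ROOT], AFTER_EXPIRY, False),
    ]
    for name, store, now, modern in scenarios:
        ok, path, reason = verify(SERVED_CHAIN, store, now, modern)
        print(f"{name}: {'OK' if ok else 'FAIL'} via {' -> '.join(path)} ({reason})")
```

The fourth scenario is the one to watch: the legacy client has ISRG Root X1 in its store, yet still fails after 30.09.2021 because it walks the served chain through the cross-signed ISRG Root X1 into the expired DST root before consulting the store. Clients built on old OpenSSL 1.0.x releases are the best-known real-world examples of that behaviour; modern clients, like the UTM's own HTTPS root CA list described above, behave like the first scenario and never look at the DST certificate at all.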
  • Thank you for your fast explanation.

    Kind regards,
    Volker Zier
