Auf einigen UTMs werden immer noch neue Let's Encrypt Zertifikate erneuert / neu ausgestellt mit der alten R3 / X3 Root Zertifikatskette.
Das heißt diese sind ab morgen nicht mehr gültig.
Deaktivieren und aktivieren von Let's Encrypt hilft hier nicht.
Weiß jemand, wie man die UTM dazu bringt auf das X1 Zertifikat zu wechseln?
Hey Volker, Thanks for reaching out. I have tested and the results are the same. New certificates are also signed by the old chain. We're following up with our internal team for this. I will update this post once we receive the update :)
This is the update from our PMThe Let’s Encrypt chain currently includes both the ISRG Root, which is itself signed by the expiring DST Root.
0 s:CN = floater.xxxxxxxx.ca
i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = R3
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
i:O = Digital Signature Trust Co., CN = DST Root CA X3
3 s:O = Digital Signature Trust Co., CN = DST Root CA X3
You can see that the chain terminates with the DST cert but includes the ISRG Root.
For any client that includes the ISRG cert in its built-in trusted root list, the fact that it is signed by an out-of-date cert should be irrelevant. The trust is rooted in the ISRG cert. When the client traces the certificate chain, it stops when it hits a cert that is included in its root trust list.
It’s also included in the UTM’s own HTTPS root CA list:
Thank you for your fast explanation.
Kind regards,Volker Zier