Sophos UTM: Decommissioning of obsolete URL categorization services CFFS. Click here for important info.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Let's Encrypt Root Zertifikat gültig bis 30.09.2021 (alte R3 / X3 Zertifikatskette)

Auf einigen UTMs werden immer noch neue Let's Encrypt Zertifikate erneuert / neu ausgestellt mit der alten R3 / X3 Root Zertifikatskette.

Das heißt diese sind ab morgen nicht mehr gültig.

Deaktivieren und aktivieren von Let's Encrypt hilft hier nicht.

Weiß jemand, wie man die UTM dazu bringt auf das X1 Zertifikat zu wechseln? 

Gruß Volker

This thread was automatically locked due to age.
  • FormerMember
    0 FormerMember

    Hey Volker, Thanks for reaching out. 

    I have tested and the results are the same. New certificates are also signed by the old chain. 

    We're following up with our internal team for this. I will update this post once we receive the update :) 

  • Hello Volker,

    This is the update from our PM

    The Let’s Encrypt chain currently includes both the ISRG Root, which is itself signed by the expiring DST Root.

    Certificate chain

     0 s:CN =

       i:C = US, O = Let's Encrypt, CN = R3

     1 s:C = US, O = Let's Encrypt, CN = R3

       i:C = US, O = Internet Security Research Group, CN = ISRG Root X1

     2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1

       i:O = Digital Signature Trust Co., CN = DST Root CA X3

     3 s:O = Digital Signature Trust Co., CN = DST Root CA X3

       i:O = Digital Signature Trust Co., CN = DST Root CA X3

    You can see that the chain terminates with the DST cert but includes the ISRG Root.

    For any client that includes the ISRG cert in its built-in trusted root list, the fact that it is signed by an out-of-date cert should be irrelevant. The trust is rooted in the ISRG cert. When the client traces the certificate chain, it stops when it hits a cert that is included in its root trust list.

    It’s also included in the UTM’s own HTTPS root CA list:


    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • Thank you for your fast explanation.

    Kind regards,
    Volker Zier

  • At the moment the Let´s Encrypt Certificates doesn´t work with iOS/Apple devices - you´ll receive is a cert error (tried with iOS 14.8 and also 15.0).

    Edge/Firefox/Chrome is working.


Reply Children