On some UTMs, new Let's Encrypt certificates are still being renewed / newly issued with the old R3 / X3 root certificate chain.
This means they will no longer be valid as of tomorrow.
Disabling and re-enabling Let's Encrypt does not help here.
Does anyone know how to get the UTM to switch to the X1 certificate?
We use the reverse proxy to publish our (exchange) websites.
Start with a backup ;)
Open the Webserver Protection / Certificate Management / Certificate Authority
Search for old entries that are no longer…
Hey Volker, Thanks for reaching out. I have tested and the results are the same. New certificates are also signed by the old chain. We're following up with our internal team for this. I will update this post once we receive the update :)
This is the update from our PM:
The Let’s Encrypt chain currently includes both the ISRG Root, which is itself signed by the expiring DST Root.
 0 s:CN = floater.xxxxxxxx.ca
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
 3 s:O = Digital Signature Trust Co., CN = DST Root CA X3
You can see that the chain terminates with the DST cert but includes the ISRG Root.
For any client that includes the ISRG cert in its built-in trusted root list, the fact that it is signed by an out-of-date cert should be irrelevant. The trust is rooted in the ISRG cert. When the client traces the certificate chain, it stops when it hits a cert that is included in its root trust list.
It’s also included in the UTM’s own HTTPS root CA list:
Thank you for your fast explanation.
Kind regards,
Volker Zier
At the moment the Let's Encrypt certificates don't work with iOS/Apple devices - you'll receive a cert error (tried with iOS 14.8 and also 15.0).
Edge/Firefox/Chrome is working.
In our company some iPhones (iOS 15) work with the certificate chain, some (iOS 15 and 14) do not.
It's not really clear why.
We have the same problem. Is there already a solution from Sophos?
Regards
Ben
I have deleted the old certificate authorities for R3 and X3 and all of our iOS devices are working with the new chain.
Perfect. Thank you very much!
Can you describe in more detail what you did and where? Unfortunately, I can't find it.
Search for old entries that are no longer valid as shown in my screenshot above and delete them.
After that you can renew the certificates from Let's Encrypt, but I don't think that it is really necessary.
You just delete those CN R3 - and no, you don't need to renew LE certs.
To get SSL Decrypt and Scan working, I had to disable the "Digital Signature Trust Co. DST Root CA X3" cert under Web Protection > Filtering Options > HTTPS CAs. Then download the two certs "ISRG Root X1" and "Let’s Encrypt R3" from Chain of Trust - Let's Encrypt (letsencrypt.org) in PEM format. Upload them to Web Protection > Filtering Options > HTTPS CAs. Once I did this, sites started working again.
Hmm, exactly that does not work for me. It still says certificate error. Any other ideas?
Thanks, nfawcett. But, like Lesmona2020 stated, that didn't work for us. Still getting sites with certificate errors. Example: typetastic.com
Certificate error on the proxy (WebProtection) or the reverse proxy (WebServer Protection)?
On the proxy (web protection). Do we need to restart the httpproxy service?
So what is the error shown?
"certificate has expired"
I have the same issue, even after following what nfawcett said.
Check the intermediate certificate. By whom has it been issued?
Disabling Digital Signature Trust Co. DST Root CA X3 and then turning the web filter off and then back on fixed the issue for me.
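As an added illustration (not part of the original posts and not Sophos code), this Python model contrasts the path building the PM describes, which stops at the first trusted root, with a verifier that follows the served chain to its end before consulting the trust store. The second strategy, the host name and all validity dates are assumptions, constructed to reproduce the "certificate has expired" error and the effect of disabling DST Root CA X3 reported in this thread.

```python
from datetime import datetime, timezone

UTC = timezone.utc
# Constructed model of the served chain: (subject, issuer, not_after).
# Host name and dates are sample values, not read from real certificates.
# The self-signed DST root at the end of the served chain is left out because
# it is looked up in the trust store instead.
SERVED_CHAIN = [
    ("floater.example", "R3", datetime(2021, 12, 1, tzinfo=UTC)),
    ("R3", "ISRG Root X1", datetime(2025, 9, 15, tzinfo=UTC)),
    ("ISRG Root X1", "DST Root CA X3", datetime(2024, 9, 30, tzinfo=UTC)),  # cross-signed copy
]
# Trust store: root name -> not_after of the locally trusted root certificate.
ROOTS = {
    "ISRG Root X1": datetime(2035, 6, 4, tzinfo=UTC),
    "DST Root CA X3": datetime(2021, 9, 30, tzinfo=UTC),  # expired root
}

def check_path(path, now):
    """Every certificate on the built path, anchor included, must be unexpired."""
    for name, not_after in path:
        if now > not_after:
            return f"certificate has expired ({name})"
    return "ok"

def verify_trusted_first(chain, roots, now):
    """Stop as soon as a certificate's issuer is found in the trust store."""
    path = []
    for subject, issuer, not_after in chain:
        path.append((subject, not_after))
        if issuer in roots:
            path.append((issuer, roots[issuer]))
            return check_path(path, now)
    return "unable to get issuer certificate"

def verify_served_chain_first(chain, roots, now):
    """Assumed legacy strategy: use the full served chain if its far end is
    trusted; look for a shorter path only when that root is not in the store."""
    last_issuer = chain[-1][1]
    if last_issuer in roots:
        path = [(s, na) for s, _, na in chain]
        path.append((last_issuer, roots[last_issuer]))
        return check_path(path, now)
    return verify_trusted_first(chain, roots, now)

def without_root(roots, name):
    """Model disabling one CA in the trust store."""
    return {k: v for k, v in roots.items() if k != name}

if __name__ == "__main__":
    now = datetime(2021, 10, 1, tzinfo=UTC)
    print(verify_trusted_first(SERVED_CHAIN, ROOTS, now))
    print(verify_served_chain_first(SERVED_CHAIN, ROOTS, now))
    print(verify_served_chain_first(SERVED_CHAIN, without_root(ROOTS, "DST Root CA X3"), now))
```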