
SERVER-WEBAPP Lets Encrypt SSL certificate issuer detected - Some sites not loading

This became an issue on the 14th of this month. (IPS pattern update?)

We use HTTPS intercept and scanning and of course have IPS enabled on the firewall rule for our users. We have a deployed cert that is current via GPO.

We started to notice that some of the sites the users access are not loading.

Looking at the logs and reports I see the following:

Is there a config issue here, a false positive or something to be concerned about?

Any info would be great.

cheers

  • As you can see, the IPS has a Pattern Set which blocks all sites issued by Lets Encrypt.

    I assume you have this rule enabled in Policy 7, correct? Do you use a 2U unit (XG550, 650, 750)?

    You need to disable (untick) it in this Policy.

  • Yes, you're totally correct.

    We have an XG430.

    We currently have this set in IPS:

    Does the "SERVER-WEBAPP Lets Encrypt SSL certificate issuer detected" policy replace this, as the Allow 'OpenSSL Alternative Chains Certificate Forgery Policy Bypass' sig doesn't seem to exist anymore?

    Thanks for your speedy response.

  • Mh, I do not know the answer to this. Maybe ask Sophos Support for a valid answer.

    But the Lets Encrypt IPS pattern is kinda new to the "smaller" appliances. The first time I saw it was on an XG750. Seems like this rule got deployed to the smaller appliances.

    Just add this rule to the allow rule.

  • I am seeing this too, on an XG105.

    Can you explain "Just add this Rule to the allow rule."

    Add which rule where?

  • The point is, there is no "easy" way to exclude one simple rule out of the predefined rule set.

    You could switch in the IPS policy rules to "Select individual signature" and select everything except the Lets Encrypt rule. This is not simple and takes a couple of minutes.

    I am currently trying to build up an XML API to do this task. There are a couple of changes in the pipeline for XG v17.5 and 18.0 to address this.

    We are talking about the alerts (so basically the alerts will appear, the session is allowed).

    I would recommend you guys open a case as business customers to give support a higher visibility for this "reporting issue".

  • You're right.

    I did dig deeper, and having to manually scroll down to 'w' (Web-Server) to get to Let's Encrypt is a mighty pain.

    Let's hope there is improvement with v17.5. If not, we'll have to make a feature request.

  • LuCar Toni said:

    The point is, there is no "easy" way to exclude one simple rule out of the predefined rule set.

    You could switch in the IPS policy rules to "Select individual signature" and select everything except the Lets Encrypt rule. This is not simple and takes a couple of minutes.

    I am currently trying to build up an XML API to do this task. There are a couple of changes in the pipeline for XG v17.5 and 18.0 to address this.

    We are talking about the alerts (so basically the alerts will appear, the session is allowed).

    I would recommend you guys open a case as business customers to give support a higher visibility for this "reporting issue".

    Please send me a PM with your support case ID for tracking purposes as well please.

  • The easier way is to create an allow entry before the block rule (very similar to firewall rules where earlier entries take precedence).

    Step-by-step: add/clone the IPS policy (I usually start with the lantowan_general IPS policy) and edit it.

    Now create an allow entry before the block rule. In this case that means "Select Individual Signature", Category: "Web Services and Applications" and Severity: 4-Minor; then check SID 43496 "SERVER-WEBAPP Lets Encrypt SSL certificate issuer detected", name the rule, change the action to "bypass session" and save.

    Now apply your new IPS policy to any to_WAN firewall rules, replacing any existing policy (e.g. "Allow All", "lantowan_general" or "LAN TO WAN").
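
    As an added example, not code from any post in this thread: a small Python triage script that parses constructed IPS log lines in a simplified key="value" syslog style (an assumption, not the exact Sophos XG log format) and reports, for SID 43496, how often it fired per action and per destination host. Running it against exported logs before and after the bypass entry shows which sites were affected and whether the action column has stopped showing drops.

```python
import re
from collections import Counter

KV_RE = re.compile(r'(\w+)="([^"]*)"')
LETS_ENCRYPT_SID = "43496"  # the SID named in the thread

# Constructed sample lines in a simplified key="value" syslog style. This is an
# assumption modelled loosely on firewall IPS logs, not the exact Sophos XG format.
SAMPLE_LOG = """\
log_type="IDP" log_subtype="Alert" sig_id="43496" sig_name="SERVER-WEBAPP Lets Encrypt SSL certificate issuer detected" action="Allow" src_ip="10.0.0.21" dst_host="shop.example.org"
log_type="IDP" log_subtype="Alert" sig_id="43496" sig_name="SERVER-WEBAPP Lets Encrypt SSL certificate issuer detected" action="Drop" src_ip="10.0.0.35" dst_host="docs.example.net"
log_type="IDP" log_subtype="Alert" sig_id="43496" sig_name="SERVER-WEBAPP Lets Encrypt SSL certificate issuer detected" action="Drop" src_ip="10.0.0.35" dst_host="docs.example.net"
log_type="IDP" log_subtype="Alert" sig_id="10001" sig_name="SERVER-OTHER constructed unrelated signature" action="Drop" src_ip="10.0.0.40" dst_host="unrelated.example.com"
log_type="Firewall" log_subtype="Allowed" src_ip="10.0.0.21" dst_host="shop.example.org"
"""

def parse_kv(line):
    """Turn one key="value" log line into a dict (tokens without quotes are ignored)."""
    return dict(KV_RE.findall(line))

def ips_records(log_text, sid):
    """Yield parsed IDP records for one signature id, skipping other log types."""
    for raw in log_text.splitlines():
        rec = parse_kv(raw)
        if rec.get("log_type") == "IDP" and rec.get("sig_id") == sid:
            yield rec

def summarize_sid(log_text, sid=LETS_ENCRYPT_SID):
    """Count hits per action and per destination host for one signature.

    A non-zero Drop count is the symptom from the thread; after the bypass
    entry is in place the action column should no longer show drops.
    """
    actions, hosts = Counter(), Counter()
    for rec in ips_records(log_text, sid):
        actions[rec.get("action", "?")] += 1
        hosts[rec.get("dst_host", "?")] += 1
    return actions, hosts

def blocked_hosts(log_text, sid=LETS_ENCRYPT_SID):
    """Destination hosts where the signature fired with a Drop action, sorted."""
    return sorted({r.get("dst_host", "?") for r in ips_records(log_text, sid)
                   if r.get("action") == "Drop"})

if __name__ == "__main__":
    acts, hs = summarize_sid(SAMPLE_LOG)
    print("actions:", dict(acts), "hosts:", dict(hs))
    print("hosts dropped by SID", LETS_ENCRYPT_SID, ":", blocked_hosts(SAMPLE_LOG))
```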

  • Thanks for sharing this!

    Can you briefly explain whether bypass session will no longer report?

    Because the Rule 43496 is set to "allow". So basically the session / packet is allowed but the reporting will get messy.