SERVER-WEBAPP Lets Encrypt SSL certificate issuer detected - Some sites not loading

This became an issue on the 14th of this month. (IPS pattern update?)

We use HTTPS interception and scanning and of course have IPS enabled on the firewall rule for our users. We have a deployed cert that is current, pushed via GPO.

We started to notice that some of the sites the users access are not loading.

Looking at the logs and reports I see the following:

Is there a config issue here, a false positive or something to be concerned about?

Any info would be great.

Cheers

  • As you can see, the IPS has a pattern set which blocks all sites with certificates issued by Let's Encrypt.

    I assume you have this rule enabled in Policy 7, correct? Do you use a 2U unit (XG550, 650, 750)?

    You need to disable (untick) it in this policy.

  • Yes, you're totally correct.

    We have an XG430.

    We currently have this set in IPS:

    Does the "SERVER-WEBAPP Lets Encrypt SSL certificate issuer detected" policy replace this, as the Allow 'OpenSSL Alternative Chains Certificate Forgery Policy Bypass' sig doesn't seem to exist anymore?

    Thanks for your speedy response.

  • Mh, I do not know the answer to this. Maybe ask Sophos Support for a valid answer.

    But the Let's Encrypt IPS pattern is kinda new to the "smaller" appliances. The first time I saw it was on an XG750. Seems like this rule got deployed to the smaller appliances.

    Just add this Rule to the allow rule.

  • I am seeing this too, on an XG105.

    Can you explain "Just add this Rule to the allow rule."

    Add which rule where?

  • The point is, there is no "easy" way to exclude one single rule from the predefined rule set.

    You could switch the IPS policy rules to "Select individual signature" and select everything except the Let's Encrypt rule. This is not simple and takes a couple of minutes.

    I am currently trying to build an XML API to do this task. There are a couple of changes in the pipeline for XG v17.5 and 18.0 to address this.

    We are talking about alerts (so basically the alerts will appear, but the session is allowed).

    I would recommend you guys open a case as business customers to give Support higher visibility for this "reporting issue".

  • You're right.

    I did dig deeper, and having to manually scroll down to 'w' (Web-Server) to get to Let's Encrypt is a mighty pain.

    Let's hope there is improvement with v17.5. If not, we'll have to make a feature request.

  • LuCar Toni said:

    The point is, there is no "easy" way to exclude one single rule from the predefined rule set.

    You could switch the IPS policy rules to "Select individual signature" and select everything except the Let's Encrypt rule. This is not simple and takes a couple of minutes.

    I am currently trying to build an XML API to do this task. There are a couple of changes in the pipeline for XG v17.5 and 18.0 to address this.

    We are talking about alerts (so basically the alerts will appear, but the session is allowed).

    I would recommend you guys open a case as business customers to give Support higher visibility for this "reporting issue".

    Please also send me a PM with your support case ID for tracking purposes.
