LetsEncrypt Certificate not trusted by Spohos XG Firewall

Same problem. I even tried uploading the ISRG Root X1 certificate in the CA tab. The certificates however remain untrusted. Any ideas?

BR
Chris

This should be fixed by a hotfix. See: https://support.sophos.com/support/s/article/KB-000042993?language=en_US

I had the same issue on one firewall and had to regenerate my lets encrypt certificate, but this fixed my issue. 

I just tried what you said and it's not working for me. I have fresh, newly issued certificates and it's still saying: not trusted

I even re-uploaded the CA certificates from the Let's Encrypt web site. The X1 and R3 one, both valid certificates.

Can you share a screenshot of your certificate? Did you upload it with a private key? 

Hello LuCar Toni i have the same issue.

I already uploaded the new certificate for R3 but my let's encrypt certs are still not valid.

I have the same problem, Tried a fresh install of Sophos 18.5.1 MR-1, tried multiple times generate a new certificate from lets encrypt alos with new certbot instalation but no luck. I downloaded all root CA of lets encrypt en uploaded them on the sophos but still the same as above.

I used the new certification on a web server protection rule and the clients are working with a valid certificate but i can't chose this new certification on the webadmin or portal because it is not valid.

Thanks for your reply.

I have exactly the same behaviour and no workaround :(

Are you sure its not valid or it does not have a private key? 

Hi LuCar Toni, i upload my certificates as pfx with included private key. If I use the certificate in webserver protection every client works fine bit the xg said it‘s invalid and so I can‘t use it for vpn or the admininterface.

Same for me here, when i use the certifcate my webbrowser is telling me its valid and the sophos is still telling it's not.

I Tried some different combination with the chain when converting to pfx12 and also tried upload the cert.pem en private.key on the sophos without converting it to other extension but still no luck.

How can we check if this hotfix has been applied? I have the same issue and have tried all the workarounds here. I found another thread which suggested the DST certificate file might still in be the 

/conf/certificates/cacerts/

I have the same symptoms where I am able to use the certificate for web servers without the browser returning errors for those sites but cannot use it as the appliance certificate because the XG marks it untrusted.

How can we check if this hotfix has been applied? I have the same issue and have tried all the workarounds here. I found another thread which suggested the DST certificate file might still in be the 

/conf/certificates/cacerts/

I have the same symptoms where I am able to use the certificate for web servers without the browser returning errors for those sites but cannot use it as the appliance certificate because the XG marks it untrusted.

I am starting to understand, what the issue could be. Let me respin this further.

Does anybody can create support cases for this matter? 

Did all of you, with the issue, do a backup/restore in the past 6 months? 

Thanks LuCar Toni,

I've raised a support case. I don't think I've done a backup/restore in the past six months. I've done the relevant firmware upgrades though.

Negative, no backup and restore procedures at all. The firewall is running for almost a year now and I was just applying new firmware when offered.

Can you link me your Case ID? 

I don't know how to find it? I ddn't get a confirmation email and can't see a way to find it from the Support home page. I'm just a home user, so I'm not sure if that changes things.

Home users are not able to created tickets. We need just one ticket, so i can forward this. 

Can you please verify, you have this CA (chain)? 

letsencrypt.org/.../

Yeah, that's my imported CA. The problem still persist though, certificate not trusted. Any ideas?

Can you show us the CA, you uploaded? 

Here is my CA:

Here is my CRT:

I just noticed, that I don't have the problem on my second firewall. Here are the screenshots: