LetsEncrypt Certificate not trusted by Sophos XG Firewall

Hi folks

I created a Let's Encrypt certificate (pfx, fullchain cert) and uploaded it to my freshly installed Sophos XG (SFOS 18.5.1 MR-1-Build326).

The certificate is uploaded but shows up as untrusted (red cross). 

The chain of the certificate is: ISRG Root X1 -> R3 -> My Certificate

I searched the CA certs for R3 and it only shows two unrelated R3 certificates. It does not show an R3-only CA certificate.

I tried to upload the R3 CA certificate from the LetsEncrypt web site but Sophos XG tells me that there is already a certificate.

Can anybody help? What am I doing wrong?

Regards,

Oliver



  • You guys shouldn't mind too much about the certificate name(s) of Let's Encrypt.
    If you stick with defaults during import everything is as it should be.

    - The ISRG Root X1 certificate is natively already installed in the XG Firewall. 
    - When importing the "R3" (yes, its name is R3) as Certificate Authority (yes, authority, not as certificate) the Name is automatically filled out as "R3".

    Finally (Yes, finally and NOT at first!) you can import your own certificate. 

    HERE the name is important. Give it the name to which it has been issued by Let's Encrypt, usually your domain name.
    If you name it differently ("My Certificate", "Lets encrypt Cert" or something else) it won't be validated successfully.

    YOUR certificate has a name - and you have to use that name, nothing else. 

    If you do that, it just works. 

  • Didn't work for me. Can't name my wildcard like *.domain.tld

  • Wildcards are always an alternative name of the CA.

    You have to use the common name (CN) of the certificate.
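
An added example (not part of the thread and not Sophos tooling): a shell script using the `openssl` CLI that splits a fullchain PEM, reads the leaf's CN and its issuer's CN, and checks the bundle order, which is the information the import steps in the replies above rely on. The demo chain and its names (`fw.example.test`, `Demo Intermediate`) are constructed sample input; a PFX has to be exported to PEM first.

```shell
#!/bin/sh
# Added example: inspect a fullchain.pem before importing it into the firewall.

# Split a PEM bundle into DIR/cert-1.pem, cert-2.pem, ...; prints the count.
split_chain() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
    out != ""                     { print > out }
    /-----END CERTIFICATE-----/   { close(out); out = "" }
    END                           { print n + 0 }' "$1"
}

# Common name of a certificate's subject or issuer ($2 = subject|issuer).
cert_cn() {
  openssl x509 -in "$1" -noout "-$2" -nameopt multiline |
    sed -n 's/^ *commonName *= //p'
}

# Full distinguished name, used to compare issuer and subject exactly.
cert_dn() {
  openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed 's/^[a-z]*= *//'
}

# Succeeds when each certificate was issued by the next one in the bundle.
chain_in_order() {
  i=1
  while [ "$i" -lt "$2" ]; do
    next=$((i + 1))
    [ "$(cert_dn "$1/cert-$i.pem" issuer)" = "$(cert_dn "$1/cert-$next.pem" subject)" ] || return 1
    i=$next
  done
}

# Constructed sample input: a throwaway CA plus leaf; all names are made up.
make_demo_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Intermediate" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=fw.example.test" \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$1/leaf.pem" 2>/dev/null &&
  cat "$1/leaf.pem" "$1/ca.pem" > "$1/fullchain.pem"
}

# Demo run on the constructed chain.
tmp=$(mktemp -d)
make_demo_chain "$tmp"
count=$(split_chain "$tmp/fullchain.pem" "$tmp")
echo "leaf CN (certificate name, per the reply): $(cert_cn "$tmp/cert-1.pem" subject)"
echo "issuing CA CN (import as CA first):        $(cert_cn "$tmp/cert-1.pem" issuer)"
chain_in_order "$tmp" "$count" && echo "bundle order: leaf first, issuer next"
```

To check a real bundle, call `split_chain` on your own `fullchain.pem` instead of the demo chain and read the CNs from the resulting `cert-N.pem` files.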
