Let's Encrypt certificate not trusted by Sophos XG Firewall

Hi folks

I created a Let's Encrypt certificate (pfx, full-chain cert) and uploaded it to my freshly installed Sophos XG (SFOS 18.5.1 MR-1-Build326).

The certificate is uploaded but shows up as untrusted (red cross).

The chain of the certificate is: ISRG Root X1 -> R3 -> My Certificate

I searched the CA certs for R3 and it only shows two unrelated R3 certificates. It does not show an R3-only CA certificate.

I tried to upload the R3 CA certificate from the Let's Encrypt website, but Sophos XG tells me that there is already a certificate.

Can anybody help? What am I doing wrong?

Regards,

Oliver



  • You guys shouldn't mind too much about the certificate name(s) of Let's Encrypt.
    If you stick with the defaults during import, everything is as it should be.

    - The ISRG Root X1 certificate is natively already installed in the XG Firewall.
    - When importing the "R3" (yes, its name is R3) as a Certificate Authority (yes, authority, not as a certificate) the name is automatically filled out as "R3".

    Finally (yes, finally and NOT at first!) you can import your own certificate.

    HERE the name is important. Give it the name to which it has been issued by Let's Encrypt, usually your domain name.
    If you name it differently ("My Certificate", "Lets encrypt Cert" or something else) it won't be validated successfully.

    YOUR certificate has a name - and you have to use that name, nothing else.

    If you do that, it just works.

  • > the name is important. Give it the name to which it has been issued by Let's Encrypt, usually your domain name.
    > If you name it differently ("My Certificate", "Lets encrypt Cert" or something else) it won't be validated successfully

    Not really... I uploaded the CA many times and then the certificate with the issued name. It only worked when I changed the name.

  • I can confirm this and reproduce the same behavior on ALL appliances. If you do not change the name of the Let's Encrypt CA certificate, all your Let's Encrypt certificates will remain untrusted.

  • So then, I got a special snowflake appliance that's working as expected :P

    My certificate name is exactly as issued and declared valid...

  • That only means that sometimes it works and sometimes not, which is not correct anyway.
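Before importing, it helps to confirm what is actually inside the bundle: which CA issued the leaf (that is the one to import as a Certificate Authority first) and the exact subject name the leaf was issued to (the name to give it on the firewall). The script below is an added example, not code from this thread or from Sophos; it needs only openssl and builds a constructed Root -> "Test R3" -> leaf chain with placeholder names (no real Let's Encrypt data) so it runs offline. To check a real bundle, point split_chain and verify_chain at your own fullchain.pem and a copy of ISRG Root X1 instead.

```shell
#!/bin/sh
# Inspect a certbot-style fullchain.pem before uploading it: split the bundle,
# show each certificate's subject and issuer (which CA to import first, and the
# exact name the leaf was issued to), check that every certificate is issued by
# the next one, and verify the leaf against the root as a trust store would.
# The Root -> "Test R3" -> leaf chain used below is constructed with openssl.
set -eu

# Split PEM bundle $1 into $2/cert1.pem, cert2.pem, ... (leaf first); print the count.
split_chain() {
  mkdir -p "$2"
  awk -v d="$2" '/-----BEGIN CERT/{n++} n>0{print > (d "/cert" n ".pem")}' "$1"
  ls "$2"/cert*.pem | wc -l | tr -d ' '
}
# Subject or issuer ($2 = subject|issuer) of certificate $1 in RFC 2253 form, e.g. "CN=Test R3".
name_of() { openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed "s/^$2= *//"; }
# Succeed only if each certificate in split directory $1 is issued by the one after it.
chain_is_linked() {
  n=$(ls "$1"/cert*.pem | wc -l | tr -d ' '); i=1
  while [ "$i" -lt "$n" ]; do
    [ "$(name_of "$1/cert$i.pem" issuer)" = "$(name_of "$1/cert$((i + 1)).pem" subject)" ] || return 1
    i=$((i + 1))
  done
}
# Verify the leaf of bundle $2 against trusted root $1; the rest of the bundle is
# passed as untrusted intermediates, which is also what the firewall needs from you.
verify_chain() {
  root=$1; d=$(mktemp -d); n=$(split_chain "$2" "$d"); i=2
  while [ "$i" -le "$n" ]; do cat "$d/cert$i.pem"; i=$((i + 1)); done > "$d/untrusted.pem"
  set -- -CAfile "$root"; [ "$n" -gt 1 ] && set -- "$@" -untrusted "$d/untrusted.pem"
  openssl verify "$@" "$d/cert1.pem" > /dev/null
}
# Constructed test chain in directory $1: self-signed root, CA-flagged intermediate
# named "Test R3", and a leaf issued to vpn.example.test (all placeholder names).
make_test_chain() (
  cd "$1"; printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
  openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr -subj "/CN=Test Root" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout r3.key -out r3.csr -subj "/CN=Test R3" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr -subj "/CN=vpn.example.test" 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext -days 2 -out root.pem 2>/dev/null
  openssl x509 -req -in r3.csr -CA root.pem -CAkey root.key -CAcreateserial -extfile ca.ext -days 1 -out r3.pem 2>/dev/null
  openssl x509 -req -in leaf.csr -CA r3.pem -CAkey r3.key -CAcreateserial -days 1 -out leaf.pem 2>/dev/null
  cat leaf.pem r3.pem > fullchain.pem   # leaf first, then its issuer: certbot's fullchain layout
)

WORK=$(mktemp -d); make_test_chain "$WORK"; split_chain "$WORK/fullchain.pem" "$WORK/split" > /dev/null
for f in "$WORK"/split/cert*.pem; do echo "$(name_of "$f" subject)  issued by  $(name_of "$f" issuer)"; done
chain_is_linked "$WORK/split" && echo "bundle order OK: leaf, then the CA that issued it"
verify_chain "$WORK/root.pem" "$WORK/fullchain.pem" && echo "leaf verifies against the root"
```

The second certificate printed is the one to import as a Certificate Authority, and the first line's subject is the name to enter for your own certificate.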
