Adding Let's Encrypt Root CA

Hi. I am trying to add the Let's Encrypt Intermediate Certificates and they are failing to import. I was able to import the ISRG Root X1 certificate but not the intermediate certificates. My certificate is signed by the Let’s Encrypt Authority X1 and I want to use this for my admin portal and cannot select it because it doesn't trust the root CA.

https://letsencrypt.org/certificates/

I get a generic "Certificate Authority could not be uploaded" error without anything in the logs.

I am hoping this is added in the future (since all modern browsers now trust it) however I would like to add it myself in the interim.

Thanks!



This thread was automatically locked due to age.
  • Hi Timonthy,

    It's interesting to find you using Let’s Encrypt Authority X1. To your interest, I tried to import the ISRG Root X1 [.pem format] and it was successful!!

    PFA screenshot

    You can try again with .pem format, I believe it will be uploaded.

    Regards

    Sachin Gurung

  • I have the same problem. When trying to import Let's Encrypt intermediate certificates (X1 through X4) Sophos XG gives the error "Certificate Authority could not be uploaded".

    It seems that Sophos XG has a problem importing a certificate into the database when there is an apostrophe in the name of the certificate subject.

    I took a look at the appliance's /log/postgres.log and found this error message:

    16370 2016-06-13 19:32:28.027 GMTERROR:  syntax error at or near "s" at character 190               
    16370 2016-06-13 19:32:28.027 GMTSTATEMENT:  select substr(mergetext(caname || ','),0,length(mergetext(caname || ','))) from tblrootcainfo where companyid in (select caid from tblrootcadetail where rtrim(subject,chr(10))='/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3') and caname || '.pem' != 'Lets Encrypt X3.pem';                                                                              
    31253 2016-06-13 19:32:28.106 GMTERROR:  syntax error at or near "s" at character 53                
    31253 2016-06-13 19:32:28.106 GMTSTATEMENT:  insert into tblrootcadetail values(245,'/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3')                                                              
    31253 2016-06-13 19:32:28.111 GMTERROR:  current transaction is aborted, commands ignored until end of transaction block                                                                                
    31253 2016-06-13 19:32:28.111 GMTSTATEMENT:  SELECT txid_current()
  • Nice, you have found an SQL injection bug in the year 2016. Sophos, 2016!!! Fix this bug and use a library for SQL communication with prepared statement support to prevent it!!!

  • Hi Sachin,

    The ISRG Root X1 is the Root CA, however to use the free SSL certificates we still need to install the Let's Encrypt Intermediate CA certificates, which is failing because of the apostrophe in the name.

    The code for importing the certificate needs to be adapted to allow for the "single quote marks" in the certificate.

  • I hope a fix for the SQL injection makes it into the next release. Yikes...
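
The failure shown in the postgres.log excerpt above, reproduced as an added example (not Sophos code and not posted by anyone in the thread): the same certificate subject breaks an INSERT built by string concatenation and is stored intact when passed as a bound parameter. Assumptions: an in-memory SQLite database stands in for the appliance's PostgreSQL, the column types are guessed, and the function names are hypothetical; the table name, the `caid` and `subject` columns and the Let's Encrypt subject string come from the log.

```python
import sqlite3

# Subject from the logged statements; its apostrophes end the SQL string literal early.
LE_SUBJECT = "/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3"
# Subject of ISRG Root X1, which has no apostrophe and imported without error.
ROOT_SUBJECT = "/C=US/O=Internet Security Research Group/CN=ISRG Root X1"

def open_db():
    # Stand-in schema (assumption): names follow the log, types are guessed.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tblrootcadetail (caid INTEGER, subject TEXT)")
    return db

def insert_concatenated(db, caid, subject):
    """'Before': the subject is pasted into the SQL text, as the logged INSERT suggests."""
    db.execute("insert into tblrootcadetail values(%d,'%s')" % (caid, subject))

def insert_parameterized(db, caid, subject):
    """'After': the subject travels as a bound parameter and is never parsed as SQL."""
    db.execute("insert into tblrootcadetail values(?, ?)", (caid, subject))

def lookup(db, subject):
    """Return the caid values stored for an exact subject match."""
    cur = db.execute("select caid from tblrootcadetail where subject = ?", (subject,))
    return [row[0] for row in cur.fetchall()]

def demo():
    db = open_db()
    # A subject without an apostrophe goes through the concatenated statement.
    insert_concatenated(db, 1, ROOT_SUBJECT)
    # The Let's Encrypt subject makes the same statement unparseable.
    try:
        insert_concatenated(db, 245, LE_SUBJECT)
        error = None
    except sqlite3.OperationalError as exc:
        error = str(exc)
    # With a bound parameter the identical subject is stored byte for byte.
    insert_parameterized(db, 245, LE_SUBJECT)
    return error, lookup(db, ROOT_SUBJECT), lookup(db, LE_SUBJECT)

if __name__ == "__main__":
    error, root_ids, le_ids = demo()
    print("concatenated insert failed with:", error)
    print("root CA stored as caid:", root_ids)
    print("intermediate stored via bound parameter as caid:", le_ids)
```

Certificate subject fields are chosen by whoever issues the certificate, so any statement that embeds them in SQL text needs the same treatment, including the `select ... from tblrootcainfo` query in the log.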