Error adding Let's Encrypt certificate into Certificate Authority

Hi,

When I try to upload the Let’s Encrypt Authority X3 certificate (https://letsencrypt.org/certificates/) into Certificate Authority, it gives me a generic error saying "Certificate Authority could not be uploaded". 

Looking at /log/postgres.log, there seems to be a problem with the apostrophe ( ' ) inside the .PEM or .DER file. Clearly Sophos is not handling these very well.

Will there be a fix for this anytime soon? Bugfix NC6557 (Unable to import Certificate in Certificate Authority) in SFOS 15.01.0 MR-3 doesn't seem to fix the problem.

Inside certificate

CN = Let's Encrypt Authority X3
O = Let's Encrypt

Output /log/postgres.log

10563 2016-07-01 00:33:16.635 GMTERROR: syntax error at or near "s" at character 190
10563 2016-07-01 00:33:16.635 GMTSTATEMENT: select substr(mergetext(caname || ','),0,length(mergetext(caname || ','))) from tblrootcainfo where companyid in (select caid from tblrootcadetail where rtrim(subject,chr(10))='/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1') and caname || '.pem' != 'test.pem';
4000 2016-07-01 00:33:16.652 GMTERROR: syntax error at or near "s" at character 53
4000 2016-07-01 00:33:16.652 GMTSTATEMENT: insert into tblrootcadetail values(240,'/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1')
4000 2016-07-01 00:33:16.653 GMTERROR: current transaction is aborted, commands ignored until end of transaction block
4000 2016-07-01 00:33:16.653 GMTSTATEMENT: SELECT txid_current()



This thread was automatically locked due to age.
  • Hi,

    10563 2016-07-01 00:33:16.635 GMTERROR: syntax error at or near "s" at character 190
    10563 2016-07-01 00:33:16.635 GMTSTATEMENT: select substr(mergetext(caname || ','),0,length(mergetext(caname || ','))) from tblrootcainfo where companyid in (select caid from tblrootcadetail where rtrim(subject,chr(10))='/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1') and caname || '.pem' != 'test.pem'

    The lines show a syntax error, which is caused when a special character (an apostrophe) is present in the certificate. I was able to recreate it in our labs, and this is taken into consideration in NC-8869.

    Logs during our testing:

    30240 2016-07-06 07:19:02.302 GMTERROR:  syntax error at or near "s" at character 190
    30240 2016-07-06 07:19:02.302 GMTSTATEMENT:  select substr(mergetext(caname || ','),0,length(mergetext(caname || ','))) from tblrootcainfo where companyid in (select caid from tblrootcadetail where rtrim(subject,chr(10))='/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3') and caname || '.pem' != 'test.pem';
    14470 2016-07-06 07:19:02.360 GMTERROR:  syntax error at or near "s" at character 52
    14470 2016-07-06 07:19:02.360 GMTSTATEMENT:  insert into tblrootcadetail values(63,'/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3')
    14470 2016-07-06 07:19:02.363 GMTERROR:  current transaction is aborted, commands ignored until end of transaction block
    14470 2016-07-06 07:19:02.363 GMTSTATEMENT:  SELECT txid_current()

    Thanks for your patience.
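
The failure in the postgres.log lines above, reproduced as an added example (not Sophos code and not part of any post in this thread): the subject is pasted between quotes, so its first apostrophe closes the string literal early, while a bound parameter stores the same subject intact. Python's sqlite3 is used as an offline stand-in for PostgreSQL; the column names and all function names are assumptions.

```python
import sqlite3

# Subjects and row ids copied from the postgres.log lines quoted in this thread.
SUBJECT_X1 = "/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1"
SUBJECT_X3 = "/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3"

def open_db():
    # In-memory stand-in for the appliance database; column names are assumed.
    db = sqlite3.connect(":memory:")
    db.execute("create table tblrootcadetail (caid integer, subject text)")
    return db

def build_concatenated(caid, subject):
    # Pastes the subject between quotes, the shape of the logged statement.
    return "insert into tblrootcadetail values(%d,'%s')" % (caid, subject)

def literal_break_position(caid, subject):
    # 1-based offset of the first character after the apostrophe that closes
    # the string literal early; None if the subject contains no apostrophe.
    idx = subject.find("'")
    if idx < 0:
        return None
    prefix = build_concatenated(caid, "")[:-2]  # text up to the opening quote
    return len(prefix) + idx + 2

def insert_concatenated(db, caid, subject):
    # Returns the database error text, or None if the statement ran.
    try:
        db.execute(build_concatenated(caid, subject))
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)

def insert_bound(db, caid, subject):
    # Bound parameters keep the subject as data; no quoting is involved.
    db.execute("insert into tblrootcadetail values(?, ?)", (caid, subject))

def lookup_bound(db, subject):
    row = db.execute(
        "select caid from tblrootcadetail where subject = ?", (subject,)
    ).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = open_db()
    print("concatenated:", insert_concatenated(db, 63, SUBJECT_X3))
    print("literal breaks at character", literal_break_position(63, SUBJECT_X3))
    insert_bound(db, 63, SUBJECT_X3)
    print("bound insert stored caid", lookup_bound(db, SUBJECT_X3))
```

The computed offsets match the "at character 53" and "at character 52" positions PostgreSQL reported for the two insert statements in the logs.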

  • Although I don't see any error in postgres.log I too can't add the Let's Encrypt Root or Intermediate certs.

  • I tried to upload the Root CA "Let's Encrypt" and the error is this one from validationError.log


    ********** Entity json validation log:27-10-2016  18:41:7 Objectname=system::certificateauthority

        => Validation start for: ___component

            - Validating 'validateValidAndInvalidInput' for type SCALAR

        => Validation start for: APIVersion

            - Validating 'validateValidAndInvalidInput' for type SCALAR

        => Validation start for: cacertfile

            - Validating 'require' : Result=false : Value should not be null.

        => Validation start for: uploadcaname

            - Inside functin Validating type : SCALAR,STRING

            - Validating 'datatype' : Result=true

            - Validating 'require' : Result=true

            - Validating 'validateValidAndInvalidInput' for type SCALAR

            - validflag result = true,funcname=validateInputWithValidCharacters($entityJSON->{$key},$regexIndex,'')

            - Validating 'validateInputWithValidCharacters' : Result=true

        => Validation start for: currentlyloggedinuserid

            - Validating 'validateValidAndInvalidInput' for type SCALAR

        => Validation start for: ___serverprotocol

            - Validating 'validateValidAndInvalidInput' for type SCALAR

        => Validation start for: ___username

            - Validating 'validateValidAndInvalidInput' for type SCALAR

        => Validation start for: certformat

            - Inside functin Validating type : SCALAR,STRING

            - Validating 'datatype' : Result=true

            - Validating 'validateValidAndInvalidInput' for type SCALAR

        => Validation start for: ___serverip

            - Validating 'validateValidAndInvalidInput' for type SCALAR

        => Validation start for: cakeyfile

        => Validation start for: transactionid

            - Validating 'validateValidAndInvalidInput' for type SCALAR

        => Validation start for: currentlyloggedinuserip

            - Validating 'validateValidAndInvalidInput' for type SCALAR

        => Validation start for: ___serverport

            - Validating 'validateValidAndInvalidInput' for type SCALAR

        => Validation start for: mode

            - Validating 'validateValidAndInvalidInput' for type SCALAR

        => Validation start for: isprivate

            - Inside functin Validating type : SCALAR,STRING

            - Validating 'datatype' : Result=true

            - Validating 'validateValidAndInvalidInput' for type SCALAR

  • Yes, that's the same error I get when uploading any certificate, also one signed by the Let's Encrypt Intermediate X3 CA.