Let's Encrypt Root Zertifikat gültig bis 30.09.2021 (alte R3 / X3 Zertifikatskette)

Question

Auf einigen UTMs werden immer noch neue Let's Encrypt Zertifikate erneuert / neu ausgestellt mit der alten R3 / X3 Root Zertifikatskette. 
 Das hei&szlig;t diese sind ab morgen nicht mehr g&uuml;ltig. 
 Deaktivieren und aktivieren von Let's Encrypt hilft hier nicht. 
 Wei&szlig; jemand, wie man die UTM dazu bringt auf das X1 Zertifikat zu wechseln? 
 
 Gru&szlig; Volker

emmosophos · Accepted Answer

Hello Volker, 
 This is the update from our PM The Let&rsquo;s Encrypt chain currently includes both the ISRG Root, which is itself signed by the expiring DST Root. 
 Certificate chain 
 0 s:CN = floater.xxxxxxxx.ca 
 i:C = US, O = Let's Encrypt, CN = R3 
 1 s:C = US, O = Let's Encrypt, CN = R3 
 i:C = US, O = Internet Security Research Group, CN = ISRG Root X1 
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1 
 i:O = Digital Signature Trust Co., CN = DST Root CA X3 
 3 s:O = Digital Signature Trust Co., CN = DST Root CA X3 
 i:O = Digital Signature Trust Co., CN = DST Root CA X3 
 You can see that the chain terminates with the DST cert but includes the ISRG Root. 
 For any client that includes the ISRG cert in its built-in trusted root list, the fact that it is signed by an out-of-date cert should be irrelevant. The trust is rooted in the ISRG cert. When the client traces the certificate chain, it stops when it hits a cert that is included in its root trust list. 
 It&rsquo;s also included in the UTM&rsquo;s own HTTPS root CA list: 
 
 Regards,

VolkerZier · Answer

We use the reverse proxy to publish our (exchange) websites. 
 Start with a backup ;) Open the Webserver Protection / Certificate Management / Certificate Authority 
 Search for old entries that are not longer valid as shown in my screenshoot above and delete it. 
 After that you can renew the certificates from let's encrypt, but I don't think that it is realy neccessary. 
 regards

jk1984 · Answer

Die UTM scheint das abgelaufene Verifizierungszertifikat mit auszuliefern, obwohl das neue ebenfalls schon exisiert. L&ouml;sung/Workaround ist das L&ouml;schen dieses Zertifikats. Anschlie&szlig;end die Let's-Encrypt-Zertifikate renewen et Voila!

eporro · Answer

Disabling Digital Signature Trust Co. DST Root CA X3 and then turning the web filter off and then back on fixed the issue for me.

BAlfson · Answer

I did not delete or manually download any CAs. The expired CA was replaced in our AWS instance with a cadata pattern update at 22:37 CDT (UTC-0500) on 30 September. My lab UTM was updated 3 minutes later. It was still necessary to restart the Proxy . You can disable/enable Web Filtering in WebAdmin or run the following command as root: 
 /var/mdw/scripts/httpproxy restart 
 If you're in the Americas and you want to see if your UTM was updated. 
 zgrep 'package="cadata"' /var/log/up2date/2021/09/up2date-2021-09-30.log.gz 
 In the rest of the world, I suspect it would be: 
 zgrep 'package="cadata"' /var/log/up2date/2021/10/up2date-2021-10-01.log.gz 
 Cheers und MfG - Bob

Let's Encrypt Root Zertifikat gültig bis 30.09.2021 (alte R3 / X3 Zertifikatskette)

Top Replies