Let's Encrypt Root Zertifikat gültig bis 30.09.2021 (alte R3 / X3 Zertifikatskette)

Question

Auf einigen UTMs werden immer noch neue Let's Encrypt Zertifikate erneuert / neu ausgestellt mit der alten R3 / X3 Root Zertifikatskette. 
 Das hei&szlig;t diese sind ab morgen nicht mehr g&uuml;ltig. 
 Deaktivieren und aktivieren von Let's Encrypt hilft hier nicht. 
 Wei&szlig; jemand, wie man die UTM dazu bringt auf das X1 Zertifikat zu wechseln? 
 
 Gru&szlig; Volker

emmosophos · Accepted Answer

Hello Volker, 
 This is the update from our PM The Let&rsquo;s Encrypt chain currently includes both the ISRG Root, which is itself signed by the expiring DST Root. 
 Certificate chain 
 0 s:CN = floater.xxxxxxxx.ca 
 i:C = US, O = Let's Encrypt, CN = R3 
 1 s:C = US, O = Let's Encrypt, CN = R3 
 i:C = US, O = Internet Security Research Group, CN = ISRG Root X1 
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1 
 i:O = Digital Signature Trust Co., CN = DST Root CA X3 
 3 s:O = Digital Signature Trust Co., CN = DST Root CA X3 
 i:O = Digital Signature Trust Co., CN = DST Root CA X3 
 You can see that the chain terminates with the DST cert but includes the ISRG Root. 
 For any client that includes the ISRG cert in its built-in trusted root list, the fact that it is signed by an out-of-date cert should be irrelevant. The trust is rooted in the ISRG cert. When the client traces the certificate chain, it stops when it hits a cert that is included in its root trust list. 
 It&rsquo;s also included in the UTM&rsquo;s own HTTPS root CA list: 
 
 Regards,

VolkerZier · Answer

We use the reverse proxy to publish our (exchange) websites. 
 Start with a backup ;) Open the Webserver Protection / Certificate Management / Certificate Authority 
 Search for old entries that are not longer valid as shown in my screenshoot above and delete it. 
 After that you can renew the certificates from let's encrypt, but I don't think that it is realy neccessary. 
 regards

jk1984 · Answer

Die UTM scheint das abgelaufene Verifizierungszertifikat mit auszuliefern, obwohl das neue ebenfalls schon exisiert. L&ouml;sung/Workaround ist das L&ouml;schen dieses Zertifikats. Anschlie&szlig;end die Let's-Encrypt-Zertifikate renewen et Voila!

eporro · Answer

Disabling Digital Signature Trust Co. DST Root CA X3 and then turning the web filter off and then back on fixed the issue for me.

BAlfson · Answer

I did not delete or manually download any CAs. The expired CA was replaced in our AWS instance with a cadata pattern update at 22:37 CDT (UTC-0500) on 30 September. My lab UTM was updated 3 minutes later. It was still necessary to restart the Proxy . You can disable/enable Web Filtering in WebAdmin or run the following command as root: 
 /var/mdw/scripts/httpproxy restart 
 If you're in the Americas and you want to see if your UTM was updated. 
 zgrep 'package="cadata"' /var/log/up2date/2021/09/up2date-2021-09-30.log.gz 
 In the rest of the world, I suspect it would be: 
 zgrep 'package="cadata"' /var/log/up2date/2021/10/up2date-2021-10-01.log.gz 
 Cheers und MfG - Bob

Path #1: Trusted
1	Sent by server	xxx.domain.com Fingerprint SHA256: c6fd72b49484c6124acd17f5bff8d90bf941200e889d67a607511f72ac429dfd Pin SHA256: thxSHxnuQfCLGcjZzukPDVgDsYMm8Dc7L6KvNWLdB2I= RSA 2048 bits (e 65537) / SHA256withRSA
2	Sent by server	R3 Fingerprint SHA256: 67add1166b020ae61b8f5fc96813c04c2aa589960796865572a3c7e737613dfd Pin SHA256: jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0= RSA 2048 bits (e 65537) / SHA256withRSA
3	In trust store	ISRG Root X1 Self-signed Fingerprint SHA256: 96bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c6 Pin SHA256: C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M= RSA 4096 bits (e 65537) / SHA256withRSA
Path #2: Not trusted (invalid certificate [Fingerprint SHA256: 0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739])
1	Sent by server	xxx.domain.com Fingerprint SHA256: c6fd72b49484c6124acd17f5bff8d90bf941200e889d67a607511f72ac429dfd Pin SHA256: thxSHxnuQfCLGcjZzukPDVgDsYMm8Dc7L6KvNWLdB2I= RSA 2048 bits (e 65537) / SHA256withRSA
2	Sent by server	R3 Fingerprint SHA256: 67add1166b020ae61b8f5fc96813c04c2aa589960796865572a3c7e737613dfd Pin SHA256: jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0= RSA 2048 bits (e 65537) / SHA256withRSA
3	Sent by server	ISRG Root X1 Fingerprint SHA256: 6d99fb265eb1c5b3744765fcbc648f3cd8e1bffafdc4c2f99b9d47cf7ff1c24f Pin SHA256: C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M= RSA 4096 bits (e 65537) / SHA256withRSA
4	In trust store	DST Root CA X3 Self-signed Fingerprint SHA256: 0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739 Pin SHA256: Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys= RSA 2048 bits (e 65537) / SHA1withRSA Valid until: Thu, 30 Sep 2021 14:01:15 UTC EXPIRED Weak or insecure signature, but no impact on root certificate

Let's Encrypt Root Zertifikat gültig bis 30.09.2021 (alte R3 / X3 Zertifikatskette)

Top Replies