DPI-SSL not able to negotiate with websites using ISRG Root X1

Description

When a client behind Client DPI-SSL accesses a website whose certificate chain ends in ISRG Root X1, the site fails to load, or the browser shows a security warning.

This has mainly been seen with sites using Let's Encrypt as their CA; however, a few cases involving CloudFlare have also been reported.

Cause

Security warnings on HTTPS sites whose certificate is re-signed by SonicWall DPI-SSL are caused by a failure to build the original server's certificate chain: an intermediate or root certificate that is missing from the firewall's certificate repository, or a certificate in the chain that has expired. Because the firewall, not the browser, validates the original chain before re-signing it, the root must be present and unexpired in the firewall's own repository; what the browser's certificate store trusts does not matter at this stage.

One of the roots in the default Let's Encrypt chain, DST Root CA X3, expired on 30 September 2021. To keep older clients working, Let's Encrypt had its own root, ISRG Root X1, cross-signed by DST Root CA X3 with a validity period that extends beyond DST Root CA X3's own expiry, and kept that cross-signed certificate in the default chain it serves. A verifier that already trusts ISRG Root X1 as a self-signed root builds its chain to that root and ignores the expired cross-sign; a verifier without ISRG Root X1 in its store follows the chain up to the expired DST Root CA X3 and rejects it. Because of this change some clients, including the firewall's DPI-SSL certificate repository, may need to install or update the ISRG Root X1 certificate.
Refer: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
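The chain failure described above, reproduced with a constructed mini-PKI. This is an added example, not part of the original SonicWall article and not Let's Encrypt material: it builds a throwaway "old root" that expires, a long-lived "new root" that is also cross-signed by the old root, an intermediate and a server leaf, and then runs openssl verify against different trust stores, using -attime to evaluate the chain after the old root has expired. All names (old_root, new_root, www.example.test) are local stand-ins for DST Root CA X3, ISRG Root X1, R3 and a Let's Encrypt-issued site; only the openssl command-line tool is required.

```shell
#!/bin/sh
# Constructed mini-PKI with the shape of the Let's Encrypt chain:
#   leaf <- intermediate (R3) <- new root (ISRG Root X1)
#   ...and the new root is ALSO cross-signed by an old root (DST Root CA X3).
# Everything here is generated locally; no real CA material is involved.
set -e
work=$(mktemp -d)
cd "$work"

# Minimal config so the example does not depend on the system openssl.cnf.
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
EOF

newkey() { openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1" 2>/dev/null; }

# Old root (stands in for DST Root CA X3): self-signed, deliberately valid for 1 day only.
newkey old_root.key
openssl req -x509 -new -key old_root.key -config pki.cnf -extensions v3_ca -days 1 \
  -subj "/CN=Old Root (stand-in for DST Root CA X3)" -out old_root.pem

# New root (stands in for ISRG Root X1): self-signed, long-lived.
newkey new_root.key
openssl req -x509 -new -key new_root.key -config pki.cnf -extensions v3_ca -days 3650 \
  -subj "/CN=New Root (stand-in for ISRG Root X1)" -out new_root.pem

# Cross-sign: same key and subject as the new root, but issued by the OLD root,
# with a lifetime that outlives the old root (what Let's Encrypt did for ISRG Root X1).
openssl req -new -key new_root.key -config pki.cnf \
  -subj "/CN=New Root (stand-in for ISRG Root X1)" -out new_root.csr
openssl x509 -req -in new_root.csr -CA old_root.pem -CAkey old_root.key -set_serial 1001 \
  -days 365 -extfile pki.cnf -extensions v3_ca -out new_root_cross.pem 2>/dev/null

# Intermediate (stands in for R3) issued by the new root, then a server leaf under it.
newkey int.key
openssl req -new -key int.key -config pki.cnf -subj "/CN=Intermediate (stand-in for R3)" -out int.csr
openssl x509 -req -in int.csr -CA new_root.pem -CAkey new_root.key -set_serial 2001 \
  -days 100 -extfile pki.cnf -extensions v3_ca -out int.pem 2>/dev/null
newkey leaf.key
openssl req -new -key leaf.key -config pki.cnf -subj "/CN=www.example.test" -out leaf.csr
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -set_serial 3001 \
  -days 30 -extfile pki.cnf -extensions v3_leaf -out leaf.pem 2>/dev/null

# What the server sends alongside the leaf: intermediate + cross-signed new root
# (the default Let's Encrypt chain shape). The verifier must supply the root itself.
cat int.pem new_root_cross.pem > sent_chain.pem

# verify_with <trust-store-file> [epoch-seconds]: exit 0 if the leaf validates
# against that store, optionally evaluated at a chosen point in time.
verify_with() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$1" -untrusted sent_chain.pem -attime "$2" leaf.pem >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" -untrusted sent_chain.pem leaf.pem >/dev/null 2>&1
  fi
}

# "After the old root has expired": two days from now (old root is valid for one day).
after_expiry=$(( $(date +%s) + 2 * 86400 ))

report() { if verify_with "$2" $3; then echo "OK   : $1"; else echo "FAIL : $1"; fi; }
report "today, store has only the OLD root (pre-expiry situation)"                old_root.pem
report "after expiry, store has only the OLD root (repository lacks ISRG Root X1)" old_root.pem "$after_expiry"
report "after expiry, store has the NEW root (ISRG Root X1 imported)"               new_root.pem "$after_expiry"
cat old_root.pem new_root.pem > both_roots.pem
report "after expiry, store has both roots (verifier prefers the trusted new root)" both_roots.pem "$after_expiry"
```

The second case is the firewall's situation: a repository without ISRG Root X1 can only follow the sent chain up to the expired root and fails. The third and fourth cases show that importing the self-signed ISRG Root X1 fixes validation even if the expired root is still present, which is why the fix in this article is an import rather than a removal. The same tool checks the file you download in the Resolution steps before uploading it: `openssl x509 -in isrgrootx1.pem -noout -subject -issuer -enddate -fingerprint -sha256` should report a self-signed ISRG Root X1 with a Not After date in 2035 and a SHA-256 fingerprint matching the one published on letsencrypt.org/certificates.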

Resolution

If Client DPI-SSL is in use, follow the steps below:

  1. Verify that the ISRG Root X1 certificate is present in the firewall's repository: go to Manage | System Setup | Appliance | Certificate and set View style to All certificates.
  2. If the certificate is present, check whether it has expired. If it has not expired, reboot the firewall; this should fix the issue.
  3. If the certificate is missing or expired, import the Let's Encrypt root certificate (ISRG Root X1) as described below and reboot the firewall.

Follow the steps below to import the certificate:

  1. Download the root certificate from Let's Encrypt: https://letsencrypt.org/certs/isrgrootx1.pem.txt (the file is served with a .txt extension).
  2. Rename the downloaded file to isrgrootx1.pem (drop the .txt extension) and upload it on the firewall under Manage | System Setup | Appliance | Certificate.
  3. Reboot the firewall.

If DPI-SSL is not in use, the firewall is not re-signing the connection and the issue lies with the client itself, in the browser's (or operating system's) certificate store.

The following page lists options under its "Clients (browsers etc)" section for making such clients trust ISRG Root X1 and validate the new chain correctly: https://docs.certifytheweb.com/docs/kb/kb-202109-letsencrypt/#switching-to-chain-2-legacy

Related Articles

  • SonicOS 8.1.0 FAQ
  • SonicWall GEN8 TZs and GEN8 NSas Settings Migration
  • Getting started with SonicWall firewalls