DPI-SSL not able to negotiate with websites using ISRG Root X1
10/14/2021
11 People found this article helpful
418,349 Views
Description
When trying to access websites that are using ISRG Root X1 as root certificate through client DPI-SSL, websites fail to load or sometimes browsers show a security warning.
This has been primarily seen with sites using Let's Encrypt as their CA however there have been a few cases using CloudFlare too.
Cause
Security warnings on https sites when certificate is resigned by SonicWall DPI SSL are caused due to failure in certificate chain or if any of the certificate in the chain is expired or if the root certificate is not available in the firewall repository.
Let's Encrypt saw one of its root certificates expired recently, however to correct the issue they obtained a cross-signature from ISRG Root X1 for its own certificate that’s valid for longer than the signing root. Because of this change some clients may need to update or install this new certificate.
Refer: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
Resolution
If Client DPI SSL is in use please follow below steps:
- Verify if ISRG root X1 certificate is available in firewall repository by going to Manage | System Setup | Appliance | Certificate | select View style-All certificates
- If certificate is available, check if it's expired.
- If it's not expired, rebooting the firewall should fix the issue.
- If certificate is not available or expired, please consider importing the Let's Encrypt root certificate and reboot the firewall.
Follow below steps to import certificate:
- Download the TXT file: https://letsencrypt.org/certs/isrgrootx1.pem.txt
- Remove .txt, download .pem file and upload on firewall under Manage | System Setup | Appliance | Certificate
- Reboot the firewall
If DPI-SSL is not in use, the issue is on the client itself and the browser's certificate store.
The following link provides some options under the "Clients (browsers etc)" section to force this rebinding and make the client work correctly https://docs.certifytheweb.com/docs/kb/kb-202109-letsencrypt/#switching-to-chain-2-legacy
ISSUE ID:
GEN6-3058
Related Articles
Categories
Was This Article Helpful?
YES
NO