-
Products
-
SonicPlatform
SonicPlatform is the cybersecurity platform purpose-built for MSPs, making managing complex security environments among multiple tenants easy and streamlined.
Discover More
-
-
Solutions
-
Federal
Protect Federal Agencies and Networks with scalable, purpose-built cybersecurity solutions
Learn MoreFederalProtect Federal Agencies and Networks with scalable, purpose-built cybersecurity solutions
Learn More - Industries
- Use Cases
-
-
Partners
-
Partner Portal
Access to deal registration, MDF, sales and marketing tools, training and more
Learn MorePartner PortalAccess to deal registration, MDF, sales and marketing tools, training and more
Learn More - SonicWall Partners
- Partner Resources
-
-
Support
-
Support Portal
Find answers to your questions by searching across our knowledge base, community, technical documentation and video tutorials
Learn MoreSupport PortalFind answers to your questions by searching across our knowledge base, community, technical documentation and video tutorials
Learn More - Support
- Resources
- Capture Labs
-
- Company
- Contact Us
DPI-SSL not able to negotiate with websites using ISRG Root X1
10/14/2021 
11 People found this article helpful
473,233 Views
Description
When trying to access websites that are using ISRG Root X1 as root certificate through client DPI-SSL, websites fail to load or sometimes browsers show a security warning.
This has been primarily seen with sites using Let's Encrypt as their CA however there have been a few cases using CloudFlare too.
Cause
Security warnings on https sites when certificate is resigned by SonicWall DPI SSL are caused due to failure in certificate chain or if any of the certificate in the chain is expired or if the root certificate is not available in the firewall repository.
Let's Encrypt saw one of its root certificates expired recently, however to correct the issue they obtained a cross-signature from ISRG Root X1 for its own certificate that’s valid for longer than the signing root. Because of this change some clients may need to update or install this new certificate.
Refer: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
Resolution
If Client DPI SSL is in use please follow below steps:
- Verify if ISRG root X1 certificate is available in firewall repository by going to Manage | System Setup | Appliance | Certificate | select View style-All certificates
- If certificate is available, check if it's expired.
- If it's not expired, rebooting the firewall should fix the issue.
- If certificate is not available or expired, please consider importing the Let's Encrypt root certificate and reboot the firewall.
Follow below steps to import certificate:
- Download the TXT file: https://letsencrypt.org/certs/isrgrootx1.pem.txt
- Remove .txt, download .pem file and upload on firewall under Manage | System Setup | Appliance | Certificate
- Reboot the firewall
If DPI-SSL is not in use, the issue is on the client itself and the browser's certificate store.
The following link provides some options under the "Clients (browsers etc)" section to force this rebinding and make the client work correctly https://docs.certifytheweb.com/docs/kb/kb-202109-letsencrypt/#switching-to-chain-2-legacy
ISSUE ID:
GEN6-3058
Related Articles
- How to Block Google QUIC Protocol on SonicOSX 7.0?
- How to block certain Keywords on SonicOSX 7.0?
- How internal Interfaces can obtain Global IPv6 Addresses using DHCPv6 Prefix Delegation
Categories
- Firewalls > TZ Series > DPI-SSL
- Firewalls > NSa Series > Client/Server DPI-SSL
- Firewalls > NSsp Series > Client/Server DPI-SSL
- Firewalls > SonicWall SuperMassive 9000 Series
YES
NO