DPI-SSL not able to negotiate with websites using ISRG Root X1
10/14/2021 2 675
When trying to access websites that are using ISRG Root X1 as root certificate through client DPI-SSL, websites fail to load or sometimes browsers show a security warning.
This has been primarily seen with sites using Let's Encrypt as their CA however there have been a few cases using CloudFlare too.
Security warnings on https sites when certificate is resigned by SonicWall DPI SSL are caused due to failure in certificate chain or if any of the certificate in the chain is expired or if the root certificate is not available in the firewall repository.
Let's Encrypt saw one of its root certificates expired recently, however to correct the issue they obtained a cross-signature from ISRG Root X1 for its own certificate that’s valid for longer than the signing root. Because of this change some clients may need to update or install this new certificate. Refer: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
If Client DPI SSL is in use please follow below steps:
Verify if ISRG root X1 certificate is available in firewall repository by going to Manage | System Setup | Appliance | Certificate | select View style-All certificates
If certificate is available, check if it's expired.
If it's not expired, rebooting the firewall should fix the issue.
If certificate is not available or expired, please consider importing the Let's Encrypt root certificate and reboot the firewall.