Let's Encrypt - error 9814 - chain had an expired cert
Last modified on 13 Oct, 2021. Revision 15
Up to date for | cOS Core 13.00.09, OneConnect 2.02.00 |
Status | OK |
Author | Firas Aladhami |
Problem Background
The certificate chain currently recommended by Let's Encrypt, and presented to ACME clients when new certificates are issued, contains a cross-signed ISRG Root X1 certificate (acting as an intermediate) that is signed by the old DST Root CA X3 certificate, which expires on 2021-09-30. In some cases OpenSSL 1.0.2 will treat certificates issued by the Let's Encrypt CA as having an expired trust chain.
See Let's Encrypt's documentation for more information about the currently issued trust chains.
Normally, NetWall users upload both the actual end-entity certificate and the root certificate to the NetWall firewall. When the certificate was issued by Let's Encrypt, the OneConnect client can show the following error when trying to connect to the NetWall:
Solution
To overcome the certificate error message above, follow the steps below:
Let's Encrypt certificate preparation
- Make sure that the issued certificate uses the alternate Let's Encrypt chain: "End-entity certificate ← R3 ← ISRG Root X1"
- Create separate certificate files for the Let's Encrypt root, intermediate and end-entity certificates to be used by NetWall
NetWall configuration
- Under NetWall's "Objects" -> "Key Ring":
  - Add a 'Certificate' object for the actual Let's Encrypt end-entity certificate file (make sure to upload the private key as well)
  - Add a 'Certificate' object for the intermediate Let's Encrypt certificate file
  - Add a 'Certificate' object for the root Let's Encrypt certificate file
- Under NetWall's "Remote Management Settings" -> "Advanced Settings":
  - Select the end-entity certificate for the "HTTPS Certificate" setting
  - Select and add both the intermediate and root certificates for the "HTTPS Root Certificates" setting
- Save and Activate the NetWall configuration
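The preparation steps above require one PEM file per certificate and a check that the bundle is the alternate chain. The following script is an added example, not part of the Clavister article or the NetWall product: it splits a PEM bundle (for example a certbot fullchain.pem, assumed leaf-first) into cert-1.pem, cert-2.pem, ... and then prints each certificate's subject and issuer with openssl so you can confirm no issuer is DST Root CA X3 before uploading the files to the Key Ring.

```shell
#!/bin/sh
# Added example (not from the article): split a PEM bundle into one file per
# certificate and show the chain so the alternate Let's Encrypt chain can be
# verified. Assumptions: the bundle is PEM, leaf certificate first, and
# openssl is only needed by show_chain, not by split_chain.

# split_chain BUNDLE OUTDIR -> writes OUTDIR/cert-1.pem, cert-2.pem, ...
# and prints the number of certificates written to stdout.
split_chain() {
  bundle=$1; outdir=$2
  mkdir -p "$outdir"
  awk -v dir="$outdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
    inside { print > out }                 # copy only lines inside a cert block
    /-----END CERTIFICATE-----/ { inside = 0; close(out) }
    END { print n + 0 }                    # 0 if the file held no certificate
  ' "$bundle"
}

# show_chain OUTDIR -> one line per split certificate: file, subject, issuer.
# The alternate chain ends at "ISRG Root X1" and must not show an issuer of
# "DST Root CA X3"; that issuer means the bundle still carries the
# cross-signed ISRG Root X1 from the default chain the article warns about.
show_chain() {
  for f in "$1"/cert-*.pem; do
    printf '%s: %s | %s\n' "$f" \
      "$(openssl x509 -in "$f" -noout -subject)" \
      "$(openssl x509 -in "$f" -noout -issuer)"
  done
}

# Usage: ./split_chain.sh /path/to/fullchain.pem ./netwall-certs
if [ $# -eq 2 ]; then
  n=$(split_chain "$1" "$2")
  echo "wrote $n certificate file(s) to $2"
  show_chain "$2"
fi
```

Upload cert-1.pem (with its private key) as the end-entity Certificate object and the remaining files as the intermediate and root objects.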
Related articles
https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/