Lets Encrypt - error 9814 - chain had an expired certs

Last modified on 13 Oct, 2021. Revision 15
This article describes the steps required to install a Let's Encrypt certificate on a Clavister NetWall firewall in order to work around the errors caused by the expiry of the Let's Encrypt root certificate "DST Root CA X3", which affect OneConnect clients establishing SSL VPN tunnels to the NetWall.
Up to date for
cOS Core 13.00.09
OneConnect 2.02.00
Status OK
Author
Firas Aladhami


Problem Background

The certificate chain currently recommended and presented to Let's Encrypt ACME clients when new certificates are issued contains an intermediate certificate (ISRG Root X1) that is signed by the old DST Root CA X3 certificate, which expires on 2021-09-30. In some cases OpenSSL 1.0.2 will therefore regard certificates issued by the Let's Encrypt CA as having an expired trust chain.

See more information about the currently issued trust chains at Let’s Encrypt.


Normally, NetWall users upload both the actual 'end certificate' and the 'root certificate' to the NetWall firewall. When the certificate was issued by Let's Encrypt, the OneConnect client can show the following error when trying to connect to the NetWall:

Solution

To overcome the certificate error message above, follow the steps below:

Lets Encrypt certificate preparation

  1. Make sure that the issued certificate uses the alternate Let's Encrypt chain: "End-entity certificate ← R3 ← ISRG Root X1"
  2. Create separate certificate files for the Let's Encrypt root, intermediate and actual (end-entity) certificate, to be used by the NetWall
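
As an added example (not part of this article or Clavister's own tooling), the POSIX shell functions below split a Let's Encrypt `fullchain.pem` bundle into one PEM file per certificate, ready for upload as separate Key Ring objects, and then use `openssl` (assumed to be installed) to print each certificate's subject, issuer and expiry and to flag any certificate still signed by the expired DST Root CA X3. The file names `fullchain.pem` and `cert-N.pem` are assumptions.

```shell
#!/bin/sh
# split_chain BUNDLE OUTDIR
# Writes every certificate found in BUNDLE to OUTDIR/cert-1.pem, cert-2.pem, ...
# (first file is the end-entity certificate, the rest are the chain as sent by
# the ACME client) and prints the number of certificates written.
split_chain() {
  bundle="$1"
  outdir="$2"
  mkdir -p "$outdir"
  awk -v dir="$outdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
    inside { print > out }
    /-----END CERTIFICATE-----/ { close(out); inside = 0 }
    END { print n + 0 }
  ' "$bundle"
}

# check_chain OUTDIR
# Shows subject, issuer and expiry of each split certificate and returns 1 if
# any of them is issued by "DST Root CA X3", i.e. the default chain was used
# instead of the alternate chain ending in ISRG Root X1.
check_chain() {
  status=0
  for f in "$1"/cert-*.pem; do
    printf '== %s\n' "$f"
    openssl x509 -in "$f" -noout -subject -issuer -enddate
    if openssl x509 -in "$f" -noout -issuer | grep -q 'DST Root CA X3'; then
      printf 'WARNING: %s is signed by the expired DST Root CA X3\n' "$f" >&2
      status=1
    fi
  done
  return $status
}

# Example use (assumed paths):
#   split_chain /etc/letsencrypt/live/vpn.example.com/fullchain.pem ./split
#   check_chain ./split
```

Upload `cert-1.pem` together with its private key as the actual certificate, and the remaining files as the intermediate and root certificate objects.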

NetWall configuration

  1. Under NetWall's "Objects" -> "Key Ring":
    1. Add a 'Certificate' object for the actual Let's Encrypt certificate file (make sure to upload the private key as well)
    2. Add a 'Certificate' object for the intermediate Let's Encrypt certificate file
    3. Add a 'Certificate' object for the root Let's Encrypt certificate file
  2. Under NetWall's "Remote Management Settings" -> "Advance Settings":
    1. Select the actual certificate for the "HTTPS Certificate" setting
    2. Select and add both the intermediate and root certificates for the "HTTPS Root Certificates:" setting
    3. Save and activate the NetWall configuration

Related articles

https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/

https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
