Problem Background

The currently recommended certificate chain as presented to Let’s Encrypt ACME clients when new certificates are issued contains an intermediate certificate (ISRG Root X1) that is signed by an old DST Root CA X3 certificate that expires on 2021-09-30. In some cases the OpenSSL 1.0.2 version will regard the certificates issued by the Let’s Encrypt CA as having an expired trust chain.

See more information about the currently issued trust chains at Let’s Encrypt.

In normal cases, Netwall users upload both the actual ‘end certificate’ and ‘root certificate’ to the NetWall firewall. In case the certificate were issued by Lets Encrypt, OneConnect client can show following error when trying to connect to the NetWall:

Solution

To overcome above certificate error message, follow the steps below:

Lets Encrypt certificate preparation

1. Make sure that the issued certificate is using the alternate lets encrypt chain - "End-entity certificate ← R3 ← ISRG Root X1"
2. Create a separate certificate files for all Lets Encrypt root, intermediate and actual certificate to be used by NetWall

NetWall configuration

1. Under NetWall's "Objects" -> "Key Ring":
   1. Add 'Certificate' Object for actual Lets Encrypt certificate file (make sure to upload the private key as well)
   2. Add 'Certificate' Object for intermediate Lets Encrypt certificate file
   3. Add 'Certificate' Object for root Lets Encrypt certificate file
2. Under NetWall's "Remote Management Settings" -> "Advance Settings":
   1. Select the actual certificate for the "HTTPS Certificate" setting
   2. Select and add both the intermediate and root certificates for the "HTTPS Root Certificates:" setting
   3. Save and Activate NetWall configuration

Related articles

https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/

https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/