Lets Encrypt - error 9814 - chain had an expired certs

Last modified on 13 Oct, 2021. Revision 15
This article explains the steps required to install a Let's Encrypt certificate on Clavister's NetWall firewall to overcome the issue caused by the expiry of the Let's Encrypt root certificate "DST Root CA X3", which generates errors for OneConnect clients establishing SSL VPN tunnels to the NetWall.
Up to date for
cOS Core 13.00.09
OneConnect 2.02.00
Status OK
Author
Firas Aladhami


Problem Background

The currently recommended certificate chain, as presented to Let’s Encrypt ACME clients when new certificates are issued, contains an intermediate certificate (ISRG Root X1) that is signed by the old DST Root CA X3 certificate, which expires on 2021-09-30. In some cases OpenSSL 1.0.2 will regard certificates issued by the Let’s Encrypt CA as having an expired trust chain.

See Let’s Encrypt's documentation for more information about the currently issued trust chains.


In normal cases, NetWall users upload both the actual ‘end certificate’ and the ‘root certificate’ to the NetWall firewall. If the certificate was issued by Let's Encrypt, the OneConnect client can show the following error when trying to connect to the NetWall:

Solution

To overcome the certificate error message above, follow the steps below:

Lets Encrypt certificate preparation

  1. Make sure that the issued certificate uses the alternate Let's Encrypt chain: "End-entity certificate ← R3 ← ISRG Root X1"
  2. Create separate certificate files for the Let's Encrypt root, intermediate and end-entity (actual) certificates to be used by NetWall
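
As an added example (not part of the original article), the POSIX shell functions below split the bundle an ACME client writes (typically fullchain.pem) into one PEM file per certificate for step 2 and, where openssl is available, print each certificate's subject, issuer and expiry so you can confirm that the chain is the alternate one and contains no expired DST Root CA X3 certificate. The file names and output directory are assumptions.

```shell
#!/bin/sh
# Split a PEM bundle (e.g. fullchain.pem from an ACME client) into one file per
# certificate: <outdir>/cert-1.pem, cert-2.pem, ... in bundle order
# (end-entity first, then intermediate, then root if present).
# Prints the number of certificates written.
split_pem_bundle() {
    bundle="$1"; outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%d.pem", dir, n) }
        n > 0 { print > out }
        /-----END CERTIFICATE-----/ { close(out) }
        END { print n + 0 }
    ' "$bundle"
}

# Show subject, issuer and expiry of every split certificate and flag any that
# has already expired or that was issued by DST Root CA X3 (the long chain).
# Requires openssl; the split step above does not.
inspect_chain() {
    dir="$1"
    for f in "$dir"/cert-*.pem; do
        [ -f "$f" ] || continue
        echo "== $f"
        openssl x509 -in "$f" -noout -subject -issuer -enddate
        if ! openssl x509 -in "$f" -noout -checkend 0 >/dev/null; then
            echo "   WARNING: this certificate has already expired"
        fi
        if openssl x509 -in "$f" -noout -issuer | grep -q 'DST Root CA X3'; then
            echo "   WARNING: issued by DST Root CA X3; request the alternate chain"
        fi
    done
}

# Usage (paths are assumptions):
#   split_pem_bundle /etc/letsencrypt/live/vpn.example.com/fullchain.pem ./split
#   inspect_chain ./split
```

Upload the resulting files to the NetWall as separate Certificate objects, with the end-entity certificate paired with its private key.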

NetWall configuration

  1. Under NetWall's "Objects" -> "Key Ring":
    1. Add a 'Certificate' object for the actual (end-entity) Let's Encrypt certificate file (make sure to upload the private key as well)
    2. Add a 'Certificate' object for the intermediate Let's Encrypt certificate file
    3. Add a 'Certificate' object for the root Let's Encrypt certificate file
  2. Under NetWall's "Remote Management Settings" -> "Advance Settings":
    1. Select the actual certificate for the "HTTPS Certificate" setting
    2. Select and add both the intermediate and root certificates for the "HTTPS Root Certificates:" setting
    3. Save and activate the NetWall configuration

Related articles

https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/

https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/