Let’s Encrypt: Unexpected certificate warnings

In May 2021, Let’s Encrypt published a note about the expiration of its DST Root CA X3:
https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

Now that this root certificate has expired (2021-09-30), your systems might issue a warning when connecting to sites using Let’s Encrypt certificates.

To fix this on a general client, follow the instructions at the link above:

  • Ensure that the involved systems trust the ISRG Root X1 CA
  • If such systems depend on OpenSSL, ensure that they’re using version 1.1.0 or later
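The two points above describe one failure mode: OpenSSL before 1.1.0 follows the served chain to its end and then hits the expired DST Root CA X3, while 1.1.0 and later stop as soon as they reach a trusted ISRG Root X1. The following simplified Python model of both path-building strategies is an added illustration, not code from the original post or from Let’s Encrypt; the CA names and expiry dates are the real ones, but the Cert records and the leaf certificate are constructed stand-ins.

```python
# Simplified model of X.509 path building; an added illustration, not code from the post.
# CA names and expiry dates are the real ones; the Cert records are constructed stand-ins.
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: date

LEAF = Cert("www.example.org", "R3", date(2021, 12, 31))  # constructed leaf certificate
R3 = Cert("R3", "ISRG Root X1", date(2025, 9, 15))
ISRG_X1_CROSS = Cert("ISRG Root X1", "DST Root CA X3", date(2024, 9, 30))  # cross-signed
ISRG_X1_SELF = Cert("ISRG Root X1", "ISRG Root X1", date(2035, 6, 4))
DST_X3 = Cert("DST Root CA X3", "DST Root CA X3", date(2021, 9, 30))

SERVED_CHAIN = [LEAF, R3, ISRG_X1_CROSS]  # default chain Let's Encrypt servers sent in 2021
STORE_2021 = {c.subject: c for c in (ISRG_X1_SELF, DST_X3)}  # store holding old and new root
STORE_STALE = {DST_X3.subject: DST_X3}  # store that never received ISRG Root X1
BEFORE, AFTER = date(2021, 9, 1), date(2021, 10, 1)  # verification dates around the expiry

def verify_legacy(chain, store, today):
    """OpenSSL 1.0.x: walk the whole served chain, then look up the last cert's issuer in the store."""
    for cert in chain:
        if cert.not_after < today:
            return False, f"{cert.subject} expired"
    root = store.get(chain[-1].issuer)
    if root is None:
        return False, f"no trusted issuer for {chain[-1].subject}"
    if root.not_after < today:
        return False, f"{root.subject} expired"
    return True, root.subject

def verify_trusted_first(chain, store, today):
    """OpenSSL 1.1.0+: prefer a trust-store anchor at every step, so DST Root CA X3 is never consulted."""
    for cert in chain:
        if cert.not_after < today:
            return False, f"{cert.subject} expired"
        anchor = store.get(cert.issuer)
        if anchor is not None:
            if anchor.not_after < today:
                return False, f"{anchor.subject} expired"
            return True, anchor.subject
    return False, f"no trusted issuer for {chain[-1].subject}"

if __name__ == "__main__":
    print("legacy:       ", verify_legacy(SERVED_CHAIN, STORE_2021, AFTER))
    print("trusted-first:", verify_trusted_first(SERVED_CHAIN, STORE_2021, AFTER))
    print("stale store:  ", verify_trusted_first(SERVED_CHAIN, STORE_STALE, AFTER))
```

The stale-store case shows that a new OpenSSL alone is not enough: without ISRG Root X1 in the trust store, trusted-first path building also ends at the expired DST Root CA X3.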

FortiGate

Fortinet has released an informative blog article with background information about this issue and an outlook for a longer-term solution.

FortiGates are reportedly affected by this issue when policies run in proxy-based mode with any kind of certificate inspection, or in flow-based mode with deep inspection.


Fortinet currently recommends the following workaround (referred to as DNS blackholing):
Make a backup first: at the top right, click your profile > Config > Backup.

# Manually trigger a definitions update
execute update-now

# Verify that at least the Certificate Bundle 1.28 got installed
diagnose autoupdate versions | grep -A5 '^Cert'
Certificate Bundle
---------
Version: 1.00028

# Block access to apps.identrust.com by adding a DNS blackhole
config system dns-database
  edit 0
    set domain "identrust.com"
    set authoritative disable
    config dns-entry
      edit 0
        set hostname "apps"
        set ip 127.0.0.1
      next
    end
  next
end

# Note: Once apps.identrust.com stops sending the expired CA Certificate the above configuration can be removed.
# Note: By setting "set authoritative disable" other FQDNs like commercial.ocsp.identrust.com can still be resolved.


With DNS blackholing in place, you can revert any of the previous workarounds:

1. Use flow-based web filtering. Note: the firewall policy must also be in flow mode for this to work. This workaround does not work if deep inspection is enabled.

2. Alternatively, in the SSL Inspection Profile > Invalid Certificate, choose «Custom» and allow «Expired Certificate» in the interim (use this with caution).
