TZ 470 with SonicOS 7.0.1-5051 not displaying Let's Encrypt website SSL certificate properly

We're having problems configuring our TZ470 to allow updates to SSL certificates on our public website/domain. Note: DPI-SSL is disabled. No systems in our current LAN can access our website without getting a falsely expired SSL alert. Some users can bypass the non-secure notification; others get an HSTS error with no other options.

I show an expiration date of 3/7/2021 on the SSL via Let's Encrypt, but outside users show a valid SSL. I tried importing the intermediary R3 CA Certificate to the SW mgmt portal + rebooting with no luck.

Any other suggestions? Thank you!


Category: Mid Range Firewalls

Answers

  • Larry All-Knowing Sage ✭✭✭✭

    @awolvesf - that "public website/domain" exists where, exactly? Is it on a server within your control? If so, have you checked the Certificate store for the expired SSL cert?

  • awolvesf Newbie ✭

    Hello @Larry - It is not on a server under our control. The domain name was purchased through a separate service outside of our network and we have a third party handle the website. They do not have access inside our domain either, and after some testing, we've concluded this must be a setting that isn't being properly configured on our primary SonicWall NSA/gateway.

  • TKWITS Community Legend ✭✭✭✭✭

    If you enabled SSL Control look there... Or read the logs.

  • awolvesf Newbie ✭

    @TKWITS Nope, SSL Control is disabled. I will check the logs.

  • TKWITS Community Legend ✭✭✭✭✭

    Does the server pass SSL certificate checks? e.g. https://www.digicert.com/tools/

  • awolvesf Newbie ✭

    @TKWITS It did, yes.

  • preston Enthusiast ✭✭

    Hi @awolvesf, did you also import the ISRG Root X1 Certificate into the SonicWall, not just the R3 one? When the SMA appliances had a similar issue a few months ago, when Let's Encrypt changed their CA, you needed to import both certificates for it to work.

  • awolvesf Newbie ✭

    Hi @preston - I did and rebooted the NSA.

    Now I have 2 ISRG root certificates on there, but I am unable to delete the built-in one.

  • Ajishlal All-Knowing Sage ✭✭✭✭

    @awolvesf

    Did you reboot your unit and do the test? I also faced the same issue, and support told me to reboot and check, and after the reboot it worked fine.

  • awolvesf Newbie ✭

    This issue was resolved after adding both Let's Encrypt certificates and adding another DNS entry for the CORRECTED website IP address. Thanks everyone!
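
The resolution above came down to LAN clients reaching a different IP address than outside users did. The following is an added example, not part of the thread and not SonicWall code: it compares the certificate served at the addresses the local resolver returns with the one served at addresses supplied from an outside lookup. The function names, sample IPs and fingerprints are constructed for illustration.

```python
import hashlib, socket, ssl, sys

def probe(hostname, ip, port=443, timeout=5.0):
    """Return (sha256 of the leaf cert served at ip for SNI hostname, verify result)."""
    # Pass 1: no verification, only capture the certificate actually served.
    raw = ssl.create_default_context()
    raw.check_hostname = False
    raw.verify_mode = ssl.CERT_NONE
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        with raw.wrap_socket(sock, server_hostname=hostname) as tls:
            der = tls.getpeercert(binary_form=True)
    # Pass 2: default verification, to record why a client would reject it.
    verdict = "ok"
    try:
        with socket.create_connection((ip, port), timeout=timeout) as sock:
            with ssl.create_default_context().wrap_socket(sock, server_hostname=hostname):
                pass
    except ssl.SSLCertVerificationError as exc:
        verdict = exc.verify_message
    return hashlib.sha256(der).hexdigest(), verdict

def diagnose(hostname, internal, public):
    """internal/public: {ip: (fingerprint, verdict)} as returned by probe()."""
    findings = []
    for ip in sorted(set(internal) - set(public)):
        findings.append(f"{hostname}: internal DNS returns {ip}, absent from the public answer")
    public_fps = {fp for fp, _ in public.values()}
    for ip, (fp, verdict) in sorted(internal.items()):
        if fp not in public_fps:
            findings.append(f"{ip} serves a different certificate than the public site")
        if verdict != "ok":
            findings.append(f"{ip} fails verification: {verdict}")
    return findings

# Constructed sample data (documentation IP ranges, made-up fingerprints).
SAMPLE_INTERNAL = {"192.0.2.10": ("aa" * 32, "certificate has expired")}
SAMPLE_PUBLIC = {"198.51.100.20": ("bb" * 32, "ok")}

if __name__ == "__main__":
    if len(sys.argv) >= 3:  # usage: script.py HOSTNAME PUBLIC_IP [PUBLIC_IP ...]
        host, public_ips = sys.argv[1], sys.argv[2:]
        local = {ai[4][0] for ai in socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)}
        internal = {ip: probe(host, ip) for ip in sorted(local)}
        public = {ip: probe(host, ip) for ip in public_ips}
    else:
        host, internal, public = "www.example.com", SAMPLE_INTERNAL, SAMPLE_PUBLIC
    print("\n".join(diagnose(host, internal, public)) or "internal and public views agree")
```

The verify result reflects the trust store of the machine running the script, so run it from a LAN client that shows the expired-certificate alert.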
