TZ 470 with SonicOS 7.0.1-5051 not displaying Let's Encrypt website SSL certificate properly
awolvesf
Newbie ✭
We're having problems configuring our TZ470 to allow updates to SSL certificates on our public website/domain. Note: DPI-SSL is disabled. No systems in our current LAN can access our website without getting a falsely expired SSL alert. Some users can bypass the non-secure notification; others get an HSTS error with no other options.
I show an expiration date of 3/7/2021 on the SSL via Let's Encrypt, but outside users show a valid SSL. I tried importing the intermediary R3 CA Certificate to the SW mgmt portal + rebooting with no luck.
Any other suggestions? Thank you!
Category: Mid Range Firewalls
Answers
@awolvesf - that "public website/domain" exists where, exactly? Is it on a server within your control? If so, have you checked the Certificate store for the expired SSL cert?
Hello @Larry - It is not on a server under our control. The domain name was purchased through a separate service outside of our network and we have a third party handle the website. They do not have access inside our domain either, and after some testing, we've concluded this must be a setting that isn't being properly configured on our primary SonicWall NSA/gateway.
If you enabled SSL Control, look there... Or read the logs.
@TKWITS Nope, SSL Control is disabled. I will check the logs.
Does the server pass SSL certificate checks? e.g. https://www.digicert.com/tools/
@TKWITS It did, yes.
Hi @awolvesf, did you also import the ISRG Root X1 certificate into the SonicWall, not just the R3 one? When the SMA appliances had a similar issue a few months ago, when Let's Encrypt changed their CA, you needed to import both certificates for it to work.
Hi @preston - I did and rebooted the NSA.
Now I have 2 ISRG root certificates on there, but I am unable to delete the built-in one.
@awolvesf
Did you reboot your unit and run the test? I also faced the same issue, and support told me to reboot and check; after the reboot it worked fine.
This issue was resolved after adding both Let's Encrypt certificates and adding another DNS entry for the CORRECTED website IP address. Thanks everyone!
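The resolution above has two independent parts: a stale DNS answer inside the LAN (an old IP still serving an old certificate) and a missing Let's Encrypt chain on the firewall. The script below, an added example that is not SonicWall's or the poster's code, separates the two from any LAN host: it compares what the local resolver returns against the IPs an outside lookup returns, then connects to each local IP with SNI and reports whether the served leaf is expired or issued by someone other than Let's Encrypt. HOST, PORT and EXPECTED_PUBLIC_IPS are placeholders; it assumes the openssl command-line tool is installed.

```python
"""Check, from a LAN host, whether a site's TLS certificate and DNS answer match what
the outside world sees. Added example for the thread above, not SonicWall's or the
poster's code."""
import socket
import ssl
import subprocess
import time

# Placeholders (assumptions, not values from the thread).
HOST = "www.example.com"
PORT = 443
# Fill in from a lookup done outside the LAN (phone off Wi-Fi, a public resolver, ...).
EXPECTED_PUBLIC_IPS = {"203.0.113.10"}


def resolve_here(host, port=PORT):
    """IPv4 addresses the LAN's own resolver (firewall or internal DNS) hands out."""
    infos = socket.getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def parse_x509_fields(text):
    """Pull notAfter and issuer out of `openssl x509 -noout -enddate -issuer` output."""
    fields = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields["notAfter"], fields["issuer"]


def fetch_leaf_fields(host, ip, port=PORT):
    """Connect to one specific IP with SNI=host and return (notAfter, issuer) of the leaf.

    The openssl CLI (assumed installed) is used instead of Python's ssl module because
    getpeercert() returns an empty dict when verification is disabled, and verification
    must be disabled to inspect a certificate that has already expired."""
    s_client = subprocess.run(
        ["openssl", "s_client", "-connect", f"{ip}:{port}", "-servername", host],
        input="", capture_output=True, text=True, timeout=15)
    x509 = subprocess.run(
        ["openssl", "x509", "-noout", "-enddate", "-issuer"],
        input=s_client.stdout, capture_output=True, text=True, check=True)
    return parse_x509_fields(x509.stdout)


def diagnose(local_ips, expected_public_ips, not_after, issuer,
             expected_issuer="Let's Encrypt", now_epoch=None):
    """Explain why LAN users see an 'expired' certificate while outsiders do not.

    Returns a list of findings; an empty list means the DNS answer and the served
    certificate are consistent with the outside view."""
    now = time.time() if now_epoch is None else now_epoch
    findings = []
    if not (local_ips & expected_public_ips):
        findings.append("DNS mismatch: LAN resolves to %s but the outside sees %s"
                        % (sorted(local_ips), sorted(expected_public_ips)))
    # notAfter comes in openssl's "%b %d %H:%M:%S %Y GMT" form, which the stdlib parses.
    expiry = ssl.cert_time_to_seconds(not_after)
    if expiry < now:
        findings.append("served certificate expired on %s"
                        % time.strftime("%Y-%m-%d", time.gmtime(expiry)))
    if expected_issuer not in issuer:
        findings.append("served certificate issuer is %r, not %s" % (issuer, expected_issuer))
    return findings


if __name__ == "__main__":
    local_ips = resolve_here(HOST)
    for ip in sorted(local_ips):
        not_after, issuer = fetch_leaf_fields(HOST, ip)
        findings = diagnose(local_ips, EXPECTED_PUBLIC_IPS, not_after, issuer)
        if not findings:
            findings = ["consistent with the outside view"]
        for finding in findings:
            print(f"{ip}: {finding}")
```

If the DNS mismatch finding appears, the fix belongs in the internal resolver (on a SonicWall that includes any DNS entries configured on the unit itself), and importing CA certificates cannot help, because clients are being sent to the wrong host. If only the expiry or issuer finding appears on the correct IP, the web server itself is serving the old certificate. A clean result on the correct IP, combined with browsers still warning, points at the trust chain on the device doing the inspecting, which is where the ISRG Root X1 and R3 imports from the thread come in.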