Incomplete Certificate Chain (YE2 Intermediate CA) on Sophos Firewall Let's Encrypt Certificates

Hello everyone,

Yesterday I came across a discussion regarding pfSense, and it appears that the same issue may also affect Sophos Firewalls using the Let's Encrypt module.

Using the WAF, which is leveraged by the Let's Encrypt engine for SSL certificate issuance, I am able to successfully request and deploy certificates. The certificates appear to work correctly in web browsers and on iOS devices without any issues.

However, Android devices as well as the Qualys SSL Labs test report that the certificate chain is incomplete. In my case, the missing or incomplete intermediate CA seems to be YE2.

Has anyone experienced the same issue, and what is the recommended way to properly include the required intermediate CA in the certificate chain so that Android devices and SSL validation tools no longer report an incomplete chain?

Thank you in advance for your help.

You might be better served by Sophos' support; from a quick look, it appears that there's already a workaround until the next update.

https://community.sophos.com/sophos-xg-firewall/f/discussions/151226/sophos-xg---let-s-encrypt-chain-is-incomplete

Max's link looks like the right track. The symptom also fits a server sending only the leaf cert (or the wrong chain) while browsers fill in the missing intermediate from cache/AIA, but Android and SSL Labs do not. If Sophos lets you inspect the deployed bundle, check that it is using the fullchain/certificate-chain output, not just the issued certificate; otherwise the Sophos workaround/support path is probably the safest fix.
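As an added illustration of the check described in the last reply (example code written for this thread, not from any poster, from Sophos or from Let's Encrypt): the script below parses the "Certificate chain" listing that `openssl s_client -connect host:443 -showcerts` prints and reports whether the served certificates link up to a trusted root, which is what Android and SSL Labs require and what browsers paper over by fetching the intermediate themselves. The two chain listings and the trusted-root set are constructed samples with placeholder CA names; the real subject and issuer names on a Let's Encrypt chain will differ. The last helper counts certificates in a PEM bundle, so you can tell a bare `cert.pem` (one certificate) from a `fullchain.pem` (leaf plus intermediates) before uploading it to the firewall.

```python
import re

# Constructed sample of the "Certificate chain" section that
# `openssl s_client -showcerts` prints (OpenSSL 3.x formatting).
# Subject/issuer names are placeholders, not real CAs.
INCOMPLETE_CHAIN = """\
Certificate chain
 0 s:CN = vpn.example.invalid
   i:C = XX, O = Example CA, CN = Example Intermediate
"""

COMPLETE_CHAIN = """\
Certificate chain
 0 s:CN = vpn.example.invalid
   i:C = XX, O = Example CA, CN = Example Intermediate
 1 s:C = XX, O = Example CA, CN = Example Intermediate
   i:C = XX, O = Example CA, CN = Example Root
"""

# Constructed stand-in for the client's trust store: subjects of the
# roots a client already trusts. Roots are not expected to be served.
TRUSTED_ROOTS = {"C = XX, O = Example CA, CN = Example Root"}

_SUBJ = re.compile(r"^\s*(\d+)\s+s:(.*)$")
_ISS = re.compile(r"^\s+i:(.*)$")


def parse_chain(s_client_output):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain = []
    subject = None
    for line in s_client_output.splitlines():
        m = _SUBJ.match(line)
        if m:
            subject = m.group(2).strip()
            continue
        m = _ISS.match(line)
        if m and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain


def check_chain(chain, trusted_roots):
    """Walk the served chain the way a client without AIA fetching does:
    each certificate's issuer must be the subject of the next served
    certificate, and the final issuer must be a root the client trusts.
    Returns (ok, missing_issuer_or_None)."""
    if not chain:
        return False, None
    for (_, issuer), (next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            return False, issuer      # served certificates do not link up
    last_issuer = chain[-1][1]
    if last_issuer in trusted_roots:
        return True, None
    return False, last_issuer         # an intermediate was not served


def count_pem_certs(pem_text):
    """Number of certificates in a PEM bundle. A Let's Encrypt fullchain
    file holds the leaf plus at least one intermediate, so a count of 1
    means only the bare certificate was deployed."""
    return len(re.findall(r"-----BEGIN CERTIFICATE-----", pem_text))


if __name__ == "__main__":
    for label, text in (("incomplete", INCOMPLETE_CHAIN),
                        ("complete", COMPLETE_CHAIN)):
        ok, missing = check_chain(parse_chain(text), TRUSTED_ROOTS)
        print(label, "->", "chain OK" if ok else f"missing intermediate: {missing}")
```

To use it against a live host, paste the output of `openssl s_client -connect host:443 -servername host -showcerts </dev/null` into `parse_chain` and replace `TRUSTED_ROOTS` with the subjects of the roots you care about; a result of `(False, <issuer>)` where the issuer is the Let's Encrypt intermediate is exactly the "incomplete chain" that SSL Labs and Android report.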