I REALLY know very little about certificates. I got one to use with my Synology router and NAS. It all works fine.
However, my router Threat Prevention complains about a web site that has Certificate from Active Intermediate, R3. I seem to remember that R3 was supposed to no longer be valid and people should have updated/reissued their certificates. Is that correct? Or is any R3 certificate still valid?
Yes, R3 is still valid; however, DST Root CA X3 has expired.
See Chain of Trust - Let's Encrypt
Can you show (a picture of) the complaint?
Is the router firmware/software up-to-date?
I had already seen that chain of trust diagram, but wasn't sure how to interpret it.
I'm guessing this event "ET INFO Observed Let's Encrypt Certificate from Active Intermediate, R3" was maybe just meant to alert people to the fact that the R3 was used and maybe they needed to refresh to get new root? (if that makes any sense)
Yes, router is up-to-date. (I've xxed out the local IP in this detail information)
Source IP: 188.8.131.52
drop tls [$EXTERNAL_NET,![184.108.40.206]] any -> [$HOME_NET,![xxx.xxx.xxx.xxx]] any (msg:"ET INFO Observed Let's Encrypt Certificate from Active Intermediate, R3"; flow:from_server,established; tls.cert_issuer; content:"R3"; fast_pattern; reference:url,Chain of Trust - Let's Encrypt; classtype:misc-activity; sid:4083212; rev:1; metadata:created_at 2022_02_14, deployment Perimeter, deployment SSLDecrypt, deprecation_reason Performance, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_02_14;)
I don't understand why the source IP 220.127.116.11 is for "Fastly" and the detail references 18.104.22.168, which is an Amazon IP. But then, a lot of this stuff is still a mystery to me.
This looks like the same problem you asked about in August. This didn't look like a Let's Encrypt problem then and still doesn't today.
Yep, basically same concern, but I since found stuff on the web that mentioned that something about it was already expired so I was trying to find out more about that. And I guess it sounds like the "Root" changed and not the R3. And I also said in this message that it was probably just something to alert people to the change (partially based on your previous reply in the previous thread). Was hoping to get some additional explanations and basically got it. But anyone has anything else to help explain it, I'm all ears. Trying to learn this stuff. The topic from before was automatically closed, so I couldn't just add the additional questions there.
I didn't think it was a Let's Encrypt problem. Just trying to understand more.
Also, what happens if some website I visit still has the R3 that is based on the expired root? Is that a bad thing? Should I inform the website? Do you think the browser would reject it?
There was an old R3 that expired more than a year ago. If someone is still using that, their server and cert config is horribly wrong.
That error looks like an inbound request because of the -> to your local IP, and presumably the Source IP is not yours.
I don't know why any cert would be identified on such a request unless you are using client auth in your server. But, a router doing inbound checking wouldn't know that.
The message looks poorly constructed and without docs or further info from the device provider there is little we can say.
Yes, if you are getting errors in your browser about an invalid cert you should inform that website's support.
I wouldn't approach them based on messages you see in your router until you understand what they mean. They won't know what to do any more than we can.
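The rule quoted above, and the question of what it can and cannot tell you, worked through as an added example (this is my code, not from the thread, from Suricata, or from the router vendor): a small pure-Python parser for the rule, an emulation of the single check it performs (a substring match on the server certificate's issuer DN in the `tls.cert_issuer` buffer, on data sent by the server side of an established session, which is what `flow:from_server,established` selects), and a separate expiry/linkage check over two constructed chains. Assumptions: the garbled `reference:` option is dropped from the copied rule; the chain entries and their dates are constructed for illustration and the check does no signature verification; only plain-text `content:` patterns are handled.

```python
# Added example, not from the thread, Suricata or the router vendor: parse the quoted
# rule and emulate its only check (the server cert's issuer DN). Chain dates are constructed.
import re
from datetime import datetime, timezone

# Rule text as posted; the garbled reference: option is dropped, header IP lists kept.
RULE = ('drop tls [$EXTERNAL_NET,![184.108.40.206]] any -> [$HOME_NET,![xxx.xxx.xxx.xxx]] any '
        '(msg:"ET INFO Observed Let\'s Encrypt Certificate from Active Intermediate, R3"; '
        'flow:from_server,established; tls.cert_issuer; content:"R3"; fast_pattern; '
        'classtype:misc-activity; sid:4083212; rev:1; metadata:created_at 2022_02_14, '
        'deployment Perimeter, deployment SSLDecrypt, deprecation_reason Performance, '
        'former_category INFO, performance_impact Low, signature_severity Informational, '
        'updated_at 2022_02_14;)')

HEADER_RE = re.compile(r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
                       r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<options>.*)\)\s*$', re.S)
# TLS sticky buffers: a content: that follows one of these applies to that buffer.
STICKY_BUFFERS = {'tls.cert_issuer', 'tls.cert_subject', 'tls.sni', 'tls.cert_fingerprint'}

def split_options(body):
    """Split on ';' outside double quotes, honouring backslash escapes."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch); escaped = False
        elif ch == '\\':
            cur.append(ch); escaped = True
        elif ch == '"':
            in_quote = not in_quote; cur.append(ch)
        elif ch == ';' and not in_quote:
            opts.append(''.join(cur).strip()); cur = []
        else:
            cur.append(ch)
    tail = ''.join(cur).strip()
    return opts + [tail] if tail else opts

def parse_rule(rule):
    """Header fields, ordered (keyword, value) options and metadata as {key: [values]}."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError('not a Suricata rule')
    parsed = {k: m.group(k) for k in ('action', 'proto', 'src', 'sport', 'dir', 'dst', 'dport')}
    parsed['options'], parsed['metadata'] = [], {}
    for opt in split_options(m.group('options')):
        key, sep, val = opt.partition(':')
        key, val = key.strip(), (val.strip() if sep else None)
        parsed['options'].append((key, val))
        if key == 'metadata':
            for item in val.split(','):
                mk, _, mv = item.strip().partition(' ')
                parsed['metadata'].setdefault(mk, []).append(mv)
    return parsed

def issuer_patterns(parsed):
    """(pattern, nocase) pairs applied to tls.cert_issuer; plain-text content only, no |hex|."""
    pats, buf = [], None
    for key, val in parsed['options']:
        if key in STICKY_BUFFERS:
            buf = key
        elif key == 'content' and buf == 'tls.cert_issuer':
            pats.append([val.strip('"'), False])
        elif key == 'nocase' and buf == 'tls.cert_issuer' and pats:
            pats[-1][1] = True
    return [tuple(p) for p in pats]

def rule_matches_issuer(parsed, issuer_dn):
    """Emulate the rule: every issuer pattern must be a substring of the issuer DN."""
    for pat, nocase in issuer_patterns(parsed):
        hay, needle = (issuer_dn.lower(), pat.lower()) if nocase else (issuer_dn, pat)
        if needle not in hay:
            return False
    return True

def chain_problems(chain, now):
    """Expiry and subject/issuer linkage only, no signature checks; chain is leaf first."""
    problems = []
    for i, cert in enumerate(chain):
        if cert['not_after'] <= now:
            problems.append(f"{cert['subject']} expired {cert['not_after'].date()}")
        if i + 1 < len(chain) and cert['issuer'] != chain[i + 1]['subject']:
            problems.append(f"{cert['subject']} is not issued by the next cert in the chain")
    return problems

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

R3_DN = "C=US, O=Let's Encrypt, CN=R3"
# Constructed chains (illustrative dates): identical R3 subject DN, different upstream root.
CHAINS = {
    'current': [{'subject': 'CN=site.example', 'issuer': R3_DN, 'not_after': utc(2024, 3, 1)},
                {'subject': R3_DN, 'issuer': 'CN=ISRG Root X1', 'not_after': utc(2025, 9, 15)}],
    'stale': [{'subject': 'CN=stale.example', 'issuer': R3_DN, 'not_after': utc(2024, 3, 1)},
              {'subject': R3_DN, 'issuer': 'CN=DST Root CA X3', 'not_after': utc(2021, 9, 29)}],
}

def demo(now=utc(2023, 1, 1)):
    rule = parse_rule(RULE)
    return {name: {'rule_fires': rule_matches_issuer(rule, chain[0]['issuer']),
                   'problems': chain_problems(chain, now)} for name, chain in CHAINS.items()}
```

Both constructed chains make the rule fire, because the leaf's issuer DN reads `CN=R3` either way; only the separate expiry check tells apart the chain whose R3 hangs off the expired DST Root CA X3. That is consistent with the rule's own metadata (`signature_severity Informational`, `deprecation_reason Performance`): it records that an R3-issued certificate was seen, not whether the chain is valid.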
I agree the message is poorly constructed. I can't get anything out of the device provider. They said it was up to me to figure it out. My guess is they just threw Suricata into a UI for their router as an added feature, which I have to admit, I DO like the information that it can provide as well as block. But the information is very minimalistic. So it is hard for me to decipher. Hence my coming here to see what I could find out about R3.
I presume by "server" you mean a web server. I don't have one of those. I assume SOMETHING I did on the PC made a request and that return traffic came back and it complained. But I don't know what I did at around the time the event was logged. And I don't know what I did that referenced Fastly. It might even have just been something like windows OS or the windows store that was trying to update something.
I don't think I got any browser error. But I know that sometimes something that I am trying to do on the web will just keep showing the busy indicator and then stop and say it can't access the web page. That is when I go to the events and try to see if there was a legitimate reason to block it, or if I have the rules too tight. I'd rather have the rules too tight and have it break something than have it too loose and let something dangerous in.
So yeah, I'm trying to figure out what the messages mean so that I can communicate about it better, hence my coming on here and asking about the R3 event. The lack of documentation on this router Threat Prevention stuff is really disappointing. If I search for the event message, I usually end up at the suricata rules and it is just in the middle of a bunch of rules. No explanations. No examples. No description of actions to take, etc.
Thanks for the info you provided.