So the problem is likely something on the Sophos side. Is this a web UI? Can you check the developer console? If it’s trying to load the subscriber agreement from inside the browser, we may get a more informative error in the network tab there.
If it’s trying to load the document from the SG itself, then it’s probably a network connectivity problem on the SG, which I think you’ll need to find somewhere more Sophos specific for help.
First check that you have applied the pattern update which removes the expired DST Root CA X3 and applies the correct ISRG Root X1. To do this, proceed as follows:
Open the WebAdmin of the UTM. 1.
navigate to Web Protection -> Filter Options -> "HTTPS CAs" tab
check that the following entries are included under "Global Verification CAs":
Internet Security Research Group ISRG Root X1
Internet Security Research Group ISRG Root X2
If the entries are present, you have already applied the pattern update. 4.
If the pattern update has not yet been applied, navigate to Administration -> Up2Date -> "Overview" tab.
you should be offered to update now under "Patterns". It is recommended to set the "Interval for pattern download and installation" in the "Configuration" tab not to manual, but to an automatic time interval, unless there is a valid reason not to install the pattern updates automatically
After checking for the pattern update, you must now check whether there are any old root certificates from Let's Encrypt remaining in the certificate management. To do this, proceed as follows:
navigate to Webserver Protection -> Certificate Management -> tab "CA".
remove all CA certificates whose expiration date has passed.
Check for certificates with the following fingerprint and remove them:
Nothing buggy about this. This error happens with clients that use the old OpenSSL logic, which tend to mostly be on embedded devices and outdated Linux servers. A similar fix is needed for OSX 10.11-10.15 and some windows versions.
The weird thing about this, to me, is that I believe 93:::: is the fingerprint for the old cross-signed ISRG root - the version that expired the same day as the DST root. That should not have been in the trust store to start with. Usually you delete the old DST root.
I don’t know how/why that cert was in the trust store - but since this is a Sophos device, I assume they are using explicit chains and not allowing short circuit logic on purpose.
No. It's the SHA-1 fingerprint. 6th row, far right column:
The fingerprint is calculated on the DER encoding of the whole certificate, so each re-issue/signing is essentially guaranteed a unique value as there is some unique data in each cert such as the precertificate info. The "hash" is computed differently (usually SPKI) and can be repeated across certificates.