What is this: ET INFO Observed Let's Encrypt Certificate from Active Intermediate, R3

mltiede · August 30, 2022, 11:03am

I have a Synology RT6600ax router and I got this event from Threat Prevention:

ET INFO Observed Let's Encrypt Certificate from Active Intermediate, R3

Signature rules:
drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed Let's Encrypt Certificate from Active Intermediate, R3"; flow:from_server,established; tls.cert_issuer; content:"R3"; fast_pattern; reference:url,Chain of Trust - Let's Encrypt; classtype:misc-activity; sid:4033240; rev:1; metadata:created_at 2022_02_14, deployment Perimeter, deployment SSLDecrypt, deprecation_reason Performance, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_02_14;)

This came from 146.75.77.181 into my PC.

Is this a problem at the source IP? What is the error message trying to say about Let's Encrypt cert and why?

Thanks for any help trying to understand these cryptic error messages as I'm a newbie with this router and Threat Prevention and Let's Encrypt.

Is there a reason to be worried about it from a security standpoint?

MikeMcQ · August 30, 2022, 1:41pm

Welcome @mltiede

That doesn't look like any kind of problem with your certificates. It looks like an INFO class warning. But, you'd be better asking this on a forum for that router or to the Synology router group.

mltiede · August 30, 2022, 2:55pm

Unfortunately, the Synology router group doesn't seem to know a lot about these either. Apparently the Threat Prevention stuff is just checking signatures from Proofpoint. So I was hoping someone here might be able to shed some light.

So that error message doesn't ring any bells as to what it is trying to communicate?

I'm a LOONG time programmer, but new to the router world and SUPER new to the Threat Prevention world.

Osiris · August 30, 2022, 3:31pm

I doubt that anyone here knows anything about it, it's the first time I've seen it.

That said, if nobody knows anything about it and it's just a warning with the above quotes reasons, I personally would just ignore it.

rg305 · August 30, 2022, 7:35pm

Are you using the latest RT6600ax firmware?
Are you using the latest Threat Prevention engine/signatures?

It sounds like it is detecting access to your internal system - that is using an LE cert.
But feels like that is somehow a performance issue.

mltiede · August 30, 2022, 8:04pm

Yes.
Yes.

Is that a normal thing? Detecting access to my system?

rg305 · August 30, 2022, 11:58pm

You need to ask in a Synology forum.
I'm only guessing at why it might be doing what it is doing.

system · September 29, 2022, 11:58pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.