
Dashboard doesn't trust Let's Encrypt? (Spoiler Alert: It does)

SOLVED
Kind of a big deal


So I got this email from Meraki yesterday:

 

image.png

 

And since I have a few testing code snippets that I use for Webhooks and the Scanning API I figured I should get my butt in gear and convert them to HTTPS.

 

I don't have my own public CA, and certs are expensive, so I thought I'd just use Let's Encrypt to get myself a free cert that I can tie into my test tools. But, after I got it all set up the Dashboard is failing when I try and use the "Validate" button for the Scanning API, or the "Send Test Webhook" button for webhooks. I have validated that my cert is installed correctly and working by pointing my browser and curl at my tools and they both work fine. 

 

I suspect that the Meraki Dashboard does not trust certificates from Let's Encrypt... So I've opened a case with support to ask the question, but while I wait I thought I'd throw the question out to the community to see if anyone has gone through this before and knows the answer?

If Let's Encrypt is not trusted, hopefully I can convince Meraki to add them 🙂

1 ACCEPTED SOLUTION

Accepted Solutions
Kind of a big deal

Re: Dashboard doesn't trust Let's Encrypt?

Meraki should trust LetsEncrypt.  Their CA is dual signed by someone else who I can't remember as well, so it really should be trusted.

 

Maybe try using SSL tester to make sure it isn't something dumb like a weak hash or weak cipher being used.

https://www.ssllabs.com/ssltest/

7 REPLIES
Head in the Cloud

Re: Dashboard doesn't trust Let's Encrypt?

Very interested to see what the deal is with this. I have this on my list to convert scripts/webhooks.


Kind of a big deal

Re: Dashboard doesn't trust Let's Encrypt?


@PhilipDAth wrote:

Meraki should trust LetsEncrypt.  Their CA is dual signed by someone else who I can't remember as well, so it really should be trusted.

 

Maybe try using SSL tester to make sure it isn't something dumb like a weak hash or weak cipher being used.

https://www.ssllabs.com/ssltest/


Good idea. 

 

I'm using @DexterLaBora's CMX Receiver script, not a full-blown webserver but a Python script using Flask to serve up HTTPS.

 

image.png

 

Also note that I can point Chrome at it and there's no problem at all.

 

I thought maybe it was that I was using a wildcard cert, but I just changed it to be one domain and same result from the dashboard. 

 

😞

Building a reputation

Re: Dashboard doesn't trust Let's Encrypt?


@PhilipDAth wrote:

Meraki should trust LetsEncrypt.  Their CA is dual signed by someone else who I can't remember as well, so it really should be trusted.

 

Maybe try using SSL tester to make sure it isn't something dumb like a weak hash or weak cipher being used.

https://www.ssllabs.com/ssltest/


From what I know, Letsencrypt is trusted by all major Root CAs. So in principle it should be secure enough.

On the other hand, I remember having read somewhere that many don't see Letsencrypt as a safe free encryption body any more, due to its ease in creating SSL certificates.

Before, you could trust that if someone uses HTTPS the website was regarded as safe/free of malicious software, because certificates weren't easy to get, and people trusted it. With Letsencrypt, it has become too easy for malicious entities to create websites, even using Letsencrypt.

Kind of a big deal

Re: Dashboard doesn't trust Let's Encrypt?

Got it!

 

Thanks @PhilipDAth. Your suggestion pointed me in the right direction.

 

image.png

 

I was just grabbing the cert.pem file that Let's Encrypt was giving me. I changed it to the fullchain.pem and now it's working. 

Kind of a big deal

Re: Dashboard doesn't trust Let's Encrypt?

I don't agree @rbnielsen.

 

A domain validated certificate is just that - domain validated only.  You can do this manually, or you can do it programmatically (which Lets Encrypt does) - but it is that level of validation that establishes the security or safety of the system, and not whether a user processes the request themselves via a website or a program does.

Probably the biggest plus with Lets Encrypt is that it only issues certificates for 3 months.  This is a huge step forward for security when a breach or theft occurs, as it sets the maximum time scope.  It's like a password change policy.

The old human-issued certificates can be issued for up to 2 years - 8 times longer.

Kind of a big deal

Re: Dashboard doesn't trust Let's Encrypt?

And just in case anyone else needs to do this, here's what I did.

 

http://blog.brokennetwork.ca/2019/05/lets-encrypt-for-meraki-webhooks-and.html

 

 
