Meraki

Community

Dashboard doesn't trust Let's Encrypt? (Spoiler Alert: It does)

Solved
jdsilva
Kind of a big deal
‎May 23 2019 10:39 AM
‎May 23 2019 10:39 AM

Dashboard doesn't trust Let's Encrypt? (Spoiler Alert: It does)

So I got this email from Meraki yesterday:

 

image.png

 

And since I have a few testing code snippets that I use for Webhooks and the Scanning API I figured I should get my butt in gear and convert them to HTTPS.

 

I don't have my own public CA, and certs are expensive, so I thought I'd just use Let's Encrypt to get myself a free cert that I can tie into my test tools. But, after I got it all set up the Dashboard is failing when I try and use the "Validate" button for the Scanning API, or the "Send Test Webhook" button for webhooks. I have validated that my cert is installed correctly and working by pointing my browser and curl at my tools and they both work fine. 

 

I suspect that the Meraki Dashboard does not trust certificates from Let's Encrypt... So I've opened a case with support to ask the question, but while I wait I thought I'd throw the question out to the community to see if anyone has gone through this before and knows the answer ?

 

If Let's Encrypt not trusted hopefully I can convince Meraki to add them 🙂

http://blog.brokennetwork.ca | @jdsilva
Labels:
0 Kudos
1 Accepted Solution
PhilipDAth
Kind of a big deal
Kind of a big deal
‎May 23 2019 12:56 PM
‎May 23 2019 12:56 PM

Meraki should trust LetsEncrypt.  Their CA is dual signed by someone else who I can't remember as well, so it really should be trusted.

 

Maybe try using SSL tester to make sure it isn't something dumb like a weak hash for weak cipher is being used.

https://www.ssllabs.com/ssltest/

View solution in original post

7 Replies 7
SoCalRacer
Kind of a big deal
‎May 23 2019 12:15 PM
‎May 23 2019 12:15 PM

Very interested to see what the deal is with this. I have this on my list to convert scripts/webhooks.

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎May 23 2019 12:56 PM
‎May 23 2019 12:56 PM

Meraki should trust LetsEncrypt.  Their CA is dual signed by someone else who I can't remember as well, so it really should be trusted.

 

Maybe try using SSL tester to make sure it isn't something dumb like a weak hash for weak cipher is being used.

https://www.ssllabs.com/ssltest/

In response to PhilipDAth
jdsilva
Kind of a big deal
‎May 23 2019 1:12 PM
‎May 23 2019 1:12 PM

@PhilipDAth wrote:

Meraki should trust LetsEncrypt.  Their CA is dual signed by someone else who I can't remember as well, so it really should be trusted.

 

Maybe try using SSL tester to make sure it isn't something dumb like a weak hash for weak cipher is being used.

https://www.ssllabs.com/ssltest/

Good idea. 

 

I'm using @DexterLaBora 's CMX Receiver script, not a full blown webserver but a python script using Flask to serve up HTTPS.

 

image.png

 

Also note that I can point Chrome at it and there's no problem at all.

 

I thought maybe it was that I was using a wildcard cert, but I just changed it to be one domain and same result from the dashboard. 

 

😞

http://blog.brokennetwork.ca | @jdsilva
0 Kudos
In response to PhilipDAth
rhbirkelund
Kind of a big deal
Kind of a big deal
‎May 23 2019 1:14 PM
‎May 23 2019 1:14 PM

@PhilipDAth wrote:

Meraki should trust LetsEncrypt.  Their CA is dual signed by someone else who I can't remember as well, so it really should be trusted.

 

Maybe try using SSL tester to make sure it isn't something dumb like a weak hash for weak cipher is being used.

https://www.ssllabs.com/ssltest/

From what I know of, Letsencrypt is trusted by all major Root CAs. So in principle it should be secure enough.

 

On the other hand, I remember to have read somewhere that many don't see Letsencrypt as a safe free encryption body any more, due to its ease in creating SSL certificates.

Before, you could trust that if someone uses HTTPS the website was regarded as safe/free of malicious software, because certificates weren't easy to get, and people trusted it. With Letsencrypt, it has become too easy for malicious entities to create websites, even using Letsencrypt.

LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂

All code examples are provided as is. Responsibility for Code execution lies solely your own.
0 Kudos
In response to rhbirkelund
jdsilva
Kind of a big deal
‎May 23 2019 1:20 PM
‎May 23 2019 1:20 PM

Got it!

 

Thanks @PhilipDAth . Your suggestion pointed me in the right direction. 

 

image.png

 

I was just grabbing the cert.pem file that Let's Encrypt was giving me. I changed it to the fullchain.pem and now it's working. 

http://blog.brokennetwork.ca | @jdsilva
0 Kudos
In response to rhbirkelund
PhilipDAth
Kind of a big deal
Kind of a big deal
‎May 23 2019 1:20 PM
‎May 23 2019 1:20 PM

I don't agree @rhbirkelund.

 

A domain validated certificated is just that - domain validated only.  You can do this manually, or you can do it programatically (which Lets Encrypt does) - but it is that level of validation that establishes the security or safety of the system, and not weather a user proceses the request themselves via a website or a program does.

 

Probably the biggest plus with Lets Encrypt is that it only issues certificates for 3 months.  This is a huge step forward for security when a breach or theft occurrs, as it sets the maximum time scope.  It's like a password change policy.

The old human issues certificates can be issued for up to 2 years - 8 times longer.

0 Kudos
In response to PhilipDAth
jdsilva
Kind of a big deal
‎May 24 2019 11:55 AM
‎May 24 2019 11:55 AM

And just in case anyone else needs to do this, here's what I did.

 

http://blog.brokennetwork.ca/2019/05/lets-encrypt-for-meraki-webhooks-and.html

 

 

http://blog.brokennetwork.ca | @jdsilva
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
© 2024 Cisco Systems, Inc.