Dashboard doesn't trust Let's Encrypt? (Spoiler Alert: It does)

SOLVED
jdsilva
Kind of a big deal

Dashboard doesn't trust Let's Encrypt? (Spoiler Alert: It does)

So I got this email from Meraki yesterday:

 

image.png

 

And since I have a few testing code snippets that I use for Webhooks and the Scanning API I figured I should get my butt in gear and convert them to HTTPS.

 

I don't have my own public CA, and certs are expensive, so I thought I'd just use Let's Encrypt to get myself a free cert that I can tie into my test tools. But, after I got it all set up the Dashboard is failing when I try and use the "Validate" button for the Scanning API, or the "Send Test Webhook" button for webhooks. I have validated that my cert is installed correctly and working by pointing my browser and curl at my tools and they both work fine. 

 

I suspect that the Meraki Dashboard does not trust certificates from Let's Encrypt... So I've opened a case with support to ask the question, but while I wait I thought I'd throw the question out to the community to see if anyone has gone through this before and knows the answer ?

 

If Let's Encrypt not trusted hopefully I can convince Meraki to add them 🙂

1 ACCEPTED SOLUTION
PhilipDAth
Kind of a big deal
Kind of a big deal

Meraki should trust LetsEncrypt.  Their CA is dual signed by someone else who I can't remember as well, so it really should be trusted.

 

Maybe try using SSL tester to make sure it isn't something dumb like a weak hash for weak cipher is being used.

https://www.ssllabs.com/ssltest/

View solution in original post

7 REPLIES 7
SoCalRacer
Kind of a big deal

Very interested to see what the deal is with this. I have this on my list to convert scripts/webhooks.

PhilipDAth
Kind of a big deal
Kind of a big deal

Meraki should trust LetsEncrypt.  Their CA is dual signed by someone else who I can't remember as well, so it really should be trusted.

 

Maybe try using SSL tester to make sure it isn't something dumb like a weak hash for weak cipher is being used.

https://www.ssllabs.com/ssltest/

jdsilva
Kind of a big deal


@PhilipDAth wrote:

Meraki should trust LetsEncrypt.  Their CA is dual signed by someone else who I can't remember as well, so it really should be trusted.

 

Maybe try using SSL tester to make sure it isn't something dumb like a weak hash for weak cipher is being used.

https://www.ssllabs.com/ssltest/


Good idea. 

 

I'm using @DexterLaBora 's CMX Receiver script, not a full blown webserver but a python script using Flask to serve up HTTPS.

 

image.png

 

Also note that I can point Chrome at it and there's no problem at all.

 

I thought maybe it was that I was using a wildcard cert, but I just changed it to be one domain and same result from the dashboard. 

 

😞


@PhilipDAth wrote:

Meraki should trust LetsEncrypt.  Their CA is dual signed by someone else who I can't remember as well, so it really should be trusted.

 

Maybe try using SSL tester to make sure it isn't something dumb like a weak hash for weak cipher is being used.

https://www.ssllabs.com/ssltest/


From what I know of, Letsencrypt is trusted by all major Root CAs. So in principle it should be secure enough.

 

On the other hand, I remember to have read somewhere that many don't see Letsencrypt as a safe free encryption body any more, due to its ease in creating SSL certificates.

Before, you could trust that if someone uses HTTPS the website was regarded as safe/free of malicious software, because certificates weren't easy to get, and people trusted it. With Letsencrypt, it has become too easy for malicious entities to create websites, even using Letsencrypt.

LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂

All code examples are provided as is. Responsibility for Code execution lies solely your own.
jdsilva
Kind of a big deal

Got it!

 

Thanks @PhilipDAth . Your suggestion pointed me in the right direction. 

 

image.png

 

I was just grabbing the cert.pem file that Let's Encrypt was giving me. I changed it to the fullchain.pem and now it's working. 

I don't agree @rhbirkelund.

 

A domain validated certificated is just that - domain validated only.  You can do this manually, or you can do it programatically (which Lets Encrypt does) - but it is that level of validation that establishes the security or safety of the system, and not weather a user proceses the request themselves via a website or a program does.

 

Probably the biggest plus with Lets Encrypt is that it only issues certificates for 3 months.  This is a huge step forward for security when a breach or theft occurrs, as it sets the maximum time scope.  It's like a password change policy.

The old human issues certificates can be issued for up to 2 years - 8 times longer.

jdsilva
Kind of a big deal

And just in case anyone else needs to do this, here's what I did.

 

http://blog.brokennetwork.ca/2019/05/lets-encrypt-for-meraki-webhooks-and.html

 

 

Get notified when there are additional replies to this discussion.