Problem is solved, here is a summary:
- web sites using Letsencrypt almost always deliver a certificate chain of 3 certificates:
1. the Letsencrypt cert, valid max 3 months, signed by R3 Intermediate CA
2. R3 cert, signed by ISRG X1 root CA
3. ISRG X1 root CA self-signed cert
As Letsencrypt states, this is due to Android having problems with the certs otherwise. See https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/ for details. As they state, this certificate chain however does not get validated correctly by OpenSSL 1.0.x and lower.
JUNOS 20.x uses OpenSSL v1.0.2u, as you can easily verify by calling `openssl version` from a command shell. This is exactly the reason why Proxy SSL cert validation fails.
I had to upgrade to JUNOS 21.x which incorporates OpenSSL 1.1.x to avoid this misbehavior. No other means necessary.
I wonder why this has not been remarked on by someone else before, as Letsencrypt certs are really common now.
------------------------------
CARSTEN
------------------------------
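As an added illustration (not part of the thread), the script below builds a three-certificate chain in the layout the summary describes (leaf, intermediate, root; the names DemoRoot, DemoR3 and demo.example are constructed), prints subject, issuer and expiry for each certificate in the bundle the way you would inspect a real server's `openssl s_client -showcerts` output, verifies the leaf against the root, and flags an OpenSSL build older than 1.1.0 as affected by the problem above.

```shell
#!/bin/sh
# Added example, not from the thread. Requires the openssl CLI.
set -e
WORK=$(mktemp -d)

# Leaf, intermediate (playing R3) and self-signed root (playing ISRG Root X1).
make_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:demo.example\n' > "$WORK/leaf.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj '/CN=DemoRoot' \
      -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=DemoR3' \
      -keyout "$WORK/r3.key" -out "$WORK/r3.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/r3.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
      -CAcreateserial -days 1825 -extfile "$WORK/ca.ext" -out "$WORK/r3.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=demo.example' \
      -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/r3.pem" -CAkey "$WORK/r3.key" \
      -CAcreateserial -days 90 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
  # What a server hands out: leaf first, then the rest of the chain.
  cat "$WORK/leaf.pem" "$WORK/r3.pem" "$WORK/root.pem" > "$WORK/chain.pem"
}

count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Split a PEM bundle (e.g. pasted s_client -showcerts output) and describe each cert.
chain_report() {
  awk -v dir="$WORK" '/BEGIN CERTIFICATE/{n++; out=sprintf("%s/part%d.pem", dir, n)}
                      n>0{print > out}' "$1"
  for f in "$WORK"/part[0-9]*.pem; do
    openssl x509 -in "$f" -noout -subject -issuer -enddate
  done
}

# Path building the proxy must do: leaf -> intermediate -> trusted root.
verify_leaf() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/r3.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# OpenSSL 1.0.x (JUNOS 20.x ships 1.0.2u) cannot build an alternate path when the
# served chain ends in a cross-signed root; 1.1.x and later can.
openssl_is_pre_110() {
  case "$(openssl version | awk '{print $2}')" in
    0.*|1.0.*) return 0 ;;
    *) return 1 ;;
  esac
}

make_chain
chain_report "$WORK/chain.pem"
if verify_leaf; then echo "leaf verifies against DemoRoot"; fi
if openssl_is_pre_110; then echo "warning: OpenSSL 1.0.x or older, affected"; fi
```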
Original Message:
Sent: 12-02-2022 21:55
From: Jamie Graham
Subject: Juniper SSL Proxy with servers using letsencrypt
Next step would be to see SSL_PROXY errors in the log files. If you're logging to an external syslog server, grep for SSL or SSL_PROXY if I recall correctly. If not, then you will need to enable tracing for SSL_PROXY and view the errors. Once you see what's happening, I would then enable/disable different SSL_PROXY features in your configuration.
SSL Proxy Logs | Junos OS | Juniper Networks
ssl (Services) | Junos OS | Juniper Networks
------------------------------
Jamie Graham
Original Message:
Sent: 11-30-2022 09:13
From: CARSTEN GRAMMES
Subject: Juniper SSL Proxy with servers using letsencrypt
I have a setup using ssl proxy. It works fine so far: https traffic gets analyzed, and Juniper signs the content with its own certificate. With one exception, however: all sites using Letsencrypt certificates lead to an SSL-PROXY:DUMMY_CERT:GENERATED DUE TO SRVR AUTH FAILURE error. Other sites work fine.
I have both the R3 intermediate certificate (until Mon, 15 Sep 2025 16:00:00 GMT) and the ISRG X1 certificate (until Mon, 04 Jun 2035 11:04:38 GMT) installed as ca-profiles (trusted-ca all). So the Let's Encrypt certificates should be verifiable.
Any idea?
------------------------------
CARSTEN GRAMMES
------------------------------