Websites whose certificates chain to the Sectigo root CA may fail to connect, with a certificate validation failure, because the AddTrust External CA Root certificate expired on May 30th 2020.
The issue occurs because OpenSSL builds the certificate chain along a path that leads to the expired AddTrust External CA Root. Hence, sites signed by the Sectigo root CA may fail to connect, and a certificate validation failed message is displayed to the end user.
If a site presents an expired certificate and the connection is processed by the Sophos UTM web proxy, the proxy blocks the website by default.
Here is an example of the packet capture taken when the remote server presents the expired CA certificate.
When the expired certificate is presented to the Sophos UTM web proxy, the proxy validates the certificate and determines whether it is valid. In this case, it is blocked by default.
You may also observe the following entry in the HTTP.log:
url="https://example.com/" referer="" error="Failed to verify server certificate"
Applies to the following Sophos products and versions: Sophos UTM
Users trying to reach sites with these expired certificates are blocked by certificate validation.
The issue has been fixed with a cadata pattern update as of 2020-06-05.
On the UTM, the expired certificate "AddTrust External CA Root" can be disabled. This causes the certificate check to validate against the good certificate instead. The following image shows the certificate in its disabled state.
Once the certificate is disabled, switch the proxy off and then back on. This can be done in Web Protection > Web Filtering > Global tab.
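The following Python model, added here as an illustration and not part of the article or of Sophos UTM's code, shows why the expired AddTrust root breaks validation and why disabling it in the UTM's certificate store restores a good path. Certificates are reduced to (subject, issuer, notAfter) records with no keys or signatures; the subject names follow the widely documented Sectigo chain, the 30 May 2020 expiry comes from the article, and all other dates, the host name and the trust-store contents are constructed assumptions. The verifier mimics the path-building order of OpenSSL 1.0.x-style validators (presented chain first, trust store consulted only at the top, shorter alternative chains tried only when no trusted issuer is found at all).

```python
"""Model of X.509 path building around the AddTrust External CA Root expiry.

Certificates are reduced to (subject, issuer, notAfter) records; no keys or
signatures are modelled. All records are constructed for illustration; only
the AddTrust expiry date (30 May 2020) is taken from the article.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: datetime

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


# Constructed records modelled on the chain Sectigo-issued servers sent in 2020.
LEAF = Cert("example.com", "Sectigo RSA Domain Validation Secure Server CA",
            datetime(2021, 1, 1, tzinfo=UTC))
SECTIGO_ICA = Cert("Sectigo RSA Domain Validation Secure Server CA",
                   "USERTrust RSA Certification Authority",
                   datetime(2030, 12, 31, tzinfo=UTC))
# The USERTrust root as cross-signed by AddTrust: it expires together with AddTrust.
USERTRUST_CROSS = Cert("USERTrust RSA Certification Authority",
                       "AddTrust External CA Root",
                       datetime(2020, 5, 30, 10, 48, 38, tzinfo=UTC))
# The same USERTrust root, self-signed: the "good" anchor the article refers to.
USERTRUST_ROOT = Cert("USERTrust RSA Certification Authority",
                      "USERTrust RSA Certification Authority",
                      datetime(2038, 1, 18, tzinfo=UTC))
ADDTRUST_ROOT = Cert("AddTrust External CA Root", "AddTrust External CA Root",
                     datetime(2020, 5, 30, 10, 48, 38, tzinfo=UTC))

SERVER_CHAIN = [LEAF, SECTIGO_ICA, USERTRUST_CROSS]  # what the server presents
OLD_TRUST_STORE = [USERTRUST_ROOT, ADDTRUST_ROOT]     # AddTrust still enabled
FIXED_TRUST_STORE = [USERTRUST_ROOT]                  # AddTrust disabled

BEFORE_EXPIRY = datetime(2020, 5, 1, tzinfo=UTC)      # constructed clock values
AFTER_EXPIRY = datetime(2020, 6, 1, tzinfo=UTC)


def find_issuer(candidates, cert):
    """Return the first candidate whose subject name matches cert's issuer name."""
    return next((c for c in candidates if c.subject == cert.issuer), None)


def verify(untrusted, trust_store, now):
    """Build and check a path in the order older OpenSSL-style verifiers use.

    Phase 1 follows the server-presented (untrusted) certs as far as they go.
    Phase 2 looks for a trusted issuer of the top cert; if none exists, the top
    presented cert is dropped and the lookup retried (alternative chains).
    Validity is then checked from the anchor downwards, so an expired anchor is
    the first error reported. An anchor that is found but expired is NOT
    retried with a shorter chain, which is exactly the AddTrust failure mode.
    Returns ("ok", path) or (error_text, path)."""
    path = [untrusted[0]]
    while not path[-1].self_signed:
        nxt = find_issuer(untrusted, path[-1])
        if nxt is None or nxt in path:
            break
        path.append(nxt)
    while True:
        anchor = find_issuer(trust_store, path[-1])
        if anchor is not None:
            # A self-signed top is replaced by the trust-store copy of itself.
            full = path[:-1] + [anchor] if path[-1].self_signed else path + [anchor]
            expired = [c for c in reversed(full) if c.not_after < now]
            if expired:
                return ("certificate has expired: " + expired[0].subject, full)
            return ("ok", full)
        if len(path) == 1:
            return ("unable to get local issuer certificate", path)
        path.pop()  # alternative chain: drop the top presented cert and retry


def path_subjects(path):
    return [c.subject for c in path]


if __name__ == "__main__":
    for label, store, now in [("before expiry, AddTrust enabled", OLD_TRUST_STORE, BEFORE_EXPIRY),
                              ("after expiry, AddTrust enabled", OLD_TRUST_STORE, AFTER_EXPIRY),
                              ("after expiry, AddTrust disabled", FIXED_TRUST_STORE, AFTER_EXPIRY)]:
        status, path = verify(SERVER_CHAIN, store, now)
        print(f"{label}: {status} via {' -> '.join(path_subjects(path))}")
```

With AddTrust enabled, the walk reaches the cross-signed USERTrust certificate, finds the expired AddTrust root as its trusted issuer and fails there; with AddTrust disabled, no trusted issuer exists for the cross certificate, so the verifier backs up one step and anchors the Sectigo intermediate on the self-signed USERTrust root, which is the "good certificate" the article describes.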
This article will be updated when any new information becomes available.