Websites whose certificates chain to the Sectigo root CA may fail to connect with a "certificate validation failed" error because the AddTrust External CA Root certificate expired on 30 May 2020.
The issue occurs because OpenSSL builds the certificate chain along a path that leads to the expired AddTrust External CA Root. As a result, sites signed by the Sectigo root CA may fail to connect, and a "certificate validation failed" message is displayed to the end user.
If a site presents an expired certificate and its traffic is processed by the Sophos Web Appliance, the appliance blocks the website through certificate verification.
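To show why the appliance's certificate verification fails on this chain, and why removing the expired AddTrust root from its trust store makes the same chain verify again, here is an added example (not Sophos or OpenSSL code) that models the two path-building strategies in Python. The certificate records are constructed stand-ins with illustrative names and dates; no real parsing or signature checking is performed.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: date
# Constructed stand-ins (names and dates are illustrative, not real certificates).
# After 30 May 2020 a server may still send the USERTrust RSA root as a
# cross-certificate issued by the expired AddTrust External CA Root.
LEAF = Cert("www.example.test", "Sectigo RSA DV CA", date(2021, 1, 1))
SECTIGO = Cert("Sectigo RSA DV CA", "USERTrust RSA CA", date(2030, 12, 31))
USERTRUST_CROSS = Cert("USERTrust RSA CA", "AddTrust External CA Root", date(2020, 5, 30))
SERVED_CHAIN = [LEAF, SECTIGO, USERTRUST_CROSS]
USERTRUST_ROOT = Cert("USERTrust RSA CA", "USERTrust RSA CA", date(2038, 1, 18))
ADDTRUST_ROOT = Cert("AddTrust External CA Root", "AddTrust External CA Root", date(2020, 5, 30))

def find(certs, subject):
    return next((c for c in certs if c.subject == subject), None)

def verify(leaf, served, trust_store, today, trusted_first=False):
    """Build a path from the leaf, then check it for expiry (anchor first).
    trusted_first=False models the legacy OpenSSL builder: follow the served
    chain as far as it goes, anchor on the trust store, and try an alternative
    chain only when no anchor was found at all (an expired anchor is final).
    trusted_first=True takes a trust-store match at the first opportunity."""
    path = [leaf]
    while path[-1].subject != path[-1].issuer:
        want = path[-1].issuer
        anchor, nxt = find(trust_store, want), find(served, want)
        if anchor and (trusted_first or nxt is None):
            path.append(anchor)
            break
        if nxt is None:
            # Alternative chain: back off to the deepest served cert whose
            # subject is itself a trust anchor and swap in that anchor.
            while path and find(trust_store, path[-1].subject) is None:
                path.pop()
            if not path:
                return (False, "unable to get issuer certificate", [])
            path[-1] = find(trust_store, path[-1].subject)
            break
        path.append(nxt)
    names = [c.subject for c in path]
    if path[-1] not in trust_store:
        return (False, "self signed certificate in certificate chain", names)
    expired = next((c for c in reversed(path) if c.not_after < today), None)
    if expired:
        return (False, f"certificate has expired: {expired.subject}", names)
    return (True, "ok", names)
```

With both roots in the store the legacy builder anchors on AddTrust and fails on its expiry; dropping AddTrust from the store, or preferring trusted certificates first, anchors on the USERTrust RSA root instead and the chain verifies.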
Here is an example of a packet capture in which the remote server presents the expired CA certificate.
When the expired certificate is presented to the Sophos Web Appliance, the appliance validates it and determines that it is not valid. Users see the following error message:
Applies to the following Sophos products and versions: Sophos Web Appliance
Users trying to go to sites with these expired certificates will be blocked by certificate validation.
Fixed in release: SWA 184.108.40.206. Current status: GA
Please upgrade to version 220.127.116.11.
If the issue still occurs, check the certificates under certificate verification for any AddTrust External CA or UserTrust CA certificates and remove them.
Then clear the certificate cache, found under Global Policy -> Generate.
Once the cache is cleared, reboot the web appliance.
If the issue still occurs after this, contact Sophos Technical Support.
This article will be updated when any new information becomes available.