The XG has suddenly decided that a valid certificate has expired.
I will create an exception for this site and hopefully someone can explain why this is happening?
I now have a second site with the same issue. The second site's certificate expires in Sept 2020.
I would suspect the XG has a date validation issue; the issue started just after midnight my time (EAST).
Both sites are European, whereas the US, Australia I don't have an issue with.
In reply to rfcat_vk:
Seems to be related to the expired root certificate of USERtrust https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020 and the alternative verification path.
In reply to AndreasBeutel:
Thank you for that investigation and update.
You could just remove the expired AddTrust-Root from Certificates → Certificate Authorities and all cross-signed certificates should work as expected.
Thank you, issue resolved.
Hi guys, started to investigate this as well this morning, but with startpage.com. All the suggestions here solved the issue.
In reply to Martin Hampl:
OK, it works, but now the question is: why doesn't Sophos XG support USERTrust?
A legacy browser or older device that does not have the modern “USERTrust” root would not trust it and so would look further up the chain to a root it does trust, the AddTrust External CA Root. A more modern browser would have the USERTrust root already installed and trust it without needing to rely on the older AddTrust root.
In reply to MassimoDalla Giustina:
IMHO it's not »Sophos not supporting UserTrust« but more a thing of older versions of OpenSSL not doing the multipath check correctly. Also GnuTLS has a bug which has been fixed some days ago. So this problem occurs more or less due to »broken« SSL libraries...
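
Added example, not part of the thread and not OpenSSL's or Sophos's code: a simplified Python model of the two path-building behaviours discussed above, showing why a cross-signed chain fails once the AddTrust root expires and why removing that root from the trust store helps. Certificates are modelled as name/issuer/expiry records only; the host name, the intermediate and every date except AddTrust's May 30, 2020 expiry are constructed.

```python
from datetime import datetime, timezone
from typing import NamedTuple

class Cert(NamedTuple):
    subject: str
    issuer: str
    not_after: datetime

def day(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample data; only the AddTrust expiry (May 30, 2020) comes from the thread.
LEAF = Cert("www.example.test", "Example Intermediate CA", day(2020, 9, 30))
INTERMEDIATE = Cert("Example Intermediate CA", "USERTrust", day(2030, 12, 31))
USERTRUST_CROSS = Cert("USERTrust", "AddTrust External CA Root", day(2020, 5, 30))
USERTRUST_ROOT = Cert("USERTrust", "USERTrust", day(2038, 1, 18))
ADDTRUST_ROOT = Cert("AddTrust External CA Root", "AddTrust External CA Root", day(2020, 5, 30))
SERVER_SENT = [INTERMEDIATE, USERTRUST_CROSS]  # chain as sent by the site

def issuers(cert, pool):
    """Certificates in pool whose subject matches cert's issuer (name match only)."""
    return [c for c in pool if c.subject == cert.issuer and c != cert]

def first_path_verify(leaf, sent, store, now):
    """Commit to the first path that reaches a trusted root; check dates only afterwards."""
    path = [leaf]
    while path[-1] not in store:
        found = issuers(path[-1], sent) or issuers(path[-1], store)
        if found:
            path.append(found[0])
            continue
        # Dead end (no trusted issuer): drop sent certs and retry from the store.
        while len(path) > 1:
            path.pop()
            alt = issuers(path[-1], store)
            if alt:
                path.append(alt[0])
                break
        else:
            return False
    return all(c.not_after > now for c in path)

def any_path_verify(cert, sent, store, now, seen=()):
    """Try every candidate issuer; accept any unexpired path to a trusted root."""
    if cert.not_after <= now or cert in seen:
        return False
    if cert in store:
        return True
    return any(any_path_verify(i, sent, store, now, seen + (cert,))
               for i in issuers(cert, sent + store))
```

With both roots in the store, the first-path model rejects the site after May 30, 2020 because it settles on the AddTrust path; with the AddTrust root removed it falls back to the USERTrust root and accepts, which matches the fix reported in the thread.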