

CA certificates being rejected in error? (If so, how to report.)

We're having issues with some Ring Central pages being blocked. You'll see an error like:

But the certificate details look reasonable to me. In the XGS I find:

The certificate in the block message looks the same as the second certificate to me, though the version on the XGS has "GoDaddy.com, Inc." instead of "GoDaddy.com Inc.". I may be misunderstanding this though.



  • This one seems odd to me. support.ringcentral.com uses a different cert than success.ringcentral.com. 

    Success has a digicert, which seems to be invalid. (see bitmask)

    The support works on TLS1.3 and has a valid chain:

    And the problem is: If you access "success.ringcentral.com" it will forward you to "support.ringcentral.com".

    I assume they simply forgot to replace the certificate on the success. 

    Try support.ringcentral.com, this one should work. You could create a ticket and explain this to the vendor of the website. 

    Looking at the cert they use for success: 

    You can also import the CA of the GoDaddy Website, which includes all CAs. 

    https://certs.godaddy.com/repository/

    https://certs.godaddy.com/repository/gd_bundle-g2.crt

    And import them as a validation CA. This will fix this for you. 

    Seems like they use a CA which is not publicly known to everybody. Sophos XG is not automatically importing each and every CA of every vendor. 

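Importing a downloaded bundle as a validation CA trusts every certificate inside it, so it is worth checking the contents first. The following is an added example, not part of the posts above and not Sophos tooling: it splits a PEM bundle and compares each certificate's SHA-256 fingerprint against a reference set you obtained from a source you trust. The function names and the placeholder sample data are assumptions made for illustration.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S
)


def bundle_fingerprints(pem_text):
    """Return the SHA-256 fingerprint (AA:BB:...) of each certificate in a PEM bundle."""
    prints = []
    for body in PEM_RE.findall(pem_text):
        # The fingerprint is taken over the DER bytes, i.e. the decoded base64 body.
        der = base64.b64decode("".join(body.split()), validate=True)
        digest = hashlib.sha256(der).hexdigest().upper()
        prints.append(":".join(digest[i:i + 2] for i in range(0, 64, 2)))
    return prints


def review_bundle(pem_text, trusted):
    """Compare a bundle against trusted fingerprints.

    Returns (approved, unexpected, missing): certificates that match the
    reference set, certificates in the bundle that are not in it, and
    reference fingerprints that the bundle does not contain.
    """
    norm = {t.replace(":", "").replace(" ", "").upper() for t in trusted}
    found = bundle_fingerprints(pem_text)
    approved = [f for f in found if f.replace(":", "") in norm]
    unexpected = [f for f in found if f.replace(":", "") not in norm]
    missing = sorted(norm - {f.replace(":", "") for f in found})
    return approved, unexpected, missing


def to_pem(der):
    """Wrap raw bytes as a PEM block (used only to build the constructed sample)."""
    b64 = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"


# Constructed sample: placeholder bytes standing in for two certificates.
SAMPLE_BUNDLE = to_pem(b"constructed placeholder A") + to_pem(b"constructed placeholder B")

if __name__ == "__main__":
    reference = {hashlib.sha256(b"constructed placeholder A").hexdigest()}
    ok, extra, absent = review_bundle(SAMPLE_BUNDLE, reference)
    print("approved:", ok)
    print("unexpected (do not import without review):", extra)
    print("missing from bundle:", absent)
```

For a real bundle, read the downloaded file's text into `review_bundle` and import only the certificates that land in the approved list.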

  • Thanks for the explanation. I generally chalk up such errors to mistakes by the company that's running the website, but Ring Central is pretty large and I'm getting this error on their sites in multiple countries (US, UK, etc) so it wasn't as clear that it was them. I'll report it to them.