HTTPS decryption: Some users cannot browse site: Certificate expired yesterday

Question

We're having a strange situation again after it happened last week already on our SFOS 19.0.1 XG430: 
 Some users browse to a website that has no exceptions on our firewall for decryption. 
 The browser (firefox or chrome) show an error that the site is not secure. If you check for the details, you can see, the website has been re-encrypted by the firewall root ca - so far so normal - but the certificate shown has expired yesterday. That is why the page is blocked. This situation is only for some users that are behind a SD-RED60 from our current debugging. 
 I can see the users that hit the issue with some website do not appear in the TLS logs, insteady their requests only appear in the Webfilter Logs. 
 Those users that can access the websites, show in both: Webfilter and TLS logs. 
 Here one example for the website handelsregister.de 
 Here it works: 
 Decrypted by Sophos EP on last instance. Cert valid until may 10th.

Lets check the real certificate Chain:

And this is it on the endpoints behind SD-RED60:

Michael Dunn · Accepted Answer

May be related to NC-100265 which was resolved in 19.5 GA. Certificates created by the XG for HTTPS decryption expire after two years. During the upgrade to 18.0 GA (released Jan 2020) we cleared the cert cache but has not been cleared automatically since. So people who upgraded/installed to 18.0 GA really early and are not yet on 19.5 GA may experience this problem. The workaround is relatively simple. Web Service will be interrupted for a minute or two, so do this during off hours. Non web traffic will not be affected. touch /var/certcache/.clear_all_certs_on_reload service -ds nosync awarrenhttp:restart If this does not resolve the problem it may be a different cause - complicated by the fact that you have XG, RED, and EP all potentially trying to do HTTPS decryption.

HTTPS decryption: Some users cannot browse site: Certificate expired yesterday

Top Replies