
Firmware 4.3.8.1 & expired certificate 30th May 2020

We're currently running 4.3.8.1 across all web appliances / single management appliance (it's been stable; we've had random issues in the past and do not update unless a specific reason forces us to).

Today we experienced HTTPS scanning issues with some sites. All sites scanned through SSL Labs showed an expired cert, 30th May 2020. Relating to this article:

https://thesslonline.com/blog/sectigo-addtrust-external-ca-root-expiring-may-30-2020


Has anyone else had HTTPS inspection issues today on later firmware versions 4.3.9, 4.3.9.1 or 4.3.10?

Does the following bug fix listed in 4.3.9 release notes cover this specific issue?

NSWA-1634

The trusted CA certificates used for certificate validation have been updated.

Does updating to later versions replace the appliance cert used for HTTPS inspection?

 

Interested in comments from Sophos dev team if they are on this channel.

Thanks in advance!



This thread was automatically locked due to age.
  • Hi  

    Unfortunately, we aren't able to provide exact numbers, but the release is now GA and available for all devices.
    Thanks,
    Yashraj Singha
    Manager | Global Community Support
  • We're on v4.3.10.1 since Sunday evening and still face this issue...

       
  • Hi

    According to multiple reports the issue is not resolved. Why is it taking so many days to confirm why people are saying the issue still exists, if Sophos believe it is resolved?

    Look at the most recent comment before my reply. Others are saying the problem remains.

     

  • Hello,

    If you are still experiencing issues, please ensure that you have performed these steps.

    • Please check that there are no Sectigo certificates/affected websites' certificates added in the "Configuration > Global Policy > Certificate Validation > Check the custom cert list"
    • Please try clearing the "Certificate Cache" under the "Configuration > Global policy > General options > Clear Certificate Cache". Please do this during downtime only. Wait for 15 to 20 minutes after doing this as it may take several minutes.
    • Please reboot the web appliance/s one by one after that.

    Regards,

    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Issue can still occur if you have added the AddTrust External CA or UserTrust certificate manually. 

    Please try removing those certificates from the certificate validation page if they are listed. 

  • The certificate cache may be holding onto the bad certificate. 

    Clear the certificate cache under Global Policy > General > Clear Certificate Cache.

    Reboot the appliance.

  • Thank you emmosophos and Draco!

    Stupid me didn't think about going through the certification validation list. We had the expired one listed there. Removing this (and several other expired ones) seems to have done the trick.

  • Hi Duncan, did the latest advisories resolve the issue for you?

  • Hi  

    Wondered if you could do us a favour, could you test this URL through your updated appliances and confirm if it fails certificate validation?

    https://hedd.ac.uk

     

  • Summary of actions taken to date ...

    Please check that there are no Sectigo certificates/affected websites' certificates added in the "Configuration > Global Policy > Certificate Validation > Check the custom cert list"

    Difficult to justify the time to complete this step for more than 30 websites identified with the issue in our environment.

    Issue can still occur if you have added the AddTrust External CA or UserTrust certificate manually. Please try removing those certificates from the certificate validation page if they are listed.

    Checked out certificates and located one for AddTrust External CA, which was likely added when first trying to troubleshoot the issue ... was expired so deleted. Found 4 certificates issued by USERTrust RSA Certificate Authority, all current with expiry dates years in the future; did not take any action in regard to these.

    Please try clearing the "Certificate Cache" under the "Configuration > Global policy > General options > Clear Certificate Cache". Please do this during downtime only. Wait for 15 to 20 minutes after doing this as it may take several minutes.

    Completed this task on each Web Proxy Appliance in our cluster.

    Please reboot the web appliance/s one by one after that.

    Completed this task on each Web Proxy Appliance in our cluster.


    I have been slowly (one at a time, with testing for each) removing websites from the HTTPS Scanning Exemptions. Completed 12 websites on Friday. Have re-checked them this morning (Monday) and all are still working normally. So the indications are that the issues have been resolved, but I will still be taking a cautious approach to minimise any impact on our users, working towards a point where all websites previously added to the HTTPS Scanning Exemptions have been removed.

    Hope this helps.

    Cheers,
    Duncan
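
Added example, not part of the thread and not Sophos tooling: the check described above, looking through manually added CA certificates for expired entries such as the AddTrust External CA one, can be scripted with `openssl` once those certificates are available as a PEM bundle. That export is an assumption (the thread does not describe one), `audit_bundle` and `make_sample_bundle` are hypothetical names, and the two sample certificates are constructed.

```bash
#!/bin/sh
# Added example. Assumption: the manually trusted CA certificates have
# been saved into one PEM bundle file.

# audit_bundle BUNDLE [WINDOW_SECONDS]
# Prints STATUS<TAB>notAfter<TAB>subject for every certificate in BUNDLE.
# STATUS is FLAGGED when the certificate is expired or expires within
# WINDOW_SECONDS (default 0 = already expired). Exit status is non-zero
# if anything was flagged.
audit_bundle() (
  bundle=$1; window=${2:-0}; flagged=0
  tmp=$(mktemp -d) || exit 2
  # Split the bundle into one file per certificate.
  awk -v dir="$tmp" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%03d.pem", dir, n) }
    out != "" { print > out }
    /-----END CERTIFICATE-----/   { close(out); out = "" }
  ' "$bundle"
  for f in "$tmp"/cert*.pem; do
    [ -e "$f" ] || continue
    subject=$(openssl x509 -in "$f" -noout -subject 2>/dev/null) ||
      { printf 'UNPARSEABLE\t-\t%s\n' "${f##*/}"; flagged=$((flagged + 1)); continue; }
    end=$(openssl x509 -in "$f" -noout -enddate | cut -d= -f2)
    # -checkend exits non-zero if the cert will have expired WINDOW_SECONDS from now.
    if openssl x509 -in "$f" -noout -checkend "$window" >/dev/null 2>&1; then
      status=OK
    else
      status=FLAGGED; flagged=$((flagged + 1))
    fi
    printf '%s\t%s\t%s\n' "$status" "$end" "${subject#subject=}"
  done
  rm -rf "$tmp"
  [ "$flagged" -eq 0 ]
)

# Constructed sample input: two throwaway self-signed roots, valid for
# 1 day and 3650 days (names and lifetimes are made up for the demo).
make_sample_bundle() (
  dir=$(mktemp -d) || exit 2
  for spec in "1:Constructed Short-Lived Root" "3650:Constructed Long-Lived Root"; do
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/key.pem" \
      -days "${spec%%:*}" -subj "/CN=${spec#*:}" 2>/dev/null || exit 2
  done > "$1"
  rm -rf "$dir"
)

# Demo: flag anything that expires within the next 30 days.
bundle=$(mktemp) && make_sample_bundle "$bundle"
audit_bundle "$bundle" $((30 * 24 * 3600)) || echo "review FLAGGED entries"
rm -f "$bundle"
```

With the default window of 0 only certificates that are already expired are flagged; a longer window also catches entries that are about to lapse.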