Hi Community,

Overview

Websites that are signed by Sectigo root CA may fail to connect and a certificate validation failed due certificate AddTrust External CA Root expired on May 30th 2020

An issue occurs cause OpenSSL checks the certificate chain path which leads to an expired 'AddTrust External CA'. Hence you may observe sites that are signed by Sectigo root CA may fail to connect and a certificate validation failed message displayed to the end-user

If you have a site that has an expired certificate and is processed by Sophos Web appliance it would block the website by certificate verification. 

Here is a sample of the packet capture when the remote server would present the CA certificate which has expired.

If the certificate which is expired is presented to Sophos Web Appliance, it would check for validation of the certificate and would determine if it's valid or not. Users would see the following error message

For more information, please visit this article: https://community.sophos.com/kb/en-us/135544