"Block invalid certificates" option blocks valid certificates

Question

I've been trying out the "block invalid certificates" option under web protection and have noticed that some valid certificates are blocked with error message "SSL error: unable to get local issuer certificate". Most blocked sites are ad networks but unfortunately some more necessary sites as well. When verifying the blocked certificates on another internet connection they are all fine in Chrome/Internet Explorer/Safari etc. 
 Anyone else having these issues?

DouglasFoster · Accepted Answer

Servers are supposed to provide both their identity certificate and their intermediate certificate(s) in response to the Client Hello. Many system managers do not install their certificates correctly, so the intermediate certificate is missing from the chain, which makes it untrusted. 
 The major browsers use a feature called AIA Fetching to locate the missing certificate from a trusted source. UTM does not have this feature, and I suspect that XG lacks it as well. 
 To test whether a certificate is actually valid or not, you need to use an SSL Test utility. Your certificate vendor will have one. For a comprehensive test, use the server test utility at ssllabs . com 
 Assuming this is the cause, and that you trust the site, this process should be a viable workaround: 
 
 Navigate to the site with a browser (Except Edge, which cannot display what you need) 
 Open the certificate properties. This is clunk on Chrome. On older versions of I.E., just use File.. Properties... [Certificates] 
 On the certificate path tab, navigate to the missing certificate and view its properties. 
 On the Details tab of that window, choose the option to save to file. 
 Import the intermediate certificate as if it was a root certificate. 
 
 One of the purposes of an intermediate certificate is to rapidly and automtically invalidate a lot of certificates if a problem occurs, since root certificates cannot be invalidated. I am not aware of this drastic measure being used, but you should be aware that by installing the certificate as a root, it can no longer be invalidated if that situation arises. (A manual delete would be needed instead.) 
 Of course, certificate revocation only works if your device performs certificate revocation checks. You might ask whether XG does, or can. 
 Another common server error is to include the root certificate in the download chain. UTM used to reject those certificate chains as well, but it does not any more. I am guessing that XG will have the ability to ignore the unwanted certificate as well. 
 Occasionally, I have encountered servers with the chain ordered incorrectly. 
 Once you do the server test on the certificates involved, you will know which configuration error is giving you problems.