Hi folks,
the XG has suddenly decided that a valid certificate has expired.
I will create an exception for this site and hopefully someone can explain why this is happening?
Ian
Hi folks,
I now have a second site with the same issue. The second site's certificate expires in Sept 2020.
I would suspect the XG has a date validation issue; the issue started just after midnight my time (EAST).
Both sites are European, whereas the US, Australia I don't have an issue with.
Ian
Seems to be related to the expired root certificate of USERtrust https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020 and the alternative verification path.
See: https://www.ssllabs.com/ssltest/analyze.html?d=www.idnes.cz
Best regards,
Andreas
Hi all,
OK, it works, but now the question is: why doesn't Sophos XG support USERTrust?
A legacy browser or older device that does not have the modern “USERTrust” root would not trust it and so would look further up the chain to a root it does trust, the AddTrust External CA Root. A more modern browser would have the USERTrust root already installed and trust it without needing to rely on the older AddTrust root.
Max.
Hej Max,
IMHO it's not »Sophos not supporting UserTrust« but more a thing of older versions of OpenSSL not doing the multipath check correctly. Also GnuTLS has a bug which has been fixed some days ago. So this problem occurs more or less due to »broken« SSL libraries...
Best regards,
Andreas
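
Added example, not part of the original thread and not code from Sophos, OpenSSL or GnuTLS: a simplified model of the two verification paths discussed above, comparing a validator that only follows the chain as the server sent it with one that tries every candidate issuer. The certificate names and dates are constructed (only the 30 May 2020 AddTrust expiry comes from the thread), and signatures are not checked.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: datetime

# Constructed stand-ins; only the 30 May 2020 AddTrust expiry comes from the thread.
OLD, NEW = datetime(2020, 5, 30), datetime(2030, 1, 1)
leaf = Cert("www.example.test", "Issuing CA", datetime(2020, 9, 1))
issuing = Cert("Issuing CA", "USERTrust", NEW)
usertrust_cross = Cert("USERTrust", "AddTrust External CA Root", OLD)  # cross-signed
usertrust_root = Cert("USERTrust", "USERTrust", NEW)                   # self-signed
addtrust_root = Cert("AddTrust External CA Root", "AddTrust External CA Root", OLD)

SENT_BY_SERVER = [leaf, issuing, usertrust_cross]
MODERN_STORE = [addtrust_root, usertrust_root]  # has both roots
LEGACY_STORE = [addtrust_root]                  # older device, AddTrust only

def issuers(cert, pool):
    """Certificates in pool whose subject matches cert's issuer (excluding itself)."""
    return [c for c in pool if c.subject == cert.issuer and c != cert]

def verify_chain_as_sent(chain, store, now):
    """Single path: walk the server's chain in order, then look for its root."""
    if any(c.not_after < now for c in chain):
        return False
    if any(c.issuer != p.subject for c, p in zip(chain, chain[1:])):
        return False
    return any(r.not_after >= now for r in issuers(chain[-1], store))

def verify_any_path(cert, sent, store, now, depth=0):
    """Multipath: prefer trust anchors, backtrack over every candidate issuer."""
    if cert.not_after < now or depth > 8:
        return False
    if cert in store:  # reached a trust anchor that is still valid
        return True
    candidates = issuers(cert, store) + issuers(cert, sent)
    return any(verify_any_path(c, sent, store, now, depth + 1) for c in candidates)

def compare(store, now):
    """Return (single-path result, multipath result) for the constructed chain."""
    return (verify_chain_as_sent(SENT_BY_SERVER, store, now),
            verify_any_path(leaf, SENT_BY_SERVER, store, now))
```

With the modern store, the single-path check starts failing once the cross-signed certificate expires, while the multipath check stops at the self-signed USERTrust root and still succeeds.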