HTTPS-Scanning some Website-Certs invalid (expired)

I have a strange problem here with an XG cluster. On 07.06.22 there was a problem with the onsite NTP service. After the failure, which lasted about 5 minutes, some websites such as google.com can no longer be accessed in a browser because the certificate of the website expired on 07/06/22.

Background:
The XG provides clients with an HTTP proxy with active HTTPS scanning. The local certificate of the XG is used. The funny thing is that the root certificate is still valid for a long time; only the certificate of the website itself has expired.

Does anyone have a clue?

I have already restarted the XG and also updated from V18.5.2 to the current V19.



  • The certificates are cached so that the cost of regenerating them is not incurred frequently.
    They are stored as files in /var/certcache

    If I recall there was an issue with clearing them. Something to do with deleting them on a running system, or something to do with performance when deleting ten thousand small files.

    On occasion when we have to delete them we do:
    touch /var/certcache/.clear_all_certs_on_reload

    And then reboot the box. Note that the reboot might take longer than normal.

  • Thank you.
    I would open a ticket again since it is an HA cluster before I break something.
    Too bad there are no built-in commands for such tasks.
