HTTPS-Scanning some Website-Certs unvalid (expired)

Question

have a strange problem here with an XG cluster. On 07.06.22 there was a problem with the onsite NTP service. After the failure, which lasted about 5 minutes, some websites such as google.com can no longer be accessed in a browser because the certificate of the website expired on 07/06/22.

Background:
The XG provides clients with an HTTP proxy with active HTTPS scanning. The local certificate of the XG is used. Funny is that the root certificate is still valid for a long time, only the certificate of the website itself has expired.

Does anyone have a clue?

I have already restarted the XG and also updated from V18.5.2 to the current V19.

This thread was automatically locked due to age.

Michael Dunn · Answer

The certificates are cached so that the cost of regenerating them is not incurred frequently. They are stored as files in /var/certcache 
 If I recall there was an issue with clearing them. Something to do with deleting them on a running system, or something to do with performance when deleting ten thousand small files. 
 On occasion when we have to delete them we do: touch /var/certcache/.clear_all_certs_on_reload 
 And then reboot the box. Note that the reboot might take longer than normal.

HTTPS-Scanning some Website-Certs unvalid (expired)

Top Replies