https://community.checkpoint.com/t5/Spark-Firewall-SMB/HTTPS-Inspection-Certificate-Expired-R3-Let-s-Encrypt/m-p/134938#M6091 <P>found&nbsp;sk172345, where checkpoint requires CRL &amp; OCSP... Strange, that all systems incl. ssllabs.com has no issue with that.</P> Thu, 25 Nov 2021 18:45:00 GMT IZoom 2021-11-25T18:45:00Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/HTTPS-Inspection-Certificate-Expired-R3-Let-s-Encrypt/m-p/132130#M5947 <P>Hi,</P><P>&nbsp;</P><P>I have just enabled HTTPSi and wondering about logs.</P><P>&nbsp;</P><P>All pages with R3 certificates reports Certificate Expired, even the cert is OK, all cert path is OK. Only one thing I found in certs is missing CRL/OCSP info, but I don't believe this is a root case for HTTPSi errors.</P><P>&nbsp;</P><P>anyone facing such issue too?</P><P>&nbsp;</P><P>(1800 / R80.20.35)</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 19 Oct 2021 16:24:44 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/HTTPS-Inspection-Certificate-Expired-R3-Let-s-Encrypt/m-p/132130#M5947 IZoom 2021-10-19T16:24:44Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/HTTPS-Inspection-Certificate-Expired-R3-Let-s-Encrypt/m-p/132132#M5948 <P>some R3 <SPAN>certificates&nbsp;reach timeout (maybe due to missing CRL info), and in this case the behavior&nbsp;is&nbsp;</SPAN>trust unreachable CRL (the site is loading and not blocked)</P> <P>&nbsp;</P> Tue, 19 Oct 2021 16:48:27 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/HTTPS-Inspection-Certificate-Expired-R3-Let-s-Encrypt/m-p/132132#M5948 Amir_Ayalon 2021-10-19T16:48:27Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/HTTPS-Inspection-Certificate-Expired-R3-Let-s-Encrypt/m-p/132178#M5951 <P>Thank you for reply. Should not be the error message "Missing CRL" or something like that? The error message in this case looks not pointing to&nbsp; real issue.</P> Wed, 20 Oct 2021 07:24:50 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/HTTPS-Inspection-Certificate-Expired-R3-Let-s-Encrypt/m-p/132178#M5951 IZoom 2021-10-20T07:24:50Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/HTTPS-Inspection-Certificate-Expired-R3-Let-s-Encrypt/m-p/132189#M5953 <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/58088">@IZoom</a>&nbsp;<BR />Regarding Missing CA's like [ISRG Root X1/X2] related to Let's Encrypt, we raised a case for it and received a hotfix including the additional CA's. It should be included in [R80.20.35 Build 992002480], so try contacting TAC if you want to try it.</P> Wed, 20 Oct 2021 08:38:14 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/HTTPS-Inspection-Certificate-Expired-R3-Let-s-Encrypt/m-p/132189#M5953 Tom_Hinoue 2021-10-20T08:38:14Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/HTTPS-Inspection-Certificate-Expired-R3-Let-s-Encrypt/m-p/132190#M5954 <P><A title="&quot;Invalid CRL Retrieved&quot; and &quot;No Valid CRL&quot; error messages in HTTPS Detect Logs" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk172345" target="_self">"Invalid CRL Retrieved" and "No Valid CRL" error messages in HTTPS Detect Logs</A><BR />This may relate as well, which I believe is not included in Gaia Embedded</P> Wed, 20 Oct 2021 08:45:28 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/HTTPS-Inspection-Certificate-Expired-R3-Let-s-Encrypt/m-p/132190#M5954 Tom_Hinoue 2021-10-20T08:45:28Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/HTTPS-Inspection-Certificate-Expired-R3-Let-s-Encrypt/m-p/134583#M6068 <P>OK, finally find some time to play with. The root case was that automatic update of trusted root certification authorities / in https inspection console / was not working. After manual update everything working fine.</P><P>In documentation is written you can disable automatic updates, but I did not found such option. There is only notify me about new updates (without choosing method).</P> Sat, 20 Nov 2021 18:59:31 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/HTTPS-Inspection-Certificate-Expired-R3-Let-s-Encrypt/m-p/134583#M6068 IZoom 2021-11-20T18:59:31Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/HTTPS-Inspection-Certificate-Expired-R3-Let-s-Encrypt/m-p/134937#M6090 <P>Hi,</P><P>can you see as well the Invalid CRL retrieved from all sites signed by LE/R3/...?</P><P>In the certificate itself is missing CRL or OCSP. Found something related in&nbsp;sk172345. It is strange, that you are able trough AIA verify revoked certificates, but CHP print lot of errors.</P> Thu, 25 Nov 2021 18:32:38 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/HTTPS-Inspection-Certificate-Expired-R3-Let-s-Encrypt/m-p/134937#M6090 IZoom 2021-11-25T18:32:38Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/HTTPS-Inspection-Certificate-Expired-R3-Let-s-Encrypt/m-p/134938#M6091 <P>found&nbsp;sk172345, where checkpoint requires CRL &amp; OCSP... Strange, that all systems incl. ssllabs.com has no issue with that.</P> Thu, 25 Nov 2021 18:45:00 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/HTTPS-Inspection-Certificate-Expired-R3-Let-s-Encrypt/m-p/134938#M6091 IZoom 2021-11-25T18:45:00Z