This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
IZoom
Contributor
Contributor
‎2021-10-19 09:24 AM
Jump to solution

HTTPS Inspection Certificate Expired / R3 - Let's Encrypt

Hi,

 

I have just enabled HTTPSi and wondering about logs.

 

All pages with R3 certificates reports Certificate Expired, even the cert is OK, all cert path is OK. Only one thing I found in certs is missing CRL/OCSP info, but I don't believe this is a root case for HTTPSi errors.

 

anyone facing such issue too?

 

(1800 / R80.20.35)

 

 

0 Kudos
2 Solutions

Accepted Solutions
Tom_Hinoue
Advisor
Advisor
‎2021-10-20 01:38 AM
In response to IZoom
Jump to solution

@IZoom 
Regarding Missing CA's like [ISRG Root X1/X2] related to Let's Encrypt, we raised a case for it and received a hotfix including the additional CA's. It should be included in [R80.20.35 Build 992002480], so try contacting TAC if you want to try it.

View solution in original post

0 Kudos
IZoom
Contributor
Contributor
‎2021-11-20 10:59 AM
In response to Tom_Hinoue
Jump to solution

OK, finally find some time to play with. The root case was that automatic update of trusted root certification authorities / in https inspection console / was not working. After manual update everything working fine.

In documentation is written you can disable automatic updates, but I did not found such option. There is only notify me about new updates (without choosing method).

View solution in original post

0 Kudos
7 Replies
Amir_Ayalon
Employee
Employee
‎2021-10-19 09:48 AM
Jump to solution

some R3 certificates reach timeout (maybe due to missing CRL info), and in this case the behavior is trust unreachable CRL (the site is loading and not blocked)

 

0 Kudos
IZoom
Contributor
Contributor
‎2021-10-20 12:24 AM
In response to Amir_Ayalon
Jump to solution

Thank you for reply. Should not be the error message "Missing CRL" or something like that? The error message in this case looks not pointing to  real issue.

Tom_Hinoue
Advisor
Advisor
‎2021-10-20 01:38 AM
In response to IZoom
Jump to solution

@IZoom 
Regarding Missing CA's like [ISRG Root X1/X2] related to Let's Encrypt, we raised a case for it and received a hotfix including the additional CA's. It should be included in [R80.20.35 Build 992002480], so try contacting TAC if you want to try it.

0 Kudos
Tom_Hinoue
Advisor
Advisor
‎2021-10-20 01:45 AM
In response to Tom_Hinoue
Jump to solution

"Invalid CRL Retrieved" and "No Valid CRL" error messages in HTTPS Detect Logs
This may relate as well, which I believe is not included in Gaia Embedded

0 Kudos
IZoom
Contributor
Contributor
‎2021-11-20 10:59 AM
In response to Tom_Hinoue
Jump to solution

OK, finally find some time to play with. The root case was that automatic update of trusted root certification authorities / in https inspection console / was not working. After manual update everything working fine.

In documentation is written you can disable automatic updates, but I did not found such option. There is only notify me about new updates (without choosing method).

0 Kudos
IZoom
Contributor
Contributor
‎2021-11-25 10:32 AM
In response to Tom_Hinoue
Jump to solution

Hi,

can you see as well the Invalid CRL retrieved from all sites signed by LE/R3/...?

In the certificate itself is missing CRL or OCSP. Found something related in sk172345. It is strange, that you are able trough AIA verify revoked certificates, but CHP print lot of errors.

0 Kudos
IZoom
Contributor
Contributor
‎2021-11-25 10:45 AM
In response to IZoom
Jump to solution

found sk172345, where checkpoint requires CRL & OCSP... Strange, that all systems incl. ssllabs.com has no issue with that.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events