This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
IZoom
Contributor
‎2021-10-19 09:24 AM

HTTPS Inspection Certificate Expired / R3 - Let's Encrypt

Jump to solution

Hi,

 

I have just enabled HTTPSi and wondering about logs.

 

All pages with R3 certificates reports Certificate Expired, even the cert is OK, all cert path is OK. Only one thing I found in certs is missing CRL/OCSP info, but I don't believe this is a root case for HTTPSi errors.

 

anyone facing such issue too?

 

(1800 / R80.20.35)

 

 

0 Kudos
2 Solutions

Accepted Solutions
Tom_Hinoue
Advisor
‎2021-10-20 01:38 AM
In response to IZoom

Jump to solution

@IZoom 
Regarding Missing CA's like [ISRG Root X1/X2] related to Let's Encrypt, we raised a case for it and received a hotfix including the additional CA's. It should be included in [R80.20.35 Build 992002480], so try contacting TAC if you want to try it.

View solution in original post

0 Kudos
IZoom
Contributor
‎2021-11-20 10:59 AM
In response to Tom_Hinoue

Jump to solution

OK, finally find some time to play with. The root case was that automatic update of trusted root certification authorities / in https inspection console / was not working. After manual update everything working fine.

In documentation is written you can disable automatic updates, but I did not found such option. There is only notify me about new updates (without choosing method).

View solution in original post

0 Kudos
7 Replies
Amir_Ayalon
Employee
Employee
‎2021-10-19 09:48 AM

Jump to solution

some R3 certificates reach timeout (maybe due to missing CRL info), and in this case the behavior is trust unreachable CRL (the site is loading and not blocked)

 

0 Kudos
IZoom
Contributor
‎2021-10-20 12:24 AM
In response to Amir_Ayalon

Jump to solution

Thank you for reply. Should not be the error message "Missing CRL" or something like that? The error message in this case looks not pointing to  real issue.

Tom_Hinoue
Advisor
‎2021-10-20 01:38 AM
In response to IZoom

Jump to solution

@IZoom 
Regarding Missing CA's like [ISRG Root X1/X2] related to Let's Encrypt, we raised a case for it and received a hotfix including the additional CA's. It should be included in [R80.20.35 Build 992002480], so try contacting TAC if you want to try it.

0 Kudos
Tom_Hinoue
Advisor
‎2021-10-20 01:45 AM
In response to Tom_Hinoue

Jump to solution

"Invalid CRL Retrieved" and "No Valid CRL" error messages in HTTPS Detect Logs
This may relate as well, which I believe is not included in Gaia Embedded

0 Kudos
IZoom
Contributor
‎2021-11-20 10:59 AM
In response to Tom_Hinoue

Jump to solution

OK, finally find some time to play with. The root case was that automatic update of trusted root certification authorities / in https inspection console / was not working. After manual update everything working fine.

In documentation is written you can disable automatic updates, but I did not found such option. There is only notify me about new updates (without choosing method).

0 Kudos
IZoom
Contributor
‎2021-11-25 10:32 AM
In response to Tom_Hinoue

Jump to solution

Hi,

can you see as well the Invalid CRL retrieved from all sites signed by LE/R3/...?

In the certificate itself is missing CRL or OCSP. Found something related in sk172345. It is strange, that you are able trough AIA verify revoked certificates, but CHP print lot of errors.

0 Kudos
IZoom
Contributor
‎2021-11-25 10:45 AM
In response to IZoom

Jump to solution

found sk172345, where checkpoint requires CRL & OCSP... Strange, that all systems incl. ssllabs.com has no issue with that.

0 Kudos