IZoom
Contributor

HTTPS Inspection Certificate Expired / R3 - Let's Encrypt
Hi,

I have just enabled HTTPSi and am wondering about the logs.

All pages with R3 certificates report "Certificate Expired", even though the cert is OK and the whole cert path is OK. The only thing I found missing in the certs is CRL/OCSP info, but I don't believe this is the root cause of the HTTPSi errors.

Is anyone facing such an issue too?

(1800 / R80.20.35)


2 Solutions

Accepted Solutions
Tom_Hinoue
Advisor

@IZoom 
Regarding missing CAs like [ISRG Root X1/X2] related to Let's Encrypt, we raised a case for it and received a hotfix including the additional CAs. It should be included in [R80.20.35 Build 992002480], so try contacting TAC if you want to try it.

IZoom
Contributor

OK, I finally found some time to play with it. The root cause was that the automatic update of trusted root certification authorities (in the HTTPS Inspection console) was not working. After a manual update everything is working fine.

The documentation says you can disable automatic updates, but I did not find such an option. There is only "notify me about new updates" (without choosing a method).

7 Replies
Amir_Ayalon
Employee

Some R3 certificates reach a timeout (maybe due to missing CRL info), and in this case the behavior is to trust an unreachable CRL (the site loads and is not blocked).

IZoom
Contributor

Thank you for the reply. Shouldn't the error message be "Missing CRL" or something like that? The error message in this case does not seem to point to the real issue.

Tom_Hinoue
Advisor

"Invalid CRL Retrieved" and "No Valid CRL" error messages in HTTPS Detect Logs
This may be related as well, which I believe is not included in Gaia Embedded.

IZoom
Contributor

Hi,

Can you also see "Invalid CRL retrieved" from all sites signed by LE/R3/...?

The certificate itself is missing CRL or OCSP. I found something related in sk172345. It is strange that you are able to verify revoked certificates through AIA, but CHP prints a lot of errors.

IZoom
Contributor

Found sk172345, where Check Point requires CRL & OCSP... Strange that all systems, incl. ssllabs.com, have no issue with that.

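The two conditions discussed in this thread, a leaf certificate that carries no CRL/OCSP URLs and a trust store that never received the new root CA, can be told apart with a small offline check instead of relying on the inspection log's wording. This is an added example in Go using only the standard library; it is not Check Point's code or anything posted in the thread, and the root CA, the leaf certificate and the names in it are constructed test data:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type Findings struct {
	Expired, NoCRL, NoOCSP bool  // validity window, CRL Distribution Points, OCSP URL in AIA
	ChainError             error // nil only when a path to a root in the trust store exists
}

// Diagnose checks one leaf certificate against a trust store at a given time.
func Diagnose(leaf *x509.Certificate, roots *x509.CertPool, now time.Time) Findings {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now})
	return Findings{
		Expired:    now.Before(leaf.NotBefore) || now.After(leaf.NotAfter),
		NoCRL:      len(leaf.CRLDistributionPoints) == 0,
		NoOCSP:     len(leaf.OCSPServer) == 0,
		ChainError: err,
	}
}

// BuildChain creates a throwaway root CA and a leaf signed by it (constructed test data); the leaf carries no CRL or OCSP URLs.
func BuildChain(now time.Time) (root, leaf *x509.Certificate) {
	rootPub, rootKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	nb, na := now.Add(-time.Hour), now.Add(24*time.Hour)
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test Root"}, NotBefore: nb,
		NotAfter: na, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, _ := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, rootPub, rootKey)
	root, _ = x509.ParseCertificate(der)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "www.example.test"},
		NotBefore: nb, NotAfter: na, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	der, _ = x509.CreateCertificate(rand.Reader, leafTmpl, root, leafPub, rootKey)
	leaf, _ = x509.ParseCertificate(der)
	return root, leaf
}

func main() {
	root, leaf := BuildChain(time.Now())
	stale, fresh := x509.NewCertPool(), x509.NewCertPool() // stale never received the new root CA
	fresh.AddCert(root)
	fmt.Printf("stale store: %+v\nupdated store: %+v\n", Diagnose(leaf, stale, time.Now()), Diagnose(leaf, fresh, time.Now()))
}
```

With the stale pool, ChainError is the "certificate signed by unknown authority" error while Expired stays false; after adding the root, ChainError is nil but NoCRL and NoOCSP remain true, which is the situation the posts describe.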