In some cases, if the 'show security trust-package' CLI command shows a trust package created after Monday, October 22nd 2018 20:41:47 UTC then this issue may not occur and the Edge SWG (ProxySG) can be upgraded directly to a later SGOS release without following these steps.
Release : pre SGOS 6.7.4.3
The solution is to change the clock to Jan 1, 2020 so the Edge SWG (ProxySG) will think the certificate is still valid, and then upgrade to SGOS 6.7.4.3. Once the box is at 6.7.4.3, the box can be upgraded to its final destination. After upgrading successfully, set the clock back.
Instruction from the GUI:
To set the clock back to a date before the certificate expires:
To upgrade the Edge SWG (ProxySG) from a local file:
To upgrade the Edge SWG (ProxySG) from a URL:
As the clock is set back, TLS connections will fail. Any URL will need to be HTTP, and not HTTPS. There are still some situations in which upgrading by URL will not work, and so please upgrade via local file if the following does not work for you.
Once the box is back up, follow the same process for the version of SGOS you are upgrading to. Once you are on your final version, follow the instructions on changing the clock to put the date back, and re-enable NTP if it was configured.
Instructions from CLI:
To set the clock to Jan 1, 2020:
To upgrade the Edge SWG (ProxySG) from a URL:
Because the clock is no longer current, TLS connections will fail. Any URL will need to be HTTP, and not HTTPS. There are still some situations in which upgrading by URL will not work, and so please upgrade via local file in GUI if the following does not work for you.
From the command line:
Below is some sample output of what the upgrade would look like had the date been Jan 10, 2020.
Once the box is back up, follow the same process for the version of SGOS you are upgrading to. Once you are on your final version, follow the instructions on changing the clock to put the date back, and re-enable NTP if it was configured.