Error "Expired SSL Server Certificate (ssl_server_cert_expired)" when going through the ProxySG or ASG for Comodo sites

book

Article ID: 191944

calendar_today

Updated On:

Products

Advanced Secure Gateway Software - ASG ProxySG Software - SGOS

Issue/Introduction

When navigating to sites signed by "AddTrust External CA Root" while going through a ProxySG or Advance Secure Gateway (ASG), the user will be denied
access with the error message: "Expired SSL Server Certificate (ssl_server_cert_expired)".

Some sites affected include us.etrade.com, msp.elateral.com, www.theage.com.au, comodo.com,  and target.cbxcloud.com.

There doesn't appear to be an issue when going to these websites when bypassing the ProxySG or ASG.

Cause

On  May 30 2020 at 10:48:38 GMT, a CA certificate named the "AddTrust External CA Root" expired. 

This certificate was used as a signing certificate for newer root CA certificates via a cross-signing relationship including the "USERTrust RSA Certification Authority" and the "COMODO RSA Certification Authority".

Both the "USERTrust RSA Certification Authority and the "COMODO RSA Certification Authority" CA certificates are already present in the ProxySG Trust Package.

Even though the "AddTrust External CA Root" has expired, several web servers on the Internet are still presenting an old expired certificate chain in their server certificate TLS handshake message.  

This old certificate chain is rooted in the expired "AddTrust External CA Root" and also includes expired copies of the newer CA certificates. 

Such a chain looks like this:

CN=*.elateral.com
  CN=Sectigo RSA Organization Validation Secure Server CA
    CN=USERTrust RSA Certification Authority <<< NEW CA, BUT OLDER EXPIRED CERT
      CN=AddTrust External CA Root <<< EXPIRED ROOT

Web browsers ignore the expired certificate chain provided by the web server and validate the connection.  As they walk the certificate chain, they build an alternate trusted chain through their certificate store.

The ProxySG and ASG versions 6.7 and earlier rejects the connection due to the expired certificate chain provided by the web server.

Environment

 ProxySG or ASG with certificate validation.

Resolution

This is not an issue in SGOS 7.2 and later.

The resolution for SGOS 6.7 will be addressed with an updated trust package that removes the expired certificates (planned by end of day Jun 2, 2020).
See Upgrade of the ProxySG and ASG Trust Package - June 2, 2020

If using Workaround 1 or Workaround 2 below, be sure to remove the policy after applying the trust package update.


Use one of the following workarounds to address this issue in the meantime:

Workaround 1

Disable Server certificate validation for affected destinations/sites in proxy policy

OR

Workaround 2

Enable server certificate validation for affected destinations/sites while ignoring certificate expiration and not
checking certificate revocation.

OR

Workaround 3

Manually remove AddTrust External CA Root from the "Browser Trusted" CCL


For Customers Running EOL SGOS Versions 6.5 or 6.6
After applying the trust package update to remove the expired root certificate, users receive the error message Untrusted SSL Server Certificate (ssl_server_cert_untrusted_issuer).

This workaround is not valid for these SGOS versions as the embedded OpenSSL versions utilized do not support alternate certificate chaining. Alternate certificate chaining is only available as of OpenSSL 1.0.1n / 1.0.2b while 6.5 and 6.6 utilize OpenSSL 1.0.1e and 1.0.1j, respectively. This means the proxy running on these versions can only validate the chain provided by the web server.

Customers running these versions must use workarounds 1 or 2 listed above. The only alternatives are to upgrade the appliances to 6.7+ or tolerate the error message until the website owners update their certificate chains.

Additional Information

https://calnetweb.berkeley.edu/calnet-technologists/incommon-sectigo-certificate-service/addtrust-external-root-expiration-may-2020
https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA01N000000rgSZ