Your request contacted a host which presented an expired or invalid certificate when connecting to a site using a "Lets Encrypt" Issued Certificate. So a redirected site may get bypassed instead of being isolated and the following errors are seen in the fireglass logs.
Error: PROBE_REDIRECT_ERROR
Error message: certificate has expired
A second example is for a video web isolation fetches for the client using the same certificate bundle with the old Lets Encrypt cert in it. We would see the following errors in the fireglass logs.
Error: VIDEO_STREAMER_UNAUTHORIZED_CONNECTION
Error mesage: CERT_HAS_EXPIRED
There are two scripts referenced in this article, one for 1.13.x & the other for 1.14.x, both written for WI on-prem
DST Root CA X3 Expiration (September 30, 2021) and due to the cross signing nature of the certificate, the chain is being constructed with the expired cert.
You will need to remove the expired certificate from all web isolation gateways including the MGMT
Download & Run Script
ssh into all WI gateways (including MGMT box) and run the following syntax for the respective WI version
WI 1.13.x
su fireglass -c "fgcli fileserver download patch/BAL-2702/remove_cer_dst_1_13.sh /tmp/ && chmod +x /tmp/remove_cer_dst_1_13.sh && /tmp/remove_cer_dst_1_13.sh"
WI 1.14.x
su fireglass -c "fgcli fileserver download patch/BAL-2702/remove_cer_dst.sh /tmp/ && chmod +x /tmp/remove_cer_dst.sh && /tmp/remove_cer_dst.sh"
***note: patch will cause up to 1 minute of downtime***
Backout Script
run the following syntax only if there was an error or unexpected results from the script above, it will revert the changes
WI 1.13.x
su fireglass -c "fgcli fileserver download patch/BAL-2702/remove_cer_dst_1_13_revert.sh /tmp/ && chmod +x /tmp/remove_cer_dst_1_13_revert.sh && /tmp/remove_cer_dst_1_13_revert.sh"
WI 1.14.x
su fireglass -c "fgcli fileserver download patch/BAL-2702/remove_cer_dst_REVERT.sh /tmp/ && chmod +x /tmp/remove_cer_dst_REVERT.sh && /tmp/remove_cer_dst_REVERT.sh"
If a downstream BlueCoat proxySG is being used to forward traffic to web isolation, please refer to the following KB to remove the expired cert on the SG appliance.
https://knowledge.broadcom.com/external/article?articleId=225163
For more specific details see the article below from Let's Encrypt regarding the expiration.
https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/