
Let's Encrypt Expired Certificate


Article ID: 226999


Updated On:

Products

Web Isolation
Web Isolation Cloud
Threat Isolation Gateway

Issue/Introduction

Requests to a site that presents a "Let's Encrypt" issued certificate fail certificate validation, and the site is reported as having an expired or invalid certificate. A redirected site may therefore be bypassed instead of isolated, and the following errors are seen in the fireglass logs.

Error: PROBE_REDIRECT_ERROR
Error message: certificate has expired

 

A second example is a video that Web Isolation fetches on behalf of the client. The fetch uses the same certificate bundle, which still contains the old Let's Encrypt root certificate, and the following errors are seen in the fireglass logs.

Error: VIDEO_STREAMER_UNAUTHORIZED_CONNECTION
Error message: CERT_HAS_EXPIRED

Cause

DST Root CA X3 expired on September 30, 2021. Let's Encrypt's current root, ISRG Root X1, is cross-signed by DST Root CA X3, so a validator whose certificate bundle still contains the expired DST Root CA X3 builds the chain up through that expired root and rejects it, even though a valid path to ISRG Root X1 exists.

Environment

Two scripts are referenced in this article: one for WI 1.13.x and one for WI 1.14.x. Both are written for Web Isolation on-prem.

Resolution

You will need to remove the expired certificate from all Web Isolation gateways, including the MGMT (management) box.

 

Download & Run Script
SSH into all WI gateways (including the MGMT box) and run the following command for the respective WI version.

 

WI 1.13.x

su fireglass -c "fgcli fileserver download patch/BAL-2702/remove_cer_dst_1_13.sh /tmp/ && chmod +x /tmp/remove_cer_dst_1_13.sh && /tmp/remove_cer_dst_1_13.sh"

 

WI 1.14.x

su fireglass -c "fgcli fileserver download patch/BAL-2702/remove_cer_dst.sh /tmp/ && chmod +x /tmp/remove_cer_dst.sh && /tmp/remove_cer_dst.sh"

 

***note: the patch will cause up to 1 minute of downtime***

 

Backout Script
Run the following command only if the script above returned an error or produced unexpected results; it reverts the changes.

 

WI 1.13.x

su fireglass -c "fgcli fileserver download patch/BAL-2702/remove_cer_dst_1_13_revert.sh /tmp/ && chmod +x /tmp/remove_cer_dst_1_13_revert.sh && /tmp/remove_cer_dst_1_13_revert.sh"

 

WI 1.14.x

su fireglass -c "fgcli fileserver download patch/BAL-2702/remove_cer_dst_REVERT.sh /tmp/ && chmod +x /tmp/remove_cer_dst_REVERT.sh && /tmp/remove_cer_dst_REVERT.sh"
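The vendor scripts above are opaque, so an administrator will usually want to see for themselves which certificates in a bundle have expired, prune them with a backout copy kept, and confirm the result. The script below is an added example written for this article; it is not Broadcom's remove_cer_dst.sh and it does not know where Web Isolation keeps its bundle (the bundle path is an assumption you must supply). The two certificates it works on are constructed stand-ins generated locally with openssl, not the real DST Root CA X3 or ISRG Root X1; openssl ca is used for the first one only because it lets us set an explicit notAfter in the past so that the certificate really is expired.

```sh
#!/bin/sh
# Audit a PEM CA bundle for expired certificates and write a pruned copy.
# Added example for this article; NOT Broadcom's remove_cer_dst.sh.
# The bundle path and both certificates below are constructed for the demo.
set -e

nl='
'

# cert_is_valid: read one PEM certificate on stdin; exit 0 if it has not
# expired according to the local clock (openssl -checkend 0), 1 if it has.
cert_is_valid() {
    openssl x509 -noout -checkend 0 >/dev/null 2>&1
}

# for_each_cert BUNDLE CALLBACK: split a PEM bundle on its BEGIN/END markers
# and feed each certificate to CALLBACK on stdin.
for_each_cert() {
    cert=""
    while IFS= read -r line; do
        case "$line" in
            "-----BEGIN CERTIFICATE-----") cert="$line$nl" ;;
            "-----END CERTIFICATE-----")
                cert="$cert$line$nl"
                printf '%s' "$cert" | "$2"
                cert="" ;;
            *) cert="$cert$line$nl" ;;
        esac
    done < "$1"
}

# describe_cert: print "STATUS<tab>notAfter<tab>subject" for the cert on stdin.
describe_cert() {
    c=$(cat)
    if printf '%s\n' "$c" | cert_is_valid; then status=VALID; else status=EXPIRED; fi
    subject=$(printf '%s\n' "$c" | openssl x509 -noout -subject)
    notafter=$(printf '%s\n' "$c" | openssl x509 -noout -enddate)
    printf '%s\t%s\t%s\n' "$status" "${notafter#notAfter=}" "${subject#subject=}"
}

list_bundle_certs() { for_each_cert "$1" describe_cert; }

# keep_if_valid: append the cert on stdin to $OUT unless it has expired.
keep_if_valid() {
    c=$(cat)
    if printf '%s\n' "$c" | cert_is_valid; then printf '%s\n' "$c" >> "$OUT"; fi
}

# prune_expired_certs BUNDLE OUT: keep a backout copy as BUNDLE.bak, then
# write only the still-valid certificates to OUT.
prune_expired_certs() {
    cp "$1" "$1.bak"
    OUT="$2"
    : > "$OUT"
    for_each_cert "$1" keep_if_valid
}

count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true; }

# ---- constructed demo bundle (stand-ins, not the real roots) ----
WORK=$(mktemp -d)

# Stand-in for the expired root: openssl ca with an explicit notAfter of
# 2021-09-30 14:01:15Z, the real DST Root CA X3 expiry.
cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $WORK
new_certs_dir = \$dir
database = \$dir/index.txt
serial = \$dir/serial
policy = demo_policy
default_md = sha256
[ demo_policy ]
organizationName = optional
commonName = supplied
EOF
: > "$WORK/index.txt"
echo 01 > "$WORK/serial"
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/dst.key" -out "$WORK/dst.csr" \
    -subj "/O=Constructed test/CN=DST Root CA X3" 2>/dev/null
openssl ca -batch -config "$WORK/ca.cnf" -selfsign -keyfile "$WORK/dst.key" \
    -in "$WORK/dst.csr" -startdate 000930000000Z -enddate 210930140115Z \
    -notext -out "$WORK/dst_expired.pem" 2>/dev/null

# Stand-in for the still-valid root.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -keyout "$WORK/isrg.key" \
    -out "$WORK/isrg_valid.pem" -subj "/O=Constructed test/CN=ISRG Root X1" 2>/dev/null

cat "$WORK/dst_expired.pem" "$WORK/isrg_valid.pem" > "$WORK/bundle.pem"

echo "Before:"; list_bundle_certs "$WORK/bundle.pem"
prune_expired_certs "$WORK/bundle.pem" "$WORK/cleaned.pem"
echo "After:";  list_bundle_certs "$WORK/cleaned.pem"
```

To use this against a real gateway, point list_bundle_certs at the bundle the isolation service actually loads and check the "Before" listing for an EXPIRED line whose subject is DST Root CA X3; only prune once you have confirmed ISRG Root X1 is still present in the "After" listing, and keep the .bak copy until the service has been restarted and tested, which is the same backout discipline the revert scripts above provide.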

Additional Information

If a downstream Blue Coat ProxySG is being used to forward traffic to Web Isolation, please refer to the following KB to remove the expired certificate on the SG appliance.

https://knowledge.broadcom.com/external/article?articleId=225163

 

For more specific details, see the article below from Let's Encrypt regarding the expiration.

https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/