Let's Encrypt Expired Certificate


Article ID: 226999


Updated On:


Products: Web Isolation, Web Isolation Cloud


Your request contacted a host whose certificate chain, issued by Let's Encrypt, was rejected by the Web Isolation gateway as expired or invalid. As a result, a redirected site may be bypassed instead of being isolated, and the following error is seen in the fireglass logs.

Error message: certificate has expired


A second example is a video that Web Isolation fetches on behalf of the client using the same certificate bundle, which still contains the old Let's Encrypt chain certificate. In that case the following error is seen in the fireglass logs.

Error message: CERT_HAS_EXPIRED


Two scripts are referenced in this article, one for WI 1.13.x and one for WI 1.14.x. Both are written for Web Isolation on-prem.


Cause: DST Root CA X3 expired on September 30, 2021. Let's Encrypt's current root, ISRG Root X1, is cross-signed by DST Root CA X3, so while the expired DST Root CA X3 is still present in the gateway's certificate bundle the chain is constructed up to that expired root and validation fails.


Resolution: remove the expired certificate from all Web Isolation gateways, including the MGMT box.


Download & Run Script
SSH into every WI gateway (including the MGMT box) and run the command for the installed WI version.


WI 1.13.x

su fireglass -c "fgcli fileserver download patch/BAL-2702/remove_cer_dst_1_13.sh /tmp/ && chmod +x /tmp/remove_cer_dst_1_13.sh && /tmp/remove_cer_dst_1_13.sh"


WI 1.14.x

su fireglass -c "fgcli fileserver download patch/BAL-2702/remove_cer_dst.sh /tmp/ && chmod +x /tmp/remove_cer_dst.sh && /tmp/remove_cer_dst.sh"


***Note: the patch will cause up to 1 minute of downtime.***


Backout Script
Run the following command only if the script above produced an error or unexpected results; it reverts the changes.


WI 1.13.x

su fireglass -c "fgcli fileserver download patch/BAL-2702/remove_cer_dst_1_13_revert.sh /tmp/ && chmod +x /tmp/remove_cer_dst_1_13_revert.sh && /tmp/remove_cer_dst_1_13_revert.sh"


WI 1.14.x

su fireglass -c "fgcli fileserver download patch/BAL-2702/remove_cer_dst_REVERT.sh /tmp/ && chmod +x /tmp/remove_cer_dst_REVERT.sh && /tmp/remove_cer_dst_REVERT.sh"
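The vendor scripts above do the bundle edit for you. As an added example (not from this article or from Broadcom), the stdlib-only Python tool below shows what that edit amounts to and lets you check a bundle before and after: it splits a PEM CA bundle, reads each certificate's subject CN and notAfter with a minimal DER walk (no signature verification), drops every certificate that has already expired, and keeps a .bak copy of the original for backout. It generalizes the article's case slightly, since it removes any expired root, not only DST Root CA X3. The two certificates in SAMPLE_BUNDLE are constructed, unsigned stand-ins (only the names and expiry dates mirror the real DST Root CA X3 and ISRG Root X1); the function names and the bundle path are assumptions.

```python
"""Prune expired root certificates (e.g. DST Root CA X3) from a PEM CA bundle.
Added example, stdlib only. The DER builder at the bottom only constructs
unsigned stand-in certificates so the demo runs offline."""
import re
import ssl
from datetime import datetime, timezone
from pathlib import Path

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
OID_COMMON_NAME = b"\x55\x04\x03"   # id-at-commonName (2.5.4.3)


def _read_tlv(buf, pos):
    """Read one DER tag/length/value; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _parse_time(tag, raw):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) to an aware UTC datetime."""
    s = raw.decode("ascii")
    if tag == 0x17:            # YYMMDDHHMMSSZ; X.509 two-digit years pivot at 1950
        yy = int(s[:2])
        year, s = yy + (1900 if yy >= 50 else 2000), s[2:]
    elif tag == 0x18:          # YYYYMMDDHHMMSSZ
        year, s = int(s[:4]), s[4:]
    else:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return datetime(year, int(s[0:2]), int(s[2:4]), int(s[4:6]),
                    int(s[6:8]), int(s[8:10]), tzinfo=timezone.utc)


def _common_name(name):
    """Walk a Name (SEQUENCE OF SET OF {OID, value}) and return its CN, if any."""
    pos = 0
    while pos < len(name):
        _, rdn, pos = _read_tlv(name, pos)         # RelativeDistinguishedName (SET)
        _, atv, _ = _read_tlv(rdn, 0)              # AttributeTypeAndValue (SEQUENCE)
        _, oid, p = _read_tlv(atv, 0)
        _, value, _ = _read_tlv(atv, p)
        if oid == OID_COMMON_NAME:
            return value.decode("utf-8")
    return None


def cert_info(der):
    """Return (subject CN, notAfter) of a DER certificate without verifying it."""
    _, cert, _ = _read_tlv(der, 0)                 # Certificate
    _, tbs, _ = _read_tlv(cert, 0)                 # tbsCertificate
    tag, _, pos = _read_tlv(tbs, 0)                # version [0] is optional (absent in v1)
    if tag != 0xA0:
        pos = 0
    _, _, pos = _read_tlv(tbs, pos)                # serialNumber
    _, _, pos = _read_tlv(tbs, pos)                # signature AlgorithmIdentifier
    _, _, pos = _read_tlv(tbs, pos)                # issuer
    _, validity, pos = _read_tlv(tbs, pos)         # validity
    _, subject, _ = _read_tlv(tbs, pos)            # subject
    _, _, p = _read_tlv(validity, 0)               # notBefore (skipped)
    t, not_after, _ = _read_tlv(validity, p)       # notAfter
    return _common_name(subject), _parse_time(t, not_after)


def list_certs(bundle_text):
    """[(CN, notAfter)] for every certificate in a PEM bundle, in file order."""
    return [cert_info(ssl.PEM_cert_to_DER_cert(p)) for p in PEM_RE.findall(bundle_text)]


def prune_expired(bundle_text, now=None):
    """Return (bundle text without expired certs, [(CN, notAfter) that were removed])."""
    now = now or datetime.now(timezone.utc)
    kept, removed = [], []
    for pem in PEM_RE.findall(bundle_text):
        cn, not_after = cert_info(ssl.PEM_cert_to_DER_cert(pem))
        if not_after < now:
            removed.append((cn, not_after))
        else:
            kept.append(pem)
    return "\n".join(kept) + "\n", removed


def prune_bundle_file(path, now=None):
    """Rewrite the bundle in place; the original is saved as <path>.bak for backout."""
    text = Path(path).read_text()
    kept, removed = prune_expired(text, now)
    if removed:
        Path(str(path) + ".bak").write_text(text)
        Path(path).write_text(kept)
    return removed


# --- constructed sample input: unsigned stand-ins, NOT the real root certificates ---
def _der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _name(cn):
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, OID_COMMON_NAME) + _der(0x13, cn.encode()))))


def make_stand_in_cert(cn, not_before, not_after):
    """Syntactically valid, self-issued v3 certificate shell with an empty signature."""
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _der(0x05, b""))
    utc = lambda d: _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg + _name(cn)
               + _der(0x30, utc(not_before) + utc(not_after)) + _name(cn)
               + _der(0x30, alg + _der(0x03, b"\x00")))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00"))


SAMPLE_BUNDLE = (ssl.DER_cert_to_PEM_cert(make_stand_in_cert("DST Root CA X3", datetime(2000, 9, 30), datetime(2021, 9, 30)))
                 + ssl.DER_cert_to_PEM_cert(make_stand_in_cert("ISRG Root X1", datetime(2015, 6, 4), datetime(2035, 6, 4))))

if __name__ == "__main__":
    import sys
    for cn, exp in prune_bundle_file(sys.argv[1]):   # assumed usage: script.py /path/to/bundle.pem
        print("removed %s (expired %s)" % (cn, exp.date()))
```

Run it against a copy of the gateway's bundle first and compare list_certs() output before and after; the only entry that should disappear for this issue is DST Root CA X3, with ISRG Root X1 left in place. To confirm the fix against a real site, fetch the chain with `openssl s_client -connect host:443 -servername host -showcerts` and validate it with `openssl verify -CAfile <pruned bundle>`; the chain now terminates at ISRG Root X1 instead of the expired cross-sign. The .bak copy is the manual equivalent of the backout scripts above.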

Additional Information

If a downstream Blue Coat ProxySG is used to forward traffic to Web Isolation, refer to the following KB to remove the expired certificate on the ProxySG appliance as well.



For more specific details see the article below from Let's Encrypt regarding the expiration.