Duo CA bundle revoked or expired

Article ID: 426081

Products

Carbon Black EDR

Issue/Introduction

  • Duo 2-Factor Authentication fails with certificate validation issues
  • Received notice from Duo of certificate bundle expiration or revocation

Environment

  • EDR Server: All Supported Versions

Cause

The Duo_client certificate bundle is revoked or expired.

Resolution

To restore or avoid authentication service disruption, update the pinned certificate bundle in the Duo_client Python module to the latest CA pinning bundle version.

     1. Retrieve the updated Duo Certificate Authority certificate bundle PEM file from https://github.com/duosecurity/duo_client_python/blob/master/duo_client/ca_certs.pem

curl -o /tmp/ca_certs.pem https://raw.githubusercontent.com/duosecurity/duo_client_python/refs/heads/master/duo_client/ca_certs.pem

     2. Back up the existing PEM file on the server:

cp /usr/share/cb/virtualenv/lib/python3.10/site-packages/duo_client/ca_certs.pem /usr/share/cb/virtualenv/lib/python3.10/site-packages/duo_client/ca_certs.pem.bak

     3. Update the contents of the ca_certs.pem file in the Duo Python module:

cat /tmp/ca_certs.pem > /usr/share/cb/virtualenv/lib/python3.10/site-packages/duo_client/ca_certs.pem

     4. Restart the cb-enterprise service.

How to Start, Stop and Restart EDR Application Services
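
The following is an added example, not Broadcom or Duo code: it checks that the file downloaded in step 1 parses as a PEM CA bundle with no expired certificates before carrying out the backup and overwrite of steps 2 and 3, so a failed download (for example an HTML error page saved by curl) never replaces the pinned bundle. The function names check_bundle and install_bundle are hypothetical; the script takes the downloaded file and the ca_certs.pem path from the steps above as its two arguments, and the service restart in step 4 is still done separately.

```python
import shutil
import ssl
import sys
import time


def check_bundle(path, now=None):
    """Return (ok, detail); ok is False if nothing parses or a CA cert is expired."""
    now = time.time() if now is None else now
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        # OpenSSL parses the file as PEM; an empty file, an HTML error page
        # or a missing file raises here (ssl.SSLError is an OSError).
        ctx.load_verify_locations(cafile=path)
    except (OSError, ValueError) as exc:
        return False, f"not a usable PEM bundle: {exc}"
    certs = ctx.get_ca_certs()
    if not certs:
        return False, "no CA certificates found in bundle"
    expired = [c for c in certs
               if ssl.cert_time_to_seconds(c["notAfter"]) <= now]
    if expired:
        return False, f"{len(expired)} of {len(certs)} CA certificates expired"
    return True, f"{len(certs)} CA certificates, none expired"


def install_bundle(src, dst):
    """Validate src, back up dst to dst + '.bak', then overwrite dst in place."""
    ok, detail = check_bundle(src)
    if not ok:
        return False, detail              # dst and any old backup stay untouched
    shutil.copy2(dst, dst + ".bak")       # same backup name as step 2
    # Write into the existing file (like `cat >`) so its owner and mode are kept.
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        shutil.copyfileobj(fin, fout)
    return True, detail


if __name__ == "__main__":
    # Usage: python install_bundle.py <downloaded ca_certs.pem> <installed ca_certs.pem>
    ok, detail = install_bundle(sys.argv[1], sys.argv[2])
    print(detail)
    sys.exit(0 if ok else 1)
```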

Additional Information