Today, in my work all sites with Letsencrypt showed the message " This Connection is Invalid. SSL certificate expired.". But the error is with my SSL inspection with Letsencrypt. Without the SSL inspection the access is functioning.
This week we updated some records in letsencrypt.
Is there any chance of blocking addresses in your environment?
Error:
This Connection is Invalid. SSL certificate expired.
A secure connection to www.cnnbrasil.com.br cannot be established.
When you try to connect securely, sites will present trusted identification to prove that you are going to the right place. However, this site's identity can't be verified.
Site www.cnnbrasil.com.br
Certificate CN www.cnnbrasil.com.br
Certificate Authority R3
Can you explain us this a littlebit more? You're using an SSL inspection tool and the error mentioned shows when connecting to sites using Let's Encrypt certificates? Without the tool everything is fine?
The mentioned site is using the correct default Let's Encrypt certificate chain.
If you are using some tool to inspect SSL traffic, it is possible that it is unable to find the correct chain to validate the certificate after the DST Root CA X3 expires.
The vast majority of software uses the operating system store to create certificate chains. It is important that the operating system or software you are using has the ISRG Root X1 certificate in your store.
Exactly. My firewall has SSL inspection feature and this morning we had this SSL alert only with sites that use letsencrypt. As an immediate solution, it was necessary to configure the SSL inspection bypassing feature to work.
A root certificate used by Let's Encrypt (DST Root CA X3) has expired very recently. It is possible that your firewall can't handle this and is causing the issues you're seeing.
You could try removing the DST Root CA X3 certificate from the trust store used by the firewall, wherever that is. This might help.
Otherwise, if you control the servers you're connecting to, you can configure the servers to send what Let's Encrypt calls the "alternate chain". This chain does not include the expired certificate. The disadvantage is that this chain is not compatible with Android < 7.1 devices.
Unfortunately we do not manage the servers as they are public.
I can only manage with the firewall so that the SSL inspection tool performs the procedure with websites with letsencrypt and continues to work without the error mentioned above.
That FN blog post has already been posted in this forum (in another topic); as well as the KB article FN published that same day.
Please add anything to that post that might help others better understand your specific problem and the solution/workarounds you've tried and their outcome(s).
