If you’re running a Sophos UTM firewall, you may start noticing websites not loading properly, or presenting an error reporting that a root CA has expired.
PLEASE NOTE: If you are experiencing this on September 2021 or later, please see DST Root CA X3 Certificate Expiration Problems and Fix.
The error presented is below:
Webpages that do not present an error may fail to load, or only load partial parts of the page.
Update June 3rd 2020 – There are reports that this issue is also occurring with other vendors security solutions as well (such as Palo Alto Firewalls).
The Issue
This is due to some root CA (Certificate Authority) certificates expiring.
Particularly this involves the following Root CA Certificates:
- AddTrust AB – AddTrust External CA Root
- The USERTRUST Network – USERTrust RSA Certification Authority
- The USERTRUST Network – USERTrust ECC Certification Authority
Read more about the particular issue here: https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA03l00000117LT
The Fix
To resolve this, we must first disable 3 of the factory shipped Root CA’s (listed above) on the Sophos UTM, and then upload the new Root CAs.
You’ll need to go to the following links (as referenced on Sectigo’s page above, and download the new Root CAs:
USERTrust RSA Root CA (Updated) – https://crt.sh/?id=1199354
USERTrust ECC Root CA (Updated) – https://crt.sh/?id=2841410
When you go to each of the above pages, click on “Certificate” as shown below, to download the Root CA cert.
Do this for both certificates and save to your system.
Now we must update and fix the Sophos UTM:
- Log on to your Sophos UTM Web Interface
- Navigate to “Web Protection”, then “Filtering Options”, then select the “HTTPS CAs” tab.
- Browse through the list of “Global Verification CAs” and disable the following certificates:
- AddTrust AB – AddTrust External CA Root
- The USERTRUST Network – USERTrust RSA Certification Authority
- The USERTRUST Network – USERTrust ECC Certification Authority
- Scroll up and under “Local Verification CAs”, use the “Upload local CA” to upload the 2 new certificates you just downloaded.
- Make sure they are enabled.
After you complete these steps, verify they are in the list.
After performing these steps you must restart the HTTPS Web filter Scanning services or restart your Sophos UTM.
The issue should now be resolved. Leave a comment and let me know if it worked for you!