From 30th May 2020, users may find that certain websites are blocked by the filter with the message "The server's certificate has expired". In our tests this affects 7,000 of the top 1,000,000 websites (0.7%), and includes sites such as https://nyu.edu.
This is caused by the expiry of a widely used root CA certificate, AddTrust External CA Root, combined with the way the GnuTLS library, which is used by a wide range of software, validates certificate chains.
To resolve this issue:
1. On your Smoothwall Filter (on-premise) navigate to System > Certificates > Certificate Authorities
2. Find "AddTrust External CA Root's AddTrust AB certificate" and "COMODO RSA Certification Authority's COMODO CA Limited certificate" and tick the checkbox to the right-hand side of each.
3. Scroll to the bottom of the page and click the 'Delete' button
4. Go to Guardian > HTTPS Inspection > Settings, and click the 'Clear and restart' button next to 'Cached certificates'.
Please note: this performs a hard restart of the web filter service, so your users will lose Internet access for a few minutes. Depending on how severely your users are affected, you may wish to do this out of hours.
5. Once the filter has restarted, request an affected website; it should no longer be blocked for this reason. https://nyu.edu can be used as a test.
Technical background
GnuTLS is a software library that provides SSL/TLS functionality and is incorporated in a wide range of software. Smoothwall use it in the filter to decrypt, validate and re-encrypt HTTPS traffic.
The AddTrust External CA Root certificate, operated by Sectigo (formerly Comodo CA), expired on 30th May 2020. Normally this would not be a problem: the intermediate CAs that issue website certificates are 'cross-signed', meaning the same intermediate has been issued both by the old AddTrust root and by a newer root, so a client that trusts the newer root can build a valid chain without AddTrust at all. AddTrust was a legacy root that had been superseded by newer root certificates over the last few years and was retained only for compatibility with older clients.
However, it became clear on 30th May that GnuTLS does not fall back to the alternative chain: when the chain it has built ends at the expired AddTrust certificate, it reports the expiry as a validation failure rather than retrying via the newer root. Changes to the way GnuTLS handles this are being developed rapidly, and we expect to be able to release them to Smoothwall customers shortly.
The simple workaround is to remove the expired certificates from the filter's CA store entirely, so that the only chain GnuTLS can build runs through the newer root, which is already present. That is the process described above.
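As a practical check to go with the steps above and this explanation of why deleting the expired entries works, the following is an added example (not Smoothwall's code and not part of this article) that lists every certificate in a PEM CA bundle which has already expired, so you can confirm exactly which entries to remove and whether any other root is in the same state. It uses only the Python standard library, parsing just enough DER to read each certificate's subject, issuer and validity period; it does not verify signatures. The bundle it scans by default is constructed inside the script: stand-ins for the two expired entries named in step 2, carrying the article's 30th May 2020 expiry but made-up keys and signatures, plus a hypothetical "Example Replacement Root CA". Pass a file path as the first argument to scan a real bundle instead.

```python
"""Report expired CA certificates in a PEM bundle, using only the Python standard library."""
import base64
import re
import sys
from datetime import datetime, timezone

# -- minimal DER (ASN.1) encode/decode helpers --
def der_len(n):  # DER length: short form below 128, long form otherwise
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body
def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content
def seq(*parts):
    return tlv(0x30, b"".join(parts))
def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big"), 2 + nbytes
    return tag, buf[pos + hdr:pos + hdr + length], pos + hdr + length
def children(value):  # split a constructed element's content into (tag, value) children
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out
# -- X.509 field extraction (structure only; signatures are not checked) --
CN_OID, O_OID = bytes.fromhex("550403"), bytes.fromhex("55040a")   # 2.5.4.3 CN, 2.5.4.10 O
def parse_name(name_der):
    """Return {'CN': ..., 'O': ...} from an X.501 Name (SEQUENCE OF SET OF AVA)."""
    attrs = {}
    for _, rdn_set in children(name_der):
        for _, ava in children(rdn_set):
            (_, oid), (_, value) = children(ava)[:2]
            key = {CN_OID: "CN", O_OID: "O"}.get(oid)
            if key:
                attrs[key] = value.decode("utf-8")
    return attrs
def parse_time(tag, value):
    # UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ) -> aware datetime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)
def parse_certificate(der):
    """Extract subject, issuer and validity from a DER-encoded certificate."""
    _, cert, _ = read_tlv(der)
    fields = children(children(cert)[0][1])           # tbsCertificate
    if fields[0][0] == 0xA0:                           # skip optional explicit [0] version
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    (nb_tag, nb), (na_tag, na) = children(fields[3][1])
    return {"subject": parse_name(fields[4][1]), "issuer": parse_name(fields[2][1]),
            "not_before": parse_time(nb_tag, nb), "not_after": parse_time(na_tag, na)}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
def pem_to_der(bundle_pem):
    return [base64.b64decode("".join(b.split())) for b in PEM_RE.findall(bundle_pem)]
def der_to_pem(der):
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
def expired_certificates(bundle_pem, now):
    """Return [(subject CN, issuer CN, notAfter)] for every certificate already expired at `now`."""
    hits = []
    for der in pem_to_der(bundle_pem):
        c = parse_certificate(der)
        if c["not_after"] < now:
            hits.append((c["subject"].get("CN"), c["issuer"].get("CN"), c["not_after"]))
    return hits
# -- constructed sample data: structurally valid X.509 v3 with a dummy key and all-zero signature --
SHA256_RSA = seq(tlv(0x06, bytes.fromhex("2a864886f70d01010b")), tlv(0x05, b""))
def name(cn, org):
    ava = lambda oid, text: tlv(0x31, seq(tlv(0x06, oid), tlv(0x13, text.encode())))
    return seq(ava(O_OID, org), ava(CN_OID, cn))
def fake_cert(subject, issuer, not_before, not_after):
    utc = lambda ts: tlv(0x17, ts.strftime("%y%m%d%H%M%SZ").encode())   # UTCTime
    dummy_bits = tlv(0x03, b"\x00" * 33)                                # BIT STRING, 0 unused bits
    tbs = seq(tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, b"\x01"), SHA256_RSA,
              issuer, seq(utc(not_before), utc(not_after)), subject, seq(SHA256_RSA, dummy_bits))
    return seq(tbs, SHA256_RSA, dummy_bits)
def sample_bundle():
    """Stand-ins for the two entries the article says to delete plus one still-valid root.
    Names and the 30 May 2020 expiry follow the article; every other value is made up."""
    addtrust = name("AddTrust External CA Root", "AddTrust AB")
    comodo = name("COMODO RSA Certification Authority", "COMODO CA Limited")
    newer = name("Example Replacement Root CA", "Example CA Ltd")      # hypothetical name
    d = lambda *ymd: datetime(*ymd, tzinfo=timezone.utc)
    certs = [fake_cert(addtrust, addtrust, d(2000, 5, 30), d(2020, 5, 30, 10, 48, 38)),
             fake_cert(comodo, addtrust, d(2000, 5, 30), d(2020, 5, 30, 10, 48, 38)),  # cross-signed
             fake_cert(newer, newer, d(2010, 2, 1), d(2038, 1, 18))]
    return "".join(der_to_pem(c) for c in certs)

if __name__ == "__main__":   # scan a real bundle given as argv[1], otherwise the sample
    bundle = open(sys.argv[1]).read() if len(sys.argv) > 1 else sample_bundle()
    for cn, issuer_cn, not_after in expired_certificates(bundle, datetime.now(timezone.utc)):
        print(f"EXPIRED  {cn}  (issuer: {issuer_cn})  notAfter={not_after:%Y-%m-%d %H:%M:%S}Z")
```

The pattern to look for in the output is an expired entry whose issuer is itself an expired entry, as with the cross-signed COMODO certificate in the sample: both need to go, and the replacement root should already be present in the store before you delete them. On a typical Linux host the system bundle is /etc/ssl/certs/ca-certificates.crt (an assumption; this article does not say where the Smoothwall filter keeps its CA store), and `openssl x509 -noout -subject -issuer -enddate` gives the same fields for a single PEM certificate if you prefer to check by hand.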
Smoothwall will shortly release update Leeds 35, which removes these certificates automatically, but we appreciate that some customers may not be in a position to upgrade, or cannot wait for it, so please follow the steps above in the meantime.
This only affects the on-premise filter; the Cloud filter is unaffected.
If you have any questions or queries, please contact our support team or your account representative.