Jump to content

Website Certificate Revoked


Go to solution Solved by GrantG,

Recommended Posts

Hi.

One of our customers is getting a lot of "Certificate Revoked" errors from ESET Antivirus since 1.10.2021. Accessing these sites not via ESET does not show any problem. What seems to be common to all these sites is that they are using Let's Encrypt and OCSP Stapling.

Here is one example: https://app.softgarden.io

Any ideas how to track down the problem.

THX a lot.

Link to comment
Share on other sites

  • Solution

This will be due to the Let's Encrypt "DST Root CA X3 DST" certificate authority expiring on the 30th September.  We have the same issue with 1 of our customers who use ESET Endpoint Security.  None of our other customers have issues.  Even though our certificate is valid ESET gives the same error and prevents access because one of the 2 paths has now expired.  Seems to be that ESET doesn't check the new/current cert authority "ISRG Root X1" for the multi-path Let's Encrypt certs, or something like that.

I am going to renew our certificates early to remove reference to the old cert authority to see if that fixes the issue.

Link to comment
Share on other sites

To track down the problem, is there an easy method to disable HTTPS inspection on the ESET client. I tried to pause Web-Protection on the client for 10 minutes however I see that the website is still signed by the ESET proxy cert.

Link to comment
Share on other sites

  • Administrators
Just now, offbyone said:

To track down the problem, is there an easy method to disable HTTPS inspection on the ESET client. I tried to pause Web-Protection on the client for 10 minutes however I see that the website is still signed by the ESET proxy cert.

Did you restart the browser? Tried clearing cache?

Link to comment
Share on other sites

I've manually renewed the Let's Encrypt certificates in question now and the optional expired path in the chain has now gone.  This should resolve the client issue with ESET for us although I do question if it should have been necessary as the certificates were still valid.  Anyway, I hope this helps.

Link to comment
Share on other sites

33 minutes ago, GrantG said:

Anyway, I hope this helps.

Indeed it did.

This was the missing hint to get to the root of the problem.

THX again.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...