https://live.paloaltonetworks.com/t5/general-topics/website-is-not-secure-certificate-is-expired/m-p/521127#M108009 <P>Hi everyone,&nbsp;</P> <P>Recently, I've seen an issue where if we use a computer that has its traffic routed through the PAN NGFW, we will get an error message from the website saying "Your connection is not private" with an error code:&nbsp;<SPAN>NET::ERR_CERT_COMMON_NAME_INVALID.&nbsp;</SPAN></P> <P><SPAN>This happen to 2 different websites I've seen so far. When we looked at the certificate it looks like the certificate of the websites are expired.&nbsp;</SPAN></P> <P><SPAN>However, the weird thing is that when the traffic is not routed through the firewall, for example, using a different computer and network, we are able to access those websites just fine with valid certificate.&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN>The URLs that we encountered this issues are:&nbsp;</SPAN></P> <P><SPAN>zetta.net.au</SPAN></P> <P><SPAN>airport.lk</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><SPAN>Please kindly let me know if you have experienced this issue before and how do you fix it.&nbsp;</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 14 Nov 2022 06:04:20 GMT LuckyLau 2022-11-14T06:04:20Z https://live.paloaltonetworks.com/t5/general-topics/website-is-not-secure-certificate-is-expired/m-p/521127#M108009 <P>Hi everyone,&nbsp;</P> <P>Recently, I've seen an issue where if we use a computer that has its traffic routed through the PAN NGFW, we will get an error message from the website saying "Your connection is not private" with an error code:&nbsp;<SPAN>NET::ERR_CERT_COMMON_NAME_INVALID.&nbsp;</SPAN></P> <P><SPAN>This happen to 2 different websites I've seen so far. When we looked at the certificate it looks like the certificate of the websites are expired.&nbsp;</SPAN></P> <P><SPAN>However, the weird thing is that when the traffic is not routed through the firewall, for example, using a different computer and network, we are able to access those websites just fine with valid certificate.&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN>The URLs that we encountered this issues are:&nbsp;</SPAN></P> <P><SPAN>zetta.net.au</SPAN></P> <P><SPAN>airport.lk</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><SPAN>Please kindly let me know if you have experienced this issue before and how do you fix it.&nbsp;</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 14 Nov 2022 06:04:20 GMT https://live.paloaltonetworks.com/t5/general-topics/website-is-not-secure-certificate-is-expired/m-p/521127#M108009 LuckyLau 2022-11-14T06:04:20Z https://live.paloaltonetworks.com/t5/general-topics/website-is-not-secure-certificate-is-expired/m-p/521338#M108042 <P>Hello,</P> <P>Do you have ssl decryption enabled? If the local test machine does not trust the certificate, you will get these messages.</P> <P>&nbsp;</P> <P>Regards,</P> Tue, 15 Nov 2022 22:30:50 GMT https://live.paloaltonetworks.com/t5/general-topics/website-is-not-secure-certificate-is-expired/m-p/521338#M108042 OtakarKlier 2022-11-15T22:30:50Z https://live.paloaltonetworks.com/t5/general-topics/website-is-not-secure-certificate-is-expired/m-p/521422#M108057 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/209095">@LuckyLau</a>,</P> <P>In addition to what&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/27580">@OtakarKlier</a>&nbsp;mentioned, when you're decrypting traffic you'll find that you have to manage certificates on the device a little bit for some providers. The firewall has a default list of trusted certificate authorities, but it doesn't trust everything that your browser will as an example. You might have to actually import the issuing CA certificates and mark them as trusted.&nbsp;</P> <P>&nbsp;</P> Wed, 16 Nov 2022 16:28:55 GMT https://live.paloaltonetworks.com/t5/general-topics/website-is-not-secure-certificate-is-expired/m-p/521422#M108057 BPry 2022-11-16T16:28:55Z https://live.paloaltonetworks.com/t5/general-topics/website-is-not-secure-certificate-is-expired/m-p/521448#M108061 <P>Hmmm... that is kind of an interesting failure... When connecting to zetta.net.au from behind the PA you get a certificate with a wildcard CN subject of "*.highway1.com.au" that expired Nov 5 2017 (hence the COMMON_NAME_INVALID error, it would also fail for certificate expiry). When connecting from a different ISP not behind a PA you get a certificate with a CN of "<A href="http://www.zetta.com.au" target="_blank">www.zetta.com.au</A>" and an alternate name of "zetta.com.au", which is signed by Lets Encrypt and has an expiry of Dec 17 2022.</P> <P>&nbsp;</P> <P>It looks like the server is giving out different certificates based on the client source and one of those certificates is expired/incorrect for the host. The certificate valid from/to dates should be passed thru the PA with decryption enabled, but the zetta.com.au certificate shows completely different dates. Checking another server I have that is signed by the exact same Lets Encrypt CA, both behind and separate from the PA show the exact same certificate dates and the Lets Encrypt signed cert decrypts behind the PA without issue. So it seems to not be a PA known CA authorities issue.</P> Wed, 16 Nov 2022 18:25:37 GMT https://live.paloaltonetworks.com/t5/general-topics/website-is-not-secure-certificate-is-expired/m-p/521448#M108061 Adrian_Jensen 2022-11-16T18:25:37Z https://live.paloaltonetworks.com/t5/general-topics/website-is-not-secure-certificate-is-expired/m-p/1204804#M122974 <P>Hi, would like to know how you get the issue resolved? Thank you.&nbsp;</P> Wed, 22 Jan 2025 05:59:10 GMT https://live.paloaltonetworks.com/t5/general-topics/website-is-not-secure-certificate-is-expired/m-p/1204804#M122974 SS_CHEW 2025-01-22T05:59:10Z