The only reason I think it's a chain issue from the sites host is if you check the website with a tool like https://whatsmychaincert.com/ it will report that the site is delivering an invalid chain but it implies that modern web browsers will transparently fix this issue for the end user.
... View more
Due to the recent expiration of the Sectigo RSA CA cert (https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020) and our Palo firewall SSL decryption policy configuration to block expired certificates we are noticing that any website that is publishing the old expired CA chain (for example netaoc.org.uk) is being blocked due to them publishing an expired cert. This is obviously working as expected however it's difficult for me to come into contact with each website hosting one of these invalid CA chains to get them to resolve the issue while our users experience issues and I manually exclude the sites from decryption. I of course could turn off expired certificate blocking however this something I would rather not do. I have noticed that web browsers like Chrome when not running through decryption are handling this issue just fine as they seem to look up the new correct CA certificate themselves and use that. Is there a way I can configure out Palo to act in the same way or am I stuck being reliant on the web admins of the individual sites to correct their chain issues?
... View more