Why websites are getting flagged for invalid certificates

We’ve been flooded with calls today that websites aren’t loading correctly, and there’s a common smoking gun – they are all websites that use a certificate from the company Let’s Encrypt.

If you’ve attended the Security Awareness Trainings run by Suite3 President Dave DelVecchio, you may recall the discussion of the difference between an “HTTP” website and an “HTTPS” website. When you go to a site whose address starts with HTTPS, it means the web host has bought a certificate and applied it as a sort of digital signature, signalling to visitors that the site is in fact owned by the organization, and it creates an encrypted connection so that data passing between the web browser and the site is fully encrypted.

However, starting on 9/30/21, Let’s Encrypt changed their root certificate, and older devices started receiving certificate warnings and blocking connections. If you want to dive into the technical deep end, check out the following article: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

For many of our clients, the network firewall inspects certificates to check their validity and to learn the domain being visited, which it then uses to decide on web filtering and other threat management actions. As a result, we’ve been modifying firewall configurations to allow these connections temporarily until a permanent fix for this certificate issue is available.
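As an added example (not from the original post), here is a shell check an administrator can run against the certificate chain a web server sends, since a firewall or older client that inspects validity will reject a chain containing an expired certificate such as the old root described in the linked article. It assumes the openssl command-line tool is installed and takes the path of a PEM bundle (leaf, intermediates and any root the server sends) as its only argument.

```shell
#!/bin/sh
# check_chain_expiry: print subject and notAfter of every certificate in a PEM
# bundle and return 1 if any of them has already expired (2 if none found).
# Assumes the openssl CLI is available on PATH.
check_chain_expiry() {
    bundle="$1"
    expired=0
    index=0
    # Split the bundle into one temp file per certificate block, zero-padded
    # so the files sort in the same order the server sent them.
    tmpdir=$(mktemp -d)
    awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%02d.pem", dir, n) }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$bundle"
    for cert in "$tmpdir"/cert*.pem; do
        [ -f "$cert" ] || continue
        index=$((index + 1))
        subject=$(openssl x509 -in "$cert" -noout -subject)
        enddate=$(openssl x509 -in "$cert" -noout -enddate)
        # -checkend 0 exits non-zero when the certificate is already past notAfter.
        if openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
            status="valid"
        else
            status="EXPIRED"
            expired=1
        fi
        printf '%d: %s | %s | %s\n' "$index" "$subject" "$enddate" "$status"
    done
    rm -rf "$tmpdir"
    [ "$index" -gt 0 ] || return 2
    return $expired
}
```

Any line marked EXPIRED identifies a certificate the server should stop sending (or a trust store that needs updating) before the temporary firewall exceptions are removed.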

Back in June, we discussed how a firewall should no longer be thought of as a physical device, but rather as a security service that requires regular updates. This is yet another demonstration of why centralized firewall management is a critical component of an overall security and support approach.