1. Description
Several different customers have been affected by this. The version of OpenSSL in the mac client is very strict and will not accept an expired root, even if it is cross-signed by another, unexpired root. That's what we can conclude from our findings. This CA Root is used on the Windows IIS server and is served to OpenSSL as part of the certificate chain presented during authentication.
Here is a link to the official article which also gives more details on how this all works.
https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020
If you have this issue, it is because this CA Root is still being used on your server, and the mac client is still receiving this expired certificate in the chain when it tries to connect. The chain needs to change so that the USERTrust certificate is the CA Root, i.e. the last certificate in the path. More on this is explained in the article above. Here is a picture of how the certification path was and how it needs to be now.
2. How to check the issue with the mac client
The mac client ships its own copy of OpenSSL, which you can use to test whether the certificate chain path is good or not. Open Terminal and run the command below exactly as written, on one line, replacing ACCESSURL with your access point URL.
/usr/local/cstack/bin/openssl s_client -CAfile /usr/local/cstack/certs/cacert.pem -connect ACCESSURL:443
After running the command, you will see your certification path. Below are example screenshots of the certification path before May 30, 2020, produced with this command.
Here is how it should be on and after May 30, 2020.
Here is the final result of the command.
In the last line, you will see the verify return code: 10 means a certificate in the chain has expired, and 0 means the chain verified successfully.
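As an added example (not part of the original article or the client's tooling), the script below parses a saved copy of the `openssl s_client` output from the command above and reports the verify return code, which certificate the served chain ends in, and whether the expired AddTrust External CA Root is still in the chain. The sample output, the hostname vpn.example.com and the intermediate names are constructed for illustration.

```python
import re

# Constructed sample of `openssl s_client` output (not a real capture): the
# server's chain still ends in the expired AddTrust External CA Root.
SAMPLE_OUTPUT = """\
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify error:num=10:certificate has expired
---
Certificate chain
 0 s:CN = vpn.example.com
   i:C = GB, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
 1 s:C = GB, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
   i:C = US, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
 2 s:C = US, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
   i:C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
 3 s:C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
   i:C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
---
    Verify return code: 10 (certificate has expired)
"""

EXPIRED_ROOT = "AddTrust External CA Root"  # expired May 30, 2020

def common_name(dn):
    """Extract the CN from a subject/issuer line ('CN = x' or '/CN=x' style)."""
    m = re.search(r"CN\s*=\s*([^,/\n]+)", dn)
    return m.group(1).strip() if m else dn.strip()

def parse_chain(output):
    """Return (subject CN, issuer CN) pairs from the 'Certificate chain' block, leaf first."""
    pattern = r"^\s*\d+ s:(.*)\n\s*i:(.*)$"
    return [(common_name(s), common_name(i))
            for s, i in re.findall(pattern, output, re.MULTILINE)]

def verify_return_code(output):
    """Return the integer from the final 'Verify return code: N (...)' line, or None."""
    m = re.search(r"Verify return code:\s*(\d+)", output)
    return int(m.group(1)) if m else None

def diagnose(output):
    """Summarise what the mac client saw: return code, chain root, AddTrust present or not."""
    chain = parse_chain(output)
    code = verify_return_code(output)
    root = chain[-1][0] if chain else None  # last cert served = what the client treats as root
    addtrust_present = any(EXPIRED_ROOT in s or EXPIRED_ROOT in i for s, i in chain)
    return {"verify_return_code": code, "chain_root": root,
            "addtrust_in_chain": addtrust_present,
            "ok": code == 0 and not addtrust_present}
```

Save the real command's output to a file and call `diagnose(open(path).read())`; a healthy server shows return code 0, no AddTrust entry, and a chain ending in the USERTrust certificate.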
3. Solution
The solution to this varies. Some customers have had success with a system restart, because the IIS server needs a restart to update its certificate paths. Others contacted the SSL vendor that issued their certificate and had a new SSL certificate re-issued, signed by an unexpired root, most likely directly by USERTrust as the root. These are the results we have found so far.
4. How to check your server certificates
You can check your certificates in your server with the following steps:
1. Search for MMC in your start menu and run the executable
2. Click 'File' -> 'Add/Remove Snap-in...'
3. Select the Snap-in 'Certificates' then click 'Add' as seen below
4. Select 'Computer account' then click 'Next'
5. Select 'Local computer' then click 'Finish'
6. Close the Snap-in screen by clicking 'OK' at the bottom right of the screen
7. Expand the 'Trusted Root Certification Authorities' followed by 'Certificates' as seen below:
8. Here you will see the expired certificate.
Send us a ticket if you have any questions.