cancel
Showing results for 
Search instead for 
Did you mean: 

Having to Update Certificate Whitelist for Trainline.com almost monthly ?

Hi Guys

So I have a certificate whitelist with a whole host of sites in there all of which work perfectly fine with the exception of www.thetrainline.com & www.sme.thetrainline.com

I don't have exact timings but around once sometimes twice a month our users see an error "Certificate verification failed" "The certificate verification failed in rule Block expired Server (7 Day Tolerance) and expired CA certificates"

If I log onto the gateway, head over to Certificate whitelist and select "fetch certificate from host" for the 2 train line entries i'm then good to go again for another 3 or 4 weeks even though the new certs have an expiry date of at least 6+ months

I was hoping someone could advise what s going on or point me in the right direction if i'm missing some config or setting somewhere ?

Thank you

Aaron

2 Replies
eelsasser
Level 15

Re: Having to Update Certificate Whitelist for Trainline.com almost monthly ?

Is your MWG using NTP to sync its clock? "Expired" certificates could also indicate the start date/time has not been reached yet.

That site just installed a new certificate last Friday. Maybe it was expired when you encountered the issue?

If it happens again, try to capture it using Rule tracing central. You should be able to get a value of what the MWG thinks the SSL.Server.Certificate.DaysExpired is when it occurs.

0 Kudos

Re: Having to Update Certificate Whitelist for Trainline.com almost monthly ?

I think they install a new cert on a regular basis (not sure why) as I say I have this issue a few times per month normally, how did you find out the cert was renewed ? sorry for asking noob questions but I'm not too familiar with certs etc etc.

0 Kudos