I don't have exact timings but around once sometimes twice a month our users see an error "Certificate verification failed" "The certificate verification failed in rule Block expired Server (7 Day Tolerance) and expired CA certificates"
If I log onto the gateway, head over to Certificate whitelist and select "fetch certificate from host" for the 2 train line entries i'm then good to go again for another 3 or 4 weeks even though the new certs have an expiry date of at least 6+ months
I was hoping someone could advise what s going on or point me in the right direction if i'm missing some config or setting somewhere ?
Is your MWG using NTP to sync its clock? "Expired" certificates could also indicate the start date/time has not been reached yet.
That site just installed a new certificate last Friday. Maybe it was expired when you encountered the issue?
If it happens again, try to capture it using Rule tracing central. You should be able to get a value of what the MWG thinks the SSL.Server.Certificate.DaysExpired is when it occurs.
I think they install a new cert on a regular basis (not sure why) as I say I have this issue a few times per month normally, how did you find out the cert was renewed ? sorry for asking noob questions but I'm not too familiar with certs etc etc.