-
Type: Bug
-
Resolution: Cannot Reproduce
-
Priority: Critical - P2
-
None
-
Affects Version/s: None
-
Component/s: None
-
Labels:None
Description
A few weeks ago, one of the major SSL root certificates expired. Serving an expired root certificate raises an SSL error in some HTTP clients (but not in most browsers). For example in the latest MacOS Catalina:
curl https://docs.mongodb.com/
#Error SSL certificate problem: certificate has expired
Note that it is not the docs.mongodb.com cert that has expired, but one of the intermediate certificates that your server is sending in the SSL chain.
The solution is simple: edit your webserver conf to remove the expired CA cert from the bundle. You don't need to replace it with anything, because all clients trust this vendor by default in their own CA bundle.
For more info see here: https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020