NET::ERR_CERT_SYMANTEC_LEGACY

Summary

Getting certificate error even when CA signed certificate imported to ZD/SZ

Question

Why I am getting NET::ERR_CERT_SYMANTEC_LEGACY or MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONTRAINT_FAILED even when my controller has a CA signed certificate?

Customer Environment

Any Ruckus controller with a CA signed certificate issued before 1 June 2016.

Root Cause

From Google Chrome version 66 and Firefox 60 onward, support for legacy Symantec certificates (certificates issued before 1 June 2016) will be suspended due to a number of issues. If your site uses one of these certificates this will result in the site not having the green lock and a warning being shown to your visitors. This affects certificates from the following providers as well, as they are (former) sub-companies/partners of Symantec: Thawte, VeriSign, Equifax, GeoTrust and RapidSSL.

Troubleshooting Steps

How to check if your site uses a legacy Symantec certificate

We still see these certificates in use on a lot of sites. The Chrome update 66 is scheduled for April 2018, Firefox will show a warning from version 60 onwards which is scheduled for release in May 2018. There isn’t much time left to upgrade these certificates. You can check if your site is using one of these certificates by doing the following in Google Chrome:

  1. Go to your website
  2. Right-click on the page and click ‘inspect’
  3. In the developer console that opens, click on the ‘console’ tab

Any errors related to your website and certificate will be shown here. If the website uses a legacy Symantec certificate you will see the following warning in the Google Chrome developer console:

Symantec legacy certificate warning in developer console
 

Having a Symantec certificate after the Google Chrome update will result in the following warning: NET::ERR_CERT_SYMANTEC_LEGACY. For Firefox users the warning will be MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONTRAINT_FAILED.

The warning will look like this and will require users to manually bypass it before they can visit the site:

Symantec legacy certificate warning

For more information from Google about this issue see https://security.googleblog.com/2018/03/distrust-of-symantec-pki-immediate.html. Mozilla has written a blog for Firefox as well here: https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/

Workaround

No workaround available.

Resolution

What to do when your site uses a legacy Symantec certificate?

We strongly advise to check if your site uses one of these certificates. If your site uses a certificate like this we recommend to contact your hosting provider so they can fix it by updating the certificate.
 

Article Number:
000007790

Updated:
April 07, 2021 09:17 AM (over 3 years ago)

Tags:
Firmware, Known Issues and Workarounds, ZoneDirector, SmartCell Gateway

Votes:
2

This article is:
helpful
not helpful

Working...Please wait

This is here to prevent you from accidentally submitting twice.

The page will automatically refresh.

Alert!!

Close