Field Notice: FN - 72557 - Cisco Secure Email Gateway: Update Needed to Certificate Authority Trust Store to Avoid Failure of Cisco Aggregator Service - Software Upgrade Recommended

Available Languages

Updated:April 11, 2023
Document ID:FN72557

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Notice

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.

Revision History

Revision Publish Date Comments
1.0
04-Apr-23
Initial Release

Products Affected

Affected OS Type Affected Software Product Affected Release Affected Release Number Comments
NON-IOS
AsyncOS for Secure Email
11
11.0.0, 11.0.3, 11.1.0
NON-IOS
AsyncOS for Secure Email
12
12.0.0, 12.1.0, 12.5.0, 12.5.3
NON-IOS
AsyncOS for Secure Email
13
13.0.5, 13.5.1, 13.5.3
NON-IOS
AsyncOS for Secure Email
14
14.0.0, 14.2.0

Defect Information

Defect ID Headline
CSCwc95269 ESA : Unable to connect to the Cisco Aggregator Server

Problem Description

The internal Certificate Authority (CA) trust store used by the Cisco Aggregator (Click Tracking) service does not include the root CA IdenTrust Commercial Root CA 1. Due to this, any Secure Email Gateway (ESA) that runs an impacted version of AsyncOS will lose Click Tracking functionality once the existing https://aggregator.cisco.com/ certificate has expired and is renewed using the IdenTrust Commercial Root CA 1 root CA.

Background

For enhanced security, the certificate supplied to https://aggregator.cisco.com/ will be renewed using a CA of HydrantID Server CA O1, which is then further issued by the root CA IdenTrust Commercial Root CA 1. The current DigiCert certificate will expire in February 2024, and customers who utilize Click Tracking will be required to upgrade to a fixed AsyncOS release before this time in order to avoid disruption to their service.

Problem Symptom

This alert will be seen:

Unable to connect to the Cisco Aggregator Server.
Details: (60, 'SSL certificate problem: unable to get local issuer certificate'

In addition to the alert, the same message can be observed within the cloud_connector logs:

An error occurred when fetching the URL click track record data from the Cisco Aggregator Server: (60, 'SSL certificate problem: unable to get local issuer certificate')

Workaround/Solution

In order to resolve this issue, upgrade to one of these fixed AsyncOS versions:

  • 14.2.2-004 or later
  • 14.3.0-020 or later

Customers who currently use or plan to use a FIPS-compliant AsyncOS version should upgrade to 14.2.2. Customers who require FIPS certification should upgrade to 15.0, which is tentatively scheduled to be released in April of 2023.

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:

Receive Email Notification For New Field Notices

My Notifications—Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

This Document Applies to These Products