SSL certificate not trusted by older devices

[felix-hoc]

Hi, it seems the updated SSL certificate is not trusted by a lot of older devices. This seems to be because the Sectigo root CA is not included there. Unfortunately updates to root CAs on devices are very limited.

Example from a Macbook Pro 2017, Safari 18.6 (latest):

This also affects other devices such as TVs, where it is not possible to modify the trusted root CAs.

I just wanted to raise awareness and get your thoughts on whether this is something that will get fixed or not. Thanks!

[wasp898]

@nipuni-axinom @Nimasha-axinom @AxinomSupport apologies for the ping... is there any feedback you can share here? 🙏

[nipuni-axinom]

Thanks for flagging this! We recently renewed using a Sectigo chain. The new Sectigo public roots are trusted by current Apple/Microsoft/Google/Mozilla platforms, but some legacy/embedded devices and environments with frozen trust stores can show trust errors until they update.
We’ll review the chain we serve to ensure all intermediates are included and prefer the cross-signed R46/USERTrust path where possible. If we see broader impact—especially on TVs—we’ll stand up an alternate hostname on a different root for maximum compatibility. Thanks for the report, and if you can share the exact OS version on that Mac, that would help us reproduce.

[felix-hoc]

Thanks for the update, and for looking into this!

if you can share the exact OS version on that Mac, that would help us reproduce.

Sure thing - this was MacOS Ventura 13.7.7

[wasp898]

We are seeing impact on most Samsung and LG TVs (both older and newer), and also on PS5 and Safari 16.

[MikeKav]

Hi

I found that https://whatsmychaincert.com/?media.axprod.net, reports some form of misconfiguration. Possibly intermediate changes could fix this...

However this Sectigo change is causing all Sony TV's 2025 to 2015 to report GET https://media.axprod.net/TestVectors/v7-MultiDRM-SingleKey/Manifest_1080p.mpd net::ERR_CERT_AUTHORITY_INVALID

I have not confirmed yet but I think this might also be impacting YouView Set Top Boxes for Humax, Vantiva and Sagemcom. Will try to confirm asap

[MikeKav]

Hi,

Testing was quicker than thought, I can confirm that the YouView set top boxes are failing with:
[Error] Failed to load resource: Unacceptable TLS certificate (Manifest_1080p.mpd, line 0)

[nipuni-axinom]

Hi,

@felix-hoc @wasp898 @MikeKav Could you please test it again and let us know the outcome?

[felix-hoc]

Hi @nipuni-axinom , I don't see any changes unfortunately - neither on Mac/Safari, nor on TVs :(

[MikeKav]

HI @nipuni-axinom , sorry but no change on Sagemcom STB: [Error] Failed to load resource: Unacceptable TLS certificate ((https://media.axprod.net/TestVectors/v9-MultiFormat/Clear/Manifest_1080p.mpd)

[nipuni-axinom]

Hi @felix-hoc @wasp898 @MikeKav ,

We deployed a fix last week. Please check if everything works fine.

[wasp898]

@nipuni-axinom still no change as far as I can see. The same devices fail just like before.

EDIT: actually, scratch that... the issue seems to no longer occur on Safari 16, but still happens on TVs and PS5.

[MikeKav]

I didn't have time to test all models. However still no success on the Sagemcom STB devices