On February 28, 2022, at around 15:53 EST, Duo's Engineering Team was alerted by monitoring that customers with Cisco ASA LDAP integrations on DUO55 were unable to connect to Duo. The root cause was identified as a change to the root CA for a certificate used to verify connectivity between Cisco ASA devices and Duo's service.
The issue was resolved on the same day by restoring the previous trusted CA.
Affected deployment: DUO55 (impacting only three customers)
Duo SRE had recently rolled out a renewed X.509 certificate whose certificate chain differed from the previous one, as part of the routine certificate renewal process. The root CA that DigiCert uses to sign the new certificate had changed: the previous certificate chained to "CN=DigiCert High Assurance EV Root CA", while the new certificate chained to "CN=DigiCert Global Root CA". Any ASA device whose trusted certificate pool lacked the new root CA could no longer validate the chain, so communication with the LDAP endpoint failed.
After discovering the change in root CA, Duo updated its public documentation (KB article) to reflect the new structure of the certificate chain.
As a short-term solution, Duo rolled back to the previous certificate, signed by DigiCert High Assurance EV Root CA, which resolved the connectivity issues. Duo is working to have the certificate reissued so that it continues to chain to the original root CA (DigiCert High Assurance EV Root CA) rather than DigiCert Global Root CA.
This incident was limited to three customers.
Note: You can find your Duo deployment’s ID and sign up for updates via the StatusPage by following the instructions in this knowledge base article.