Issued: Nov 1st, 2021
Several weeks ago, Contrast announced a move to a static list of IP addresses for all Contrast SaaS Instances and moved to ‘Let’s Encrypt’ as our certificate authority. After the migration, several customers reported agents appearing offline because of problems with this certificate authority.
To prevent further issues until a new and more universally trusted certificate authority is selected, Contrast rolled back the changes to the majority of Contrast SaaS Instances on Thursday, October 14th.
Upon further investigation, the Contrast team has selected GlobalSign as our new certificate authority because it is more universally trusted. Migration to GlobalSign is scheduled for Monday, Nov 15, 2021.
How Do I Know if I Need to Update my Certificate Authority:
- If you’ve previously had to add a Contrast certificate to work with Contrast
- If you modified the trust store on your systems to remove certificate authorities
Details about the GlobalSign root certificate can be found here.
Please reach out to your Application, Infrastructure or Network teams for additional details on whether an updated certificate is required.
As a Reminder:
If you need an IP-based rule on your firewall to allow traffic to reach the Contrast SaaS system, you will need to add the new IP addresses to your edge firewalls. For a list of the new IPs as well as any other applicable technical details, click here.
If no firewall rule was required, or your firewall is bound to the relevant Contrast SaaS DNS entry, then no action needs to be taken.
If you are receiving this notice and a firewall rule is required, there are several steps you may need to take to prepare for the change:
- Open the IP Range, found here.
- If applicable, update your trusted certificate authorities to include GlobalSign, as described above.
- Please DO NOT remove the AWS IP Range until Contrast has confirmed all traffic is passing through the new routing as expected.