Fixing TLS (MITM) Inspection Errors

Created by Victor Chupov, Modified on Wed, 17 Sep at 11:35 AM by Victor Chupov

Please forward the below to your IT services provider.

We are contacting you because some users in your organisation are experiencing certificate errors when accessing our service.

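This occurs due to a conflict between your network’s TLS inspection (man-in-the-middle decryption) feature and our site’s HSTS security policy. With HSTS in effect, browsers treat any certificate error for our domain as fatal and do not offer users an option to proceed.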

Option 1 – Preferred Solution

Please configure your firewall or web proxy to exclude our root domain and all its subdomains from TLS inspection. Depending on the vendor, the exclusion list may be called an “allow list” or a “TLS bypass” list.
Add the following domains to your TLS inspection exclusion list:

  • chemwatch.net

  • *.chemwatch.net (we keep introducing new subdomains for our SaaS services)

This is the standard industry practice for trusted SaaS applications, ensuring uninterrupted access for your users.
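
To confirm the exclusion is working, compare the certificate issuer seen from the inspected network with the issuer recorded on a network without inspection; an inspecting appliance re-signs the site certificate with its own CA, so the issuer changes. The script below is an added example, not Chemwatch tooling: the function names, the script name and the reference-issuer argument are assumptions, and it needs the `openssl` command-line tool.

```shell
#!/bin/sh
# Added example, not Chemwatch tooling. Requires the openssl CLI.
# Usage (script name is hypothetical):
#   sh check_tls_bypass.sh "<reference issuer>" chemwatch.net [more hosts...]
# <reference issuer> is what leaf_issuer prints on a network WITHOUT inspection.

# Print the issuer DN of the leaf certificate served on host:443, in RFC 2253
# form so the string is comparable across OpenSSL versions.
leaf_issuer() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -nameopt RFC2253 -issuer 2>/dev/null |
        sed 's/^issuer= *//'
}

# Interpret an observed issuer against the reference issuer.
classify_issuer() {
    seen=$1; want=$2
    if [ -z "$seen" ]; then
        echo "no-certificate"    # connection blocked or handshake failed
    elif [ "$seen" = "$want" ]; then
        echo "bypassed"          # original certificate reaches the client
    else
        echo "intercepted"       # certificate was re-signed by another CA
    fi
}

# Check every host; return non-zero if any host is not bypassed.
check_hosts() {
    ref=$1; shift
    rc=0
    for host in "$@"; do
        verdict=$(classify_issuer "$(leaf_issuer "$host")" "$ref")
        printf '%-32s %s\n' "$host" "$verdict"
        [ "$verdict" = "bypassed" ] || rc=1
    done
    return "$rc"
}

# Run only when a reference issuer and at least one host are given.
if [ "$#" -ge 2 ]; then check_hosts "$@"; fi
```

A verdict of `intercepted` after the exclusion has been applied means the rule does not match that hostname. Re-record the reference issuer if the site certificate has since been reissued by a different CA.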

Option 2 – Alternative Solution

If TLS exclusion is not possible, your appliance must trust the issuing Certificate Authorities (CAs) of our public certificate:

  1. Obtain the full certificate chain – Retrieve the server certificate and intermediates by inspecting our site (https://chemwatch.net) from a network without TLS inspection, or use an online tool such as SSL Labs Server Test.

  2. Import Intermediate CA certificates – Import the Intermediate CA(s) into the trusted store of your firewall or proxy. (Most appliances already trust the Root CA, so in most cases only the intermediates are required.)

  3. Refresh services and verify – Restart or refresh the TLS inspection service on your appliance. Then test access to https://chemwatch.net from an inspected network. End-users may also need to clear their browser cache. Chemwatch SaaS uses the same public certificate as our public website.


Next Steps:
Please implement one of the options listed above. If you require assistance, consult your firewall/proxy vendor’s documentation (e.g., Palo Alto Networks, Fortinet, Cisco) or contact their support.


Thanks and regards,

Victor

