SEC_ERROR_REUSED_ISSUER_AND_SERIAL error when using Decrypt HTTPS websites using SSL/TLS in EAP using Firefox

I am seeing this error intermittently when browsing in Firefox on a device with SSL/TLS decryption of HTTPS websites enabled. I have the ImportEnterpriseRoots setting enabled in Firefox to import the Sophos root CA. Browsing works for a period of time, and looking at the certificate chain I can see that the root CA is a Sophos one, so HTTPS interception is working. However, after a period of time (usually a few hours) any site I browse to generates the following error: SEC_ERROR_REUSED_ISSUER_AND_SERIAL. If I close and reopen all browser windows, I am able to successfully browse to the same sites again.

Googling this error points to articles that suggest deleting the certificates or CAs that cause the issue, but this is not sustainable when we look to roll this out to 500 users. https://support.mozilla.org/en-US/kb/Certificate-contains-the-same-serial-number-as-another-certificate

Looking at the certificate authority in Windows for the Sophos Endpoint, it looks to have been generated today. Is it the case that the certificate is not a static certificate but one that changes regularly, and could this be causing the issue?
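Firefox (NSS) caches certificates keyed on issuer plus serial number, so an interception CA that mints a fresh leaf certificate per site but repeats a serial under the same issuer produces exactly this error. The following added diagnostic (not code from the thread or from Sophos) pulls the issuer and serial out of DER certificates and reports any (issuer, serial) pair that covers more than one distinct certificate; the sample certificates are constructed minimal TBSCertificate skeletons, not real certificates, so you would feed it the leaf certificates exported from the browser instead.

```python
def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]: (tag, value, next_pos); short and long lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def issuer_and_serial(cert_der):
    """Return (issuer_name_der, serial) from a DER X.509 certificate:
    Certificate { tbs { [0] version?, serialNumber, signature, issuer, ... } }."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    assert tag == 0x30, "not a SEQUENCE"
    _, tbs, _ = _read_tlv(cert, 0)
    tag, val, pos = _read_tlv(tbs, 0)
    if tag == 0xA0:                      # optional explicit [0] version
        tag, val, pos = _read_tlv(tbs, pos)
    assert tag == 0x02, "expected serialNumber INTEGER"
    serial = int.from_bytes(val, "big", signed=True)
    _, _, pos = _read_tlv(tbs, pos)      # skip signature AlgorithmIdentifier
    tag, issuer, _ = _read_tlv(tbs, pos)
    assert tag == 0x30, "expected issuer Name"
    return issuer, serial

def find_reused_issuer_serial(certs):
    """{(issuer, serial): {distinct DER blobs}} for keys that NSS would reject as reused."""
    seen = {}
    for der in certs:
        seen.setdefault(issuer_and_serial(der), set()).add(der)
    return {k: v for k, v in seen.items() if len(v) > 1}

# --- constructed samples: minimal TBSCertificate skeletons, not real certificates ---
def _der(tag, content):
    n = len(content)
    assert n < 0x100                     # long form with one length byte is enough here
    return (bytes([tag, n]) if n < 0x80 else bytes([tag, 0x81, n])) + content

def fake_cert(issuer_cn, serial, subject_cn):
    name = lambda cn: _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
    tbs = (_der(0xA0, _der(0x02, b"\x02"))                                  # version v3
           + _der(0x02, serial.to_bytes(serial.bit_length() // 8 + 1, "big"))
           + _der(0x30, _der(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B"))  # sha256WithRSA
           + name(issuer_cn) + _der(0x30, b"") + name(subject_cn))
    return _der(0x30, _der(0x30, tbs))

CA = "Sophos SSL CA (constructed)"
CERTS = [fake_cert(CA, 1001, "www.example.com"),
         fake_cert(CA, 1001, "mail.example.net"),   # same issuer and serial, different site
         fake_cert(CA, 1002, "api.example.org")]
```

If the report is non-empty for leaves exported during a broken session, the interception CA is reusing serials and the fix belongs on the proxy side, not in the browser's certificate store.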

  • Is this only happening to your own domains, and do you happen to use a wildcard certificate? I have yet to check if I have the Enterprise Root Firefox GPO enabled, but this issue began happening to us yesterday on the two machines we currently have in the EAP. We needed to exempt our domain, as our subdomains for various services all use a wildcard certificate. However, the exemptions for IP addresses do not currently seem to work.