
No longer updating - SSL Cert not trusted?

I have been making a switch on my home network from Avast to Sophos since I'm using the Sophos UTM 9 and it includes enough licenses for me to cover all my systems. I was testing and everything seemed fine, but today I noticed that updates weren't working on any systems when I was checking on status in the UTM after installing on a new system. I got a message about the new install not being able to register. So I've been searching online and trying to troubleshoot, and I suspect I've found the issue? The SSL Cert on *.broker.sophos.com isn't trusted by any of my systems. Any time I try to update

 

Attaching screen shots for reference

 

 

Here's some log info:

SophosUpdate.log -
2017-11-25T17:27:42.079Z [ 5092] INFO  WinMain =========================
2017-11-25T17:27:42.079Z [ 5092] INFO  WinMain SophosUpdate is starting.
2017-11-25T17:27:42.079Z [ 5092] INFO  WinMain AutoUpdate version      : 5.1.1.1
2017-11-25T17:27:42.079Z [ 5092] INFO  WinMain SophosUpdate version    : 5.1.1.1
2017-11-25T17:27:42.080Z [ 5092] INFO  WinMain Build                   : 100004
2017-11-25T17:27:42.080Z [ 5092] INFO  WinMain =========================
2017-11-25T17:27:42.080Z [ 5092] INFO  Environment::Print Platform ID: WIN_10_X64
2017-11-25T17:27:42.080Z [ 5092] INFO  Environment::Print Platform upgraded:0
2017-11-25T17:27:42.080Z [ 5092] INFO  Environment::Print Subscription: cd2a5386-f08c-42b1-8d98-{OMITTED FOR PUBLIC UPLOAD BY ME} RECOMMENDED 1
2017-11-25T17:27:42.080Z [ 5092] INFO  Environment::Print Features:
2017-11-25T17:27:42.080Z [ 5092] INFO  WinMain Set process security
2017-11-25T17:27:42.080Z [ 5092] INFO  WinMain Initialise COM.
2017-11-25T17:27:42.080Z [ 5092] INFO  WinMain Load config.
2017-11-25T17:27:42.081Z [ 5092] INFO  `anonymous-namespace'::ReadFileContents Slurping file of size 930 bytes.
2017-11-25T17:27:42.081Z [ 5092] INFO  WinMain Create registry reporter.
2017-11-25T17:27:42.081Z [ 5092] INFO  WinMain Create platform reporter.
2017-11-25T17:27:42.082Z [ 5092] INFO  WinMain Load state.
2017-11-25T17:27:42.082Z [ 5092] INFO  StatePersister::Load Loading state file C:\ProgramData\Sophos\AutoUpdate\data\status\SophosUpdateStatus.xml
2017-11-25T17:27:42.082Z [ 5092] INFO  WinMain Create progress reporter.
2017-11-25T17:27:42.095Z [ 5092] INFO  WinMain Create language neutral logger.
2017-11-25T17:27:42.095Z [ 5092] INFO  WinMain Create downloader.
2017-11-25T17:27:42.095Z [ 5092] INFO  WinMain Create installer.
2017-11-25T17:27:42.096Z [ 5092] INFO  WinMain Create adapter writer.
2017-11-25T17:27:42.096Z [ 5092] INFO  IPCBase::IPCBase IPCBase::IPCBase: Connected to shared memory A32951C539924a12B3C8F2FDA5A268E4
2017-11-25T17:27:42.096Z [ 5092] INFO  WinMain Create completion reporter.
2017-11-25T17:27:42.096Z [ 3200] INFO  `anonymous-namespace'::SenderThreadFn::operator() Sender thread started.
2017-11-25T17:27:42.096Z [ 5092] INFO  WinMain Create update logic.
2017-11-25T17:27:42.096Z [ 3200] INFO  IPCSender::ProcessSend IPCSender::ProcessSend started
2017-11-25T17:27:42.096Z [ 3200] INFO  IPCSender::ProcessSend IPCSender::ProcessSend: No messages in queue, starting to wait
2017-11-25T17:27:42.096Z [ 5092] INFO  WinMain Performing update.
2017-11-25T17:27:42.096Z [ 5092] INFO  UpdateLogic::Update Reporting update start.
2017-11-25T17:27:42.097Z [ 5092] INFO  IPCSender::Write IPCSender::Write: Writing message: <?xml version="1.0" encoding="utf-8" ?><Config type="RMSStartUpdate" />
2017-11-25T17:27:42.097Z [ 3200] INFO  IPCSender::ProcessSend IPCSender::ProcessSend: Send message: <?xml version="1.0" encoding="utf-8" ?><Config type="RMSStartUpdate" />
2017-11-25T17:27:42.097Z [ 3200] INFO  IPCSender::ProcessSend IPCSender::ProcessSend: No messages in queue, starting to wait
2017-11-25T17:27:42.128Z [ 5092] INFO  UpdateLogic::SyncAndInstall Syncing products.
2017-11-25T17:27:42.128Z [ 5092] INFO  SDDSDownloader::SyncInternal Adding Sophos Location: dci.sophosupd.com/cloudupdate
2017-11-25T17:27:42.128Z [ 5092] INFO  SDDSDownloader::SyncInternal Adding Sophos Location: dci.sophosupd.net/cloudupdate
2017-11-25T17:27:42.129Z [ 5092] INFO  SDDSDownloader::SyncInternal Username: {OMITTED FOR PUBLIC UPLOAD BY ME}
2017-11-25T17:27:42.130Z [ 5092] INFO  SDDSDownloader::SyncInternal No manually configured proxy.
2017-11-25T17:27:42.130Z [ 5092] INFO  WindowsProxyDiscoveryWrapper::GetDefaultProxyConfiguration WinHttp default proxy not set
2017-11-25T17:27:42.138Z [ 5092] WARN  WindowsProxyDiscoveryWrapper::GetProxyForUrl Failed to get the automatic proxy configuration. The error code was 12180.
2017-11-25T17:27:44.549Z [ 5092] ERROR SDDSDownloader::ReportSyncFailure Failed to read remote metadata.
2017-11-25T17:27:44.550Z [ 5092] INFO  UpdateLogic::SyncAndInstall Saving state.
2017-11-25T17:27:44.551Z [ 5092] INFO  StatePersister::Save Overwriting state file C:\ProgramData\Sophos\AutoUpdate\data\status\SophosUpdateStatus.xml
2017-11-25T17:27:44.552Z [ 5092] INFO  UpdateLogic::SyncAndInstall Skipping product install as Sync failed.
2017-11-25T17:27:45.575Z [ 5092] INFO  IPCSender::Write IPCSender::Write: Writing message: <?xml version="1.0" encoding="utf-8" ?><Config type="RMSEndUpdate"><ErrorMessage><ID>SDDSDownloadFailed</ID><StringID>107</StringID><Sender>SophosUpdate</Sender><Insert>cd2a5386-f08c-42b1-8d98-40240059e361</Insert><Insert>dci.sophosupd.com/.../ErrorMessage><ReadableMessage>ERROR:   Download of cd2a5386-f08c-42b1-8d98-40240059e361 failed from server dci.sophosupd.com/.../Config>
2017-11-25T17:27:45.575Z [ 5092] INFO  WinMain SophosUpdate has completed with the result 0.
2017-11-25T17:27:45.575Z [ 3200] INFO  IPCSender::ProcessSend IPCSender::ProcessSend: Send message: <?xml version="1.0" encoding="utf-8" ?><Config type="RMSEndUpdate"><ErrorMessage><ID>SDDSDownloadFailed</ID><StringID>107</StringID><Sender>SophosUpdate</Sender><Insert>cd2a5386-f08c-42b1-8d98-40240059e361</Insert><Insert>dci.sophosupd.com/.../ErrorMessage><ReadableMessage>ERROR:   Download of cd2a5386-f08c-42b1-8d98-40240059e361 failed from server dci.sophosupd.com/.../Config>
2017-11-25T17:27:45.575Z [ 3200] INFO  IPCSender::ProcessSend IPCSender::ProcessSend: No messages in queue, starting to wait
2017-11-25T17:27:46.576Z [ 3200] INFO  IPCSender::ProcessSend IPCSender::ProcessSend exiting
2017-11-25T17:27:46.576Z [ 3200] INFO  `anonymous-namespace'::SenderThreadFn::operator() Sender thread finished.
2017-11-25T17:27:46.577Z [ 5092] INFO  StatePersister::Save Overwriting state file C:\ProgramData\Sophos\AutoUpdate\data\status\SophosUpdateStatus.xml

ACL.LOG


 

Here is a screenshot from a system that's been running for a while. It appears on the 15th something changed.



  • Hi  

    Can you try installing the certificate manually?

    Download the certificate to your local machine

    1. Go to Certificates then click the Certificate Authorities tab and click on the download icon next to SecurityAppliance_SSL_CA under the Manage column to download the Certificate.
    2. The certificates SecurityAppliance_SSL_CA and SecurityApplianceSelfSignedCA are shipped with the device. Alternatively, administrators can also import their custom CA.
    3. Save this certificate in your local machine.

    Install the certificate in your web browser

    Internet Explorer

    1. In the Menu Bar, click Tools > Internet Options to display the Internet Options window.
    2. Switch to the Content tab and, under the Certificates section, click Certificates to display the Certificates Window.
    3. Switch to the Trusted Root Certification Authorities tab and click the Import button to start Certificate Import Wizard.
    4. Import the Certificate downloaded in step 1 using this wizard.


    Firefox

    1. In the Menu Bar, click Tools > Options to display the Options window.
    2. Switch to the Advanced tab and then select the Certificates tab.
    3. Click View Certificate to display the Certificate Manager window.
    4. Switch to the Authorities tab and click Import.
    5. Select the Certificate downloaded in step 1 and click Open.
    6. In the Downloading Certificate window, select Trust this CA to identify websites and click OK.


    Google Chrome

    1. To the right of the Address Bar, click on Customize and control Google Chrome button and click Settings.
    2. Click Show advanced settings and scroll down to HTTPS/SSL.
    3. Click Manage Certificates... to display the Certificates window.
    4. Switch to the Trusted Root Certification Authorities tab and click the Import button to start Certificate Import Wizard.
    5. Import the Certificate downloaded in step 1 using this wizard.


    Safari

    1. Download the SSL CA Certificate as shown in step 1.
    2. Once downloaded, double-click the Certificate. This launches Keychain Access and displays a Certificate Not Trusted warning.
    3. Click Always Trust to import the certificate into Login Keychain.

    Opera

    1. Click the Opera button on the top left corner of the screen and click Settings.
    2. Switch to the Privacy & Security tab.
    3. Under HTTPS/SSL, click Manage Certificates… to display the Certificates window.
    4. Switch to the Trusted Root Certification Authorities tab and click the Import button to start the Certificate Import Wizard.
    5. Import the Certificate downloaded in step 1 using this wizard.

     

    Install the Certificate in the local machine’s Trusted Root Authority container

    Windows

    1. Open the Microsoft Management Console by typing "MMC" in the "Run" box.
    2. Open Add or Remove Snap-ins by selecting FILE > ADD/REMOVE SNAP-IN...
    3. Select Certificates from the list and click Add to display the Certificates Snap-in window.
    4. Select the Computer Account and click Next.
    5. Click Finish and close the list of snap-ins.
    6. Click OK to add the certificates snap-in, which should now be visible in the Add/Remove Snap-ins window.
    7. Expand the list of certificate containers, right click Trusted Root Authorities and choose All Tasks > Import to start Certificate Import Wizard.
    8. Import the Certificate downloaded in step 2 using this wizard.


    Macintosh

    1. Download the SSL CA Certificate as shown in step 1.
    2. Once downloaded, double-click the Certificate. This launches Keychain Access and displays a Certificate Not Trusted warning.
    3. Click Always Trust to import the certificate into Login Keychain.

     

    Refer to Sophos Firewall: SSL CA Certificate Installation Guide for additional details.

    Regards,

    Gowtham Mani
    Community Support Engineer | Sophos Technical Support

    Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link.
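
The Windows machine-store import described in the reply above, as added PowerShell that is not part of the original reply or of Sophos documentation: it compares the downloaded file's fingerprint with one you read from the appliance before trusting it, adds it to the machine's Trusted Root store, and lists every store that holds a copy. The file path and the expected fingerprint are placeholders (assumptions), and the script must run from an elevated prompt.

```powershell
# Added example. Both parameters are placeholders (assumptions):
#   $CaFile             - where you saved the CA downloaded from the appliance
#   $ExpectedThumbprint - SHA-1 fingerprint read from the appliance itself
param(
    [string]$CaFile = 'C:\Temp\SecurityAppliance_SSL_CA.pem',
    [string]$ExpectedThumbprint = '<SHA1-FINGERPRINT-FROM-APPLIANCE>'
)
$ErrorActionPreference = 'Stop'

# Parse the file without trusting it yet
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CaFile

# Normalise the expected fingerprint (strip colons and spaces) and compare
$want = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($cert.Thumbprint -ne $want) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint). Not importing."
}

# A root you trust for TLS inspection should carry the CA flag and be in date
$bc = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}
if (-not ($bc -and $bc.CertificateAuthority)) {
    Write-Warning 'Certificate has no basicConstraints CA flag.'
}
if ($cert.NotAfter -lt (Get-Date)) {
    Write-Warning "Certificate expired on $($cert.NotAfter)."
}

# Add to Local Computer > Trusted Root Certification Authorities
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$store.Open('ReadWrite')
try { $store.Add($cert) } finally { $store.Close() }

# Show every machine and user store that now holds this certificate, so stray
# copies outside the Root store are visible
Get-ChildItem Cert:\LocalMachine, Cert:\CurrentUser -Recurse |
    Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] -and
        $_.Thumbprint -eq $cert.Thumbprint
    } |
    Select-Object PSParentPath, Subject, NotAfter |
    Format-List
```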

  • Thanks for the response. Unfortunately, that CA seems to be missing? I recently added a new * SSL cert; is it possible that when I did this and changed it, it deleted something? I know I personally didn't delete it.

  • Hi BC68, 

    Could you please check if there are 2 certificates at the location c://programdata\sophos\certificates\Manag...... ? It would seem the certificate should be stored under Trusted Root Authorities, as per the snapshot below. Remove the certificate from other locations.

    Run > certmgr

    Regards,

    Aditya Patel
    Global Escalation Support Engineer | Sophos Technical Support


  • Hello - those two certs are not in any of the systems I've checked, in any location.

  • OK, sorry I was traveling for work last week and didn't have the time, nor brain power to correctly decipher what you said, the 'c://programdata\sophos\certificates\Manag......' wasn't clear to me, but I got it figured out and followed the rest of the instructions. Unfortunately it didn't resolve the issue. It's entirely possible the SSL cert really isn't the issue, and that was a bad path I went down.

    I'm wondering if the issue is really the "User name and Password" that the agent is using for connecting to the update servers? Based on installing the above-listed certs and rebooting not resolving the issue, I decided to do a complete uninstall, reboot and full install. Upon doing so I am getting this message:

     

    Just because I even disabled Windows Defender to see if it was causing an issue, and there is no change. I'm not able to update (or now register) the AV.