
Invalid Certificate Error

Hello,

Recently we have been running into issues where users are unable to access websites that were previously available to them. The error they are receiving is NET::ERR_CERT_AUTHORITY_INVALID. This started shortly after we upgraded from Chrome 58 to 63. We originally thought the jump in version was to blame, but after rolling back we are still having the same issue. The issue is also present in Internet Explorer. It seems to be flagging random websites such as Facebook, CNN, and other HTTPS-enabled sites, but it is totally random. Users are reporting the certificate issue in the morning, but if they wait for a while it may or may not load the page a few minutes later. The sites are not consistent either. Some users have never had the issue and others have it every day. The certificate it is pointing to is the Signing CA under Filtering Options > HTTPS CAs. We are not using decrypt and scan, however the browsers are using our Signing CA as the certificate for valid websites. When the pages finally load they show the proper certificate. We do use a proxy on all of our computers that go through the UTM.

At the request of Sophos tech support we downloaded the certificate from our UTM and pushed it to all users via GPO, but that did not make a difference. It is my understanding that we should only need to do that if we are using decrypt and scan. He also had me restart the appliances in an attempt to get them to resync. I enabled and disabled Decrypt and Scan hoping it might trigger something in the system to stop scanning. This has been going on for over a week and the support tech we are using has not been able to resolve the issue, so I was hoping somebody here may have seen and corrected this issue before.


Thanks in advance,

Dustin



  • About this comment:

    "It is my understanding that we should only need to do that if we are using decrypt and scan."

    This is a common misconception. The certificate is needed so that UTM can impersonate the target website. This is obviously the case with decrypt-and-scan, but it is also necessary for UTM to display block and warn pages (for target URLs that were referenced using HTTPS). So deploying the UTM Root certificate is really necessary for all implementations.

    The design alternative to block/warn pages would be for UTM to discard packets and let the user wait until the browser reported a timeout. Users would find this frustrating and confusing. The UTM approach is actually the best one.

    However, I have no idea why your results are inconsistent.

  • If you have an SSL certificate from a Certificate Authority (CA) which is not valid (self-signed), then Google Chrome will give the error NET::ERR_CERT_AUTHORITY_INVALID.

    I would be tempted to remove the certificate and re-add it again. I use it in the same way, only for displaying the block pages on HTTPS connections (no HTTPS inspection enabled), and that is pushed out to our users via GPO. Also, is the cert a standard internal one or external? I have seen a similar error once with a missing field on a cert.

    Thanks, Duncan

  • Thanks for your response. It looks like my case has been escalated all the way to the dev level within Sophos. Through packet captures they can see the authentication handshake happening but it appears that it is breaking down somewhere along the line. So for now we're guessing it has more to do with an authentication issue than a problem with the certificate itself.

  • We've been having this problem for about a week now, but when it started it was very few people and random. This week it's been everyone in the company, and unless I turn off the 'Do not proxy HTTPS traffic in transparent mode', secure sites are failing in every case. We've installed our cert on the UTM and had it assigned to be used for the signing CA for years, but now all of a sudden problems galore - and nothing has changed on the UTM outside of adding some site-to-site VPN setups.

  • Hey hgriffith.

    "This week it's been everyone in the company and unless I turn off the 'Do not proxy HTTPS traffic in transparent mode', secure sites are failing in every case"

    By "turn off" I take it that when you untick the box "Do not proxy HTTPS traffic in transparent mode", meaning you are proxying HTTPS, you don't have the issue. So, to be clear, when you DO proxy HTTPS through the proxy you DO NOT see the certificate error?

    Regards,

    Giovani

  • Apologies. If I tick the box to bypass the proxy, it works. In other words, if I don't proxy HTTPS it works.

  • Could you show us some screenshots of the error in Chrome, the information about the certificate at the client side and your HTTPS CA configuration from Web Protection?

    Regards,

    Giovani

  • Yes, I'll upload those later today after most users leave for the day. I don't want to interrupt their use while it's working.

  • You need to get certainty about what certificates Chrome is seeing. Click through the warning to let the web page load, then use

    (menu)... More Tools... Developer Tools... >> (if Security tab is not visible)... Security (tab)... [View Certificates] (button)

    Probably the most important is the Certificate Path. Click on each certificate to see if it says "Certificate is OK". Click on the root certificate and choose the [View Certificate] button to see the properties window for the root. Compare all of the details to the root certificate that you are expecting. Also check the signature algorithm, expiration, and SAN names for each certificate.

    Have you ever replaced your CA root? I can imagine two possibilities if you did: (a) UTM is sometimes sending the old root instead of the new one, and the solution would be for Support to scrub the old one out of the system. (b) The client does not have the current root installed properly.

    Desperate times call for desperate measures. Another option:

    If you have been running UTM for a long time and performing only incremental upgrades, you might consider rebuilding the system from the newest CD distribution, then restoring your configuration from a backup. It ensures a clean configuration. I was unhappily forced to do so when upgrading from 9.408 to 9.506, but was happy with the end result. The process only took about an hour, much less than waiting for the individual patches to be applied. I bypassed all of the bad versions, so I finished with a cleaner build with less space used than if the incremental process had worked correctly.
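    As an added example (not code from this thread or from Sophos), the following Go program reproduces offline the check described in the post above: it constructs a throwaway public root CA and a throwaway "UTM signing CA", issues the same www.example.com certificate from each, and then reports, from the point of view of a client that trusts only the public root, whether the chain validates, who the issuer is, and the signature algorithm, SANs and expiry. All CA names, the host name and the certificates are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Diagnosis mirrors what the browser's certificate view shows for one served chain.
type Diagnosis struct {
	Issuer, SigAlg         string    // issuer CN; signature algorithm
	TrustedOK, Intercepted bool      // validates against the client's roots; issued by the proxy CA
	SANs                   []string  // subject alternative names
	NotAfter               time.Time // expiry
}

// Diagnose validates leaf for host against the client's roots and checks whether proxyCA issued it.
func Diagnose(leaf, proxyCA *x509.Certificate, roots *x509.CertPool, host string) Diagnosis {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return Diagnosis{Issuer: leaf.Issuer.CommonName, SigAlg: leaf.SignatureAlgorithm.String(),
		TrustedOK: err == nil, Intercepted: leaf.CheckSignatureFrom(proxyCA) == nil,
		SANs: leaf.DNSNames, NotAfter: leaf.NotAfter}
}

// issue builds a constructed throwaway cert for cn signed by parent (nil parent = self-signed root CA).
func issue(cn string, parent *x509.Certificate, pkey *ecdsa.PrivateKey, dns ...string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ca := parent == nil
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		IsCA: ca, BasicConstraintsValid: true, DNSNames: dns,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if ca {
		parent, pkey = tmpl, key // self-signed: the template is its own issuer
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Scenario issues the site cert from the real CA and from the UTM CA and diagnoses both as a client trusting only the public root.
func Scenario() (direct, intercepted Diagnosis) {
	siteCA, siteKey := issue("Constructed Public Root CA", nil, nil)
	utmCA, utmKey := issue("Constructed UTM Signing CA", nil, nil)
	roots := x509.NewCertPool() // constructed client trust store: public root only, no UTM CA
	roots.AddCert(siteCA)
	genuine, _ := issue("www.example.com", siteCA, siteKey, "www.example.com")
	proxied, _ := issue("www.example.com", utmCA, utmKey, "www.example.com")
	return Diagnose(genuine, utmCA, roots, "www.example.com"), Diagnose(proxied, utmCA, roots, "www.example.com")
}
```

    The second diagnosis is the situation the thread describes: the leaf is signed by the UTM signing CA, so a client without that root installed gets the authority-invalid error, while Intercepted tells you the proxy, not the site, produced the certificate.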

  • Update on this, but first some detail. We have 27 SGs in production and all are for the most part configured identically. So this was driving me crazy that only one unit was having this problem, but it happened to be the one at HQ with 500 users. Anyway, we have all of them set for Web Filtering with some policies, but on the HTTPS tab we're only doing 'URL filtering only'. No decrypt and scan. As far as I know, since UTM 9.2 the UTM CA doesn't need to be installed on our machines for blocking of HTTPS sites. I understand it won't catch the content and will just block URLs, but anyway... I checked, double checked and triple checked all settings against a sister appliance to make sure I didn't accidentally change something - couldn't find any reason as to why it wasn't working. The only difference was that the others had only been up for 7-30 days and this one had an uptime of 67 days. Really shouldn't be a problem, but I figured wth, let's reboot it. Voilà - it starts working. Go figure, the simplest option solves it. Cannot tell you why; even looking at logs didn't show anything relevant.

    To answer DouglasFoster's suggestions - since we were not using the decrypt and scan option, the CA Root issue didn't apply, so I didn't do anything with that; and we have never imported the UTM CA into our machines manually or by GPO. But I did check the cert that was being passed to the browser (Chrome, IE and Firefox all showed the error) and it was showing our Proxy CA as the cert. Which is strange, because it should not have been configured that way, as I mentioned above. So the UTM appeared to be acting like it was set for Decrypt and Scan, but it wasn't.