
Invalid Certificate Error

Hello,

Recently we have been running into issues where users are unable to access websites that were previously available to them. The error they are receiving is NET::ERR_CERT_AUTHORITY_INVALID. This started shortly after we upgraded from Chrome 58 to 63. We originally thought the jump in version was to blame, but after rolling back we are still having the same issue. The issue is also present in Internet Explorer. It seems to be flagging random websites such as Facebook, CNN, and other HTTPS-enabled sites, but it is totally random. Users are reporting the certificate issue in the morning, but if they wait for a while it may or may not load the page a few minutes later. The sites are not consistent either. Some users have never had the issue and others have it every day. The certificate it is pointing to is the Signing CA under Filtering Options > HTTPS CAs. We are not using decrypt and scan; however, the browsers are using our Signing CA as the certificate for valid websites. When the pages finally load they show the proper certificate. We do use a proxy on all of our computers that go through the UTM.

At the request of Sophos tech support we downloaded the certificate from our UTM and pushed it to all users via GPO, but that did not make a difference. It is my understanding that we should only need to do that if we are using decrypt and scan. He also had me restart the appliances in an attempt to get them to resync. I enabled and disabled Decrypt and Scan hoping it might trigger something in the system to stop scanning. This has been going on for over a week and the support tech we are using has not been able to resolve the issue, so I was hoping somebody here may have seen and corrected this issue before.


Thanks in advance,

Dustin



  • about this comment:

    "It is my understanding that we should only need to do that if we are using decrypt and scan."

    This is a common misconception. The certificate is needed so that UTM can impersonate the target website. This is obviously the case with decrypt-and-scan, but it is also necessary for UTM to display block and warn pages (for target URLs that were referenced using HTTPS). So deploying the UTM Root certificate is really necessary for all implementations.

    The design alternative to block/warn pages would be for UTM to discard packets and let the user wait until the browser reported a timeout. Users would find this frustrating and confusing. The UTM approach is actually the best one.

    However, I have no idea why your results are inconsistent.
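The reply above explains the mechanism: whenever the UTM serves a block or warn page for an HTTPS URL, the browser receives a certificate minted by the UTM Signing CA instead of the site's genuine chain, and a client that does not trust that CA reports exactly the NET::ERR_CERT_AUTHORITY_INVALID error from the original post. The script below is an added triage helper, not code from the thread or from Sophos. For each host it performs two TLS handshakes, one validated against the system trust store and one validated only against the exported UTM Signing CA, and records which of the two succeeds. Assumptions not in the thread: the Signing CA has been exported to a file named `utm-signing-ca.pem` (placeholder), the certificate the UTM mints carries the target hostname, and an explicit proxy, if used, accepts HTTP CONNECT on a `(host, port)` pair you supply.

```python
"""Added triage helper (not from the thread): for each host, attempt a TLS
handshake validated against the public trust store and another validated
only against the UTM Signing CA, then classify what the client was shown."""
import socket
import ssl
from datetime import datetime, timezone

# Assumption: path of the Signing CA exported from the UTM under
# Filtering Options > HTTPS CAs. Placeholder name, adjust as needed.
UTM_SIGNING_CA_PEM = "utm-signing-ca.pem"


def issuer_cn(cert):
    """Return the issuer commonName from an ssl.getpeercert()-style dict,
    or None when the dict carries no issuer (e.g. an empty dict)."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def classify(public_ok, utm_ok):
    """Map the two handshake outcomes to what the browser would have seen."""
    if public_ok:
        return "genuine"             # site's real chain, public CA
    if utm_ok:
        return "intercepted-by-utm"  # certificate minted by the UTM Signing CA
    return "unknown-issuer"          # neither trust store accepts it


def _open_tcp(host, port, proxy, timeout):
    """Plain TCP to the host, or a CONNECT tunnel via an explicit proxy (host, port)."""
    if proxy is None:
        return socket.create_connection((host, port), timeout=timeout)
    sock = socket.create_connection(proxy, timeout=timeout)
    sock.sendall(f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode())
    reply = b""
    while b"\r\n\r\n" not in reply:
        chunk = sock.recv(4096)
        if not chunk:
            break
        reply += chunk
    status_line = reply.split(b"\r\n", 1)[0]
    if not status_line.startswith(b"HTTP/1.") or b" 200" not in status_line:
        sock.close()
        raise OSError(f"proxy refused CONNECT: {status_line!r}")
    return sock


def _handshake(host, port, context, proxy, timeout=5.0):
    """Return (True, peer-cert dict) on success, (False, error text) otherwise."""
    try:
        with _open_tcp(host, port, proxy, timeout) as raw:
            with context.wrap_socket(raw, server_hostname=host) as tls:
                return True, tls.getpeercert()
    except (ssl.SSLError, OSError) as exc:
        return False, str(exc)


def probe(host, port=443, utm_ca_pem=UTM_SIGNING_CA_PEM, proxy=None):
    """Probe one host and return a dict suitable for logging over time."""
    public_ctx = ssl.create_default_context()                # system CAs only
    utm_ctx = ssl.create_default_context(cafile=utm_ca_pem)  # UTM Signing CA only
    public_ok, public_info = _handshake(host, port, public_ctx, proxy)
    utm_ok, utm_info = _handshake(host, port, utm_ctx, proxy)
    cert = public_info if public_ok else utm_info if utm_ok else {}
    return {
        "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "host": host,
        "verdict": classify(public_ok, utm_ok),
        "issuer": issuer_cn(cert),
        "error": None if (public_ok or utm_ok) else public_info,
    }


if __name__ == "__main__":
    import sys
    # Sites named in the thread serve as defaults; pass others on the command line.
    hosts = sys.argv[1:] or ["www.facebook.com", "www.cnn.com"]
    for h in hosts:
        r = probe(h)
        print(f'{r["time"]} {r["host"]:<22} {r["verdict"]:<20} issuer={r["issuer"]} {r["error"] or ""}')
```

Run it from an affected workstation on a schedule (every minute or so) and keep the output: an `intercepted-by-utm` verdict at the moment a user reports the error shows the UTM answered that connection with its own certificate, which is consistent with a block or warn page being served, while `genuine` at the same moment points away from the UTM. An `unknown-issuer` verdict, with the recorded error text, means some other party terminated the TLS session and is worth raising with support together with the packet captures mentioned later in the thread.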

  • Thanks for your response. It looks like my case has been escalated all the way to the dev level within Sophos. Through packet captures they can see the authentication handshake happening but it appears that it is breaking down somewhere along the line. So for now we're guessing it has more to do with an authentication issue than a problem with the certificate itself.
