Sophos SSL VPN client error=unable to get local issuer certificate

Hello

When I try to use a valid Comodo PositiveSSL Wildcard certificate for remote VPN access to UTM 9 (9.355-1), the Sophos client gives this error:

Tue Mar 15 12:36:34 2016 VERIFY ERROR: depth=1, error=unable to get local issuer certificate: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA
Tue Mar 15 12:36:34 2016 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Tue Mar 15 12:36:34 2016 TLS Error: TLS object -> incoming plaintext read error
Tue Mar 15 12:36:34 2016 TLS Error: TLS handshake failed

The cert + CA chain is installed and used in WebAdmin and the portal without any issue.

If I use the default local X509 cert for SSL remote access, the issue disappears (self-signed cert).

It seems that the local CA cert downloaded from the user portal doesn't contain the full CA chain.

Any idea?

Thank you

  • Hi, Michele, and welcome to the UTM Community!

    With the SSL VPN, the cert selected on the 'Advanced' tab must be issued using the same VPN Signing CA as the user cert.  It's not straightforward to replace the UTM's VPN Signing CA with Comodo's CA + Intermediate CA, so your best bet is indeed to use the "Local X509 Cert."

    Cheers - Bob
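The check behind the log lines in the first post, as an added, constructed example (not code from this thread or from Sophos): the client verifies the server certificate against the CA file shipped in its .ovpn, and, as Bob explains, that file holds the UTM's VPN Signing CA rather than the commercial root, so the chain the server presents fails at depth 1. The script assumes the openssl CLI is installed; all CA names and file names are made up.

```shell
#!/bin/sh
# Constructed demo (not from the thread): build a root -> intermediate -> leaf
# chain, then verify the leaf the way an OpenVPN client does. With only a
# different CA in the trusted file the check fails at depth 1 with "unable to
# get local issuer certificate"; with the chain's root it passes.
# Requires the openssl CLI. All names and files are made up.
set -eu
WORK="$(mktemp -d)"
cd "$WORK"

cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
EOF

mk_root() {  # mk_root STEM "CN": self-signed CA written to STEM.pem/.key
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -keyout "$1.key" \
    -out "$1.pem" -subj "/CN=$2" -config ca.cnf -extensions v3_ca 2>/dev/null
}
sign() {  # sign ISSUER-STEM STEM "CN" SECTION: cert for CN signed by ISSUER
  openssl req -newkey rsa:2048 -nodes -keyout "$2.key" -out "$2.csr" \
    -subj "/CN=$3" -config ca.cnf 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" -CAcreateserial \
    -days 30 -extfile ca.cnf -extensions "$4" -out "$2.pem" 2>/dev/null
}

mk_root public_root "Public Root CA"      # stand-in for the commercial root
mk_root vpn_ca      "VPN Signing CA"      # stand-in for the UTM's own CA
sign public_root public_int "Public Intermediate CA" v3_ca
sign public_int  server     "vpn.example.test"       v3_leaf

# check_chain TRUSTED SENT LEAF: TRUSTED is the CA file the client trusts (the
# "ca" entry of the .ovpn), SENT the extra certs the server presents in the
# handshake. Prints openssl's verdict; returns 0 only if LEAF chains to TRUSTED.
check_chain() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3" 2>&1
}

# Client trusts only the VPN Signing CA: error 20 at depth 1, the intermediate.
check_chain vpn_ca.pem public_int.pem server.pem || true
# Client trusts the public root: the same presented chain verifies.
check_chain public_root.pem public_int.pem server.pem
```

Swapping the trusted file is the whole difference between the two runs; the certificates the server sends are identical, which is why replacing the server cert alone does not help unless the client's CA file is changed to match.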

  • In reply to BAlfson:

    Michelle and Bob,

    Michelle, thanks for asking this question. Bob, thank you for the suggestion.

    Joel

  • Same problem with the Comodo CA and SSL VPN: certificate verify failed.

    Unfortunately, if I set the local X509 I still get the certificate error.

    Any ideas?

    Thanks

  • In reply to Andrea Clerici:

    Ciao Andrea and welcome to the UTM Community!

    The Server certificate selected on the 'Advanced' tab must have been generated using the same CA as the User (client) certificate.  Was that your problem?

    Cheers - Bob

  • In reply to BAlfson:

    Problem solved.

    I confirm that the problem was that the certificate I used to create the user had expired, and since I changed it I was not able to connect.

    I set the local X509 certificate back and recreated the user; now the connection is back.

    Thank you Bob
