
https host not found certificate error

Good day, ladies and gentlemen,

Please excuse me if this question is unnecessary, but I have been tinkering with this and am not getting anywhere.

I uploaded the root certificate of our Windows PKI under Web Protection -> Filter Options -> HTTPS CAs.

As a result, the automatically generated pages are also certified. But only blocked pages, i.e. "https://www.verboteneseite.de" or "http://www.verboteneseite.de".

It also works this way for http pages that cannot be found, such as "http://www.hirn.de".

But as soon as I try to open "https://www.hirn.de" ("www.hirn.de" cannot be found), I get a certificate warning from my browser.

Of course I looked at it and compared it with the others, but to my untrained eye they look the same at first glance.

The Sophos throws this into the log:

utm-sophos httpproxy[11646]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="CONNECT" srcip="172.16.240.10" dstip="" user="user" group="u_group" ad_domain="domain" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_HttCffSchler (u_group)" size="0" request="0xc74c2600" url="https://www.hirn.de/" referer="" error="Host not found" authtime="39" dnstime="83115" cattime="47604" avscantime="0" fullreqtime="359561" device="1" auth="2" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" exceptions="" category="9998" reputation="unverified" categoryname="Uncategorized"


I would be very grateful for any help.

Best regards,

Rorscha
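An added example for triaging lines like the one quoted above (not code from the thread or from Sophos): it parses the UTM httpproxy key="value" format and separates a proxy-side error on an HTTPS CONNECT, where the UTM's generated page is delivered under the proxy CA, from the same failure on plain HTTP, where no certificate is involved. The sample lines are constructed from the quoted entry with most fields trimmed; IPs, ids and hostnames are placeholders.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample lines in the Sophos UTM httpproxy key="value" format, cut down from
# the entry quoted in the post above; IPs, ids and hostnames are placeholders.
SAMPLE_LOG = """\
utm-sophos httpproxy[11646]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="CONNECT" srcip="172.16.240.10" dstip="" user="user" statuscode="502" url="https://www.hirn.de/" error="Host not found" dnstime="83115" categoryname="Uncategorized"
utm-sophos httpproxy[11646]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="172.16.240.10" dstip="" user="user" statuscode="502" url="http://www.hirn.de/" error="Host not found" dnstime="80211" categoryname="Uncategorized"
utm-sophos httpproxy[11646]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="172.16.240.10" dstip="198.51.100.7" user="user" statuscode="200" url="http://example.com/" error="" dnstime="12" categoryname="Business"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_line(line: str) -> Dict[str, str]:
    """Split one httpproxy line into its key="value" fields; empty values are kept."""
    return dict(KV_RE.findall(line))

def is_https(entry: Dict[str, str]) -> bool:
    # A CONNECT is the browser opening a TLS tunnel; the URL scheme is a second hint.
    return entry.get("method") == "CONNECT" or entry.get("url", "").startswith("https://")

def classify(entry: Dict[str, str]) -> str:
    """Label an entry the way the thread's symptom is triaged: a non-empty error field
    means the proxy itself failed (here DNS: 'Host not found', empty dstip, status 502),
    otherwise the block is a filter-policy decision. Either way the UTM answers with a
    generated page, which on HTTPS is delivered under the proxy CA."""
    if entry.get("action") != "block":
        return "allowed"
    kind = "proxy-error" if entry.get("error") else "policy-block"
    return f"{kind}/{'https' if is_https(entry) else 'http'}"

def needs_proxy_ca(entry: Dict[str, str]) -> bool:
    """True when the client only sees this block page without a warning if its
    certificate store trusts the UTM's HTTPS CA."""
    return entry.get("action") == "block" and is_https(entry)

def triage(log: str) -> List[Tuple[str, str, str, bool]]:
    entries = [parse_line(l) for l in log.splitlines() if l.strip()]
    return [(e.get("url", ""), e.get("statuscode", ""), classify(e), needs_proxy_ca(e))
            for e in entries]

if __name__ == "__main__":
    for url, status, label, ca in triage(SAMPLE_LOG):
        print(f"{status} {label:18} ca-trust-required={ca} {url}")
```

The first sample line reproduces the poster's case: a blocked CONNECT with an empty dstip and "Host not found", so the warning comes from the client not trusting the CA the generated page is signed with, not from the remote site.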



  • I also just noticed from your original post that the browser was Firefox. Firefox does not use the system certificate store; it maintains one for each user. If the user logs into Firefox, this certificate can move with them from one computer to the next. You need to get the UTM root certificate into each user's certificate store. PolicyPak is an extra-cost product, but it is the easiest way of getting this done.

    I think Firefox has plans to allow use of the system certificate store, but it would still be a user-specific configuration step to turn this mode on. Last I remember, it did not seem to be an available feature.

    You can also get certificate errors in the browser simply because the remote server is not configured correctly.

    To review different configuration scenarios, and their requirements:

    • HTTPS Inspection OFF, https-enabled web page is blocked or warned by UTM:
         UTM Web Proxy Root certificate must be distributed to desktop devices.

    • HTTPS Inspection ON, any https-enabled web page is handled by UTM:
         UTM Web Proxy Root certificate must be distributed to desktop devices.

    • HTTPS Inspection OFF, UTM allows the web page but the remote server has a certificate error:
         Browser will display a warning page. Some browsers will allow the user to override, some will not. UTM is not involved.

    • HTTPS Inspection ON, remote server certificate error, no exception configured:
         UTM will display a certificate block page, with an option for override (admin credentials required).

    • HTTPS Inspection ON, remote server certificate error, certificate exception configured:
         UTM will ignore the certificate problem; the user will not be aware of the problem because the page will display normally.

    Some related issues:

    • Chrome has a feature to attempt HTTPS whenever possible, and there are a lot of cloud-hosted servers that have HTTP/443 enabled even though the site was never intended to be used for https. These will of course cause a certificate error. Using a different browser might allow you to use the site in http mode. I do not know how to change Chrome's behavior, other than a Chrome extension that I have seen advertised but never used and cannot recommend.

    • Some server owners forget to install the intermediate certificate along with the identity certificate. Browsers will work around the error, but UTM with HTTPS inspection does not implement the workaround. The best solution is to obtain the intermediate certificate and load it into UTM as a root certificate.

    • SSLLABS.com has a comprehensive tool for testing whether a remote server has https configured correctly and securely. Most certificate vendors have a tool as well; usually these are simpler and quicker. I always use one of these tools before creating an exception for a certificate problem.