
New Config UTM Home 9.6, a lot of Websites and Services don't work, mostly those with Let's Encrypt CA. Certificate Handling Problem

Hello,

I am new to UTM Home. I installed UTM 9.6 last week and, while checking all needed services, websites etc., I got some errors.

I also checked with the firewall open (for a short time, to verify that that's not the problem).

I couldn't reach: VPN to my company (Let's Encrypt CA), home banking, my cloud (Nextcloud with Let's Encrypt CA), my web server (Let's Encrypt CA).

Normal HTTPS websites work.

There must be a problem in handling Let's Encrypt certificates.

What can I do?

Thanks, Ursula Nürnberg

Briefly once more in German:

As a newcomer to UTM I promptly ran into a problem. I can no longer reach some important sites and websites. Our web server, our own cloud, my home office access to the company (OpenVPN) and home banking no longer work. The first ones on the list all use Let's Encrypt certificates. In addition there are problems with Teamspeak; I can't get a connection to various servers (I don't know which certificate is there).

It looks as if certificates from Let's Encrypt are not handled correctly and so no communication comes about.

What can I do?

Ursula Nürnberg

  • Hallo Ursula and welcome to the UTM Community!

    The German part of your post mentions Teamspeak, so that makes me think it's not just a problem with Let's Encrypt.  Does doing #1 in Rulz (last updated 2019-04-17) give you any answers?  If not, what about checking for blocks by Web Filtering?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello Bob,

    Intrusion Prevention and Application Control are disabled by the installation wizard.

    As we have UTM at home, we do not have any ADS or DC.

    #1 in Rulz says it must be a routing problem.

    As my English is not so good, it will take a little time to understand Rulz #3 to 5.

    Briefly in German again, I am a bit better at that.

    The UTM is essentially as it came from the installation wizard. Intrusion Prevention and Application Control were already disabled there. In the dashboard, Intrusion Prevention and Application Control are at 0.

    So Rulz 3-5 are to be worked through. That will take a while, as I am a bit out of practice with these English texts.

    Cheers, Ursula

  • Are you using HTTPS inspection (decrypt and scan)?   I suspect that you are, and that UTM is correctly detecting that the remote site did not install an intermediate certificate.   The easiest solution is to turn off HTTPS inspection.

    There are other workarounds available, if you really want to keep HTTPS inspection enabled.   However, HTTPS inspection requires some administrative skill and labor effort, so I recommend leaving it off if you want simplified administration.

  • Agreed with Doug.  Before working through 3-5, look at the Web Filtering log.  If you need more help, show a picture of the error message you're seeing and copy the line from the Web Filtering log related to it.

    Cheers and kind regards - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • How can I turn off HTTPS inspection?

    Web Filter Globals is transparent mode

    Web Filter HTTPS is URL filtering only

    I changed a lot on both tabs, but no success. I am confused by all that reading and trying, and nothing gets better.

    I read the online help in both English and German but didn't find out what to do.

  • Hi Bob,

    The error message I got was Timeout (Zeitüberschreitung)

    and I didn't find the matching one in the Web Protection log. There is no line matching the website URL I had tested with.

    Cheers, Ursula

  • Please, Ursula, I would have liked to see a picture of the error message.

    Kind regards - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • This is in Firefox. I tried the address in parallel from my mobile, and it works there. So the site is up.

  • I have no problem, neither with IE nor with Firefox, and "Decrypt and scan" is selected.  Have you tried it with IE or Chrome?

    Kind regards - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • IE is not possible, I'm on Ubuntu. The site was no problem before the router change.

    That was with the Chromium web browser.

  • The settings in the UTM are:

    Plus transparent mode. How can I turn off HTTPS inspection, as Douglas suggested?

    Kind regards

    Ursula

  • Sorry, wrong picture, now the right one.

  • You are correct, the problem is not caused by https inspection.

    Possible causes of timeout:

    • Intrusion Protection Service blocks the reply packet.  If this happens, it should be in the IPS log file.
    • Upstream firewall blocks either the request or the reply packets.  This is only possible if you have another firewall.
    • Routing problem causes the request or the reply packets to be lost.
    • DNS lookup failure causes the destination to be unknown.
    • Wiring problem causes excessive retransmits on the Ethernet, particularly having one device set to fixed speed and duplex while the other device is set to auto speed and duplex.

    I cannot think of any others.

  • Hello Doug and Bob

    First I checked traceroute and nslookup, both from the tools of the UTM and from a terminal window on my PC.

    Difference clearly shown:

    From tools of UTM:
    traceroute to nc.diebaerin.de (85.214.143.128), 30 hops max, 40 byte packets using UDP
     1  * * *
     2  ip5886bd9e.dynamic.kabel-deutschland.de (88.134.189.158)  19.713 ms   18.680 ms   17.579 ms
     3  ip5886c375.static.kabel-deutschland.de (88.134.195.117)  18.246 ms   18.261 ms   20.734 ms
     4  145.254.3.88 (145.254.3.88)  17.729 ms   20.975 ms   21.375 ms
     5  145.254.2.203 (145.254.2.203)  35.905 ms   34.570 ms   31.294 ms
     6  145.254.2.203 (145.254.2.203)  33.053 ms   33.704 ms   32.618 ms
     7  et-1-2-0.core-ams14.as6724.net (80.249.210.180)  39.594 ms   40.543 ms   37.382 ms
     8  xe-1-2-0.0.core-b30.as6724.net (85.214.0.63)  38.217 ms   39.789 ms   40.252 ms
     9  vl425.dcata-b9.as6724.net (85.214.0.113)  38.930 ms   44.343 ms   43.001 ms
    10  * * *
    11  * * *
    12  * * *
    13  * * *
    14  * * *
    15  * * *

    From Terminal Window on my PC:
    traceroute to nc.diebaerin.de (85.214.143.128), 30 hops max, 60 byte packets
     1  gateway (192.168.2.100)  0.533 ms  0.507 ms  0.493 ms
     2  * * *
     3  * * *
     4  * * *
     5  * * *
     6  * * *
     7  * * *
     8  * * *
     9  * * *
    10  * * *
    11  * * *
    12  * * *
    13  * * *
    14  * * *
    15  * * *
    16  * * *
    17  * * *
    18  * * *
    19  * * *
    20  * * *
    21  * * *
    22  * * *
    23  * * *
    24  * * *
    25  * * *
    26  * * *
    27  * * *
    28  * * *
    29  * * *
    30  * * *

    UTM Tools:
    nc.diebaerin.de has address 85.214.143.128

    nslookup Terminal Window:
    un@TUXun:~$ nslookup nc.diebaerin.de
    Server:		127.0.1.1
    Address:	127.0.1.1#53

    Non-authoritative answer:
    Name:	nc.diebaerin.de
    Address: 85.214.143.128

    Where could I correct it?

    Again in German:

    Both traceroute and nslookup showed differences in the output, as can be seen in the file I uploaded. Where can I turn the right knobs, i.e. change the settings?

    Kind regards, Ursula
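As an added example (my own code, not from this thread or from Sophos): a small parser for the two traceroute outputs above that reports the last hop that answered on each side and classifies the difference. The embedded traces are shortened excerpts of the ones posted here; the category labels are mine.

```python
import re
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")   # "<ttl>  rest of hop line"
RTT_RE = re.compile(r"([\d.]+)\s*ms")       # every "12.345 ms" on the line

def parse_traceroute(text):
    """Return [(ttl, host_or_None, [rtt_ms, ...])]; header lines are skipped."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue                       # "traceroute to ..." header
        ttl, rest = int(m.group(1)), m.group(2).strip()
        if not rest.replace("*", "").strip():   # "* * *": nothing answered
            hops.append((ttl, None, []))
        else:
            hops.append((ttl, rest.split()[0],
                         [float(x) for x in RTT_RE.findall(rest)]))
    return hops

def last_responding_hop(hops):
    """Highest TTL that produced a reply, 0 if nothing answered at all."""
    return max((ttl for ttl, host, _ in hops if host is not None), default=0)

def diagnose(utm_trace, pc_trace):
    """Compare a trace run on the UTM itself with one run on a LAN client."""
    utm_last = last_responding_hop(parse_traceroute(utm_trace))
    pc_last = last_responding_hop(parse_traceroute(pc_trace))
    if utm_last > 1 and pc_last <= 1:
        # The UTM reaches its upstream, but client packets never get past the
        # UTM: check forwarding/NAT, inside vs. outside subnet overlap, MTU.
        return "stuck-at-utm"
    if pc_last < utm_last:
        return "upstream-loss"             # client gets out, dies further along
    return "consistent"

# Shortened excerpts of the two traces posted in this thread.
UTM_TRACE = """traceroute to nc.diebaerin.de (85.214.143.128), 30 hops max, 40 byte packets using UDP
 1  * * *
 2  ip5886bd9e.dynamic.kabel-deutschland.de (88.134.189.158)  19.713 ms   18.680 ms   17.579 ms
 9  vl425.dcata-b9.as6724.net (85.214.0.113)  38.930 ms   44.343 ms   43.001 ms
10  * * *
"""
PC_TRACE = """traceroute to nc.diebaerin.de (85.214.143.128), 30 hops max, 60 byte packets
 1  gateway (192.168.2.100)  0.533 ms  0.507 ms  0.493 ms
 2  * * *
 3  * * *
"""
if __name__ == "__main__":
    print(diagnose(UTM_TRACE, PC_TRACE))   # stuck-at-utm
```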

  • I do not know.   Other possibilities:

    Is your modem giving you the same subnet on the outside of UTM as you are using on the inside of UTM?   This cannot work.

    Do you have a Fritzbox?   I know nothing about them, but they seem to be common in Germany.   There are many questions in this forum about Fritzbox setup problems.

  • Hi Douglas, it's no Fritzbox. It is a Vodafone TG34442DE in bridge mode. Vodafone says it is a simple cable modem now. Any router can be used behind it.

  • Some people in this forum have had problems with their ISP specifying a small MTU in DHCP parameters.    UTM honors the setting then runs badly.   There is a way to tell UTM to ignore the supplied MTU.   Search earlier posts or perhaps Mr Alfson knows.

  • Hi Bob and Douglas,

    thanks for all your help, I learned a lot.

    I decided to restart the whole procedure and I hope to make it all right now.

    Wish me luck

    Ursula

  • Good catch, Doug.  We did have lots of complaints from European members that their ISP was setting the MTU to 576.  This used to require work at the command line and with cron jobs, but the option was added to specify the MTU in the interface definition.  This is in 'Advanced' for DSL-type Interfaces.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA