New config UTM Home 9.6: a lot of websites and services don't work, mostly those with Let's Encrypt CA. Certificate handling problem

Hello,

I am new to UTM Home. I installed UTM 9.6 last week and, while checking all the services, websites etc. I need, I had some errors.

I also checked with the firewall open (for a short time, to verify that that's not the problem).

I couldn't reach: VPN to my company (Let's Encrypt CA), home banking, my cloud (Nextcloud with Let's Encrypt CA), my web server (Let's Encrypt CA).

Normal HTTPS websites work.

There must be a problem in handling Let's Encrypt certificates.

What can I do?

Thanks, Ursula Nürnberg

 

Briefly once more in German:

As a newcomer to UTM I promptly ran into a problem. I can no longer get to some important sites and web pages. Our web server, our own cloud, my home-office access to the company (OpenVPN) and home banking no longer work. The first ones on the list all use Let's Encrypt certificates. On top of that there are problems with Teamspeak: I can't get a connection to various servers (which certificate is used there I don't know).

It looks as though certificates from Let's Encrypt are not handled correctly and so no communication is established.

What can I do?

Ursula Nürnberg

  • Hallo Ursula and welcome to the UTM Community!

    The German part of your post mentions Teamspeak, so that makes me think it's not just a problem with Let's Encrypt. Does doing #1 in Rulz (last updated 2019-04-17) give you any answers? If not, what about checking for blocks by Web Filtering?

    Cheers - Bob

  • In reply to BAlfson:

    Hello Bob,

    Intrusion Prevention and Application Control are disabled by the installation wizard.

    As we have UTM at home, we do not have any ADS or DC.

    #1 in Rulz says it must be a routing problem.

    As my English is not so good, it will take a little time to understand Rulz #3 to 5.

    Briefly once more in German, I'm simply a bit better at that.

    The UTM is essentially as it came out of the installation wizard. Intrusion Prevention and Application Control were already disabled there; in the dashboard Intrusion Prevention and Application Control are at 0.

    So Rulz 3-5 have to be worked through. That will take a while; I'm a bit out of practice where these English texts are concerned.

    Cheers, Ursula

  • In reply to Ursula Nürnberg:

    Are you using HTTPS inspection (decrypt and scan)? I suspect that you are, and that UTM is correctly detecting that the remote site did not install an intermediate certificate. The easiest solution is to turn off HTTPS inspection.

    There are other workarounds available, if you really want to keep HTTPS inspection enabled. However, HTTPS inspection requires some administrative skill and labor effort, so I recommend leaving it off if you want simplified administration.
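The failure mode Doug describes, a server that presents only its leaf certificate so a client or an inspecting proxy cannot build a chain to the root, can be reproduced offline. The script below is an added example and is not code from the thread or from Sophos: it builds a throwaway root -> intermediate -> leaf PKI with openssl, then verifies the leaf once without and once with the intermediate, modelling what the server did or did not send in the handshake. The names (Example Root, Example Intermediate, nc.example.test) are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the "missing intermediate"
# failure with a disposable three-tier PKI built offline. A TLS client or an
# inspecting proxy (UTM "decrypt and scan") trusts only the root; if the
# server does not send the intermediate, no chain can be built and the
# handshake is rejected. All names below are made up for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build root -> intermediate -> leaf. Unencrypted 2048-bit RSA keys valid
# for two days: test material only, never reuse.
make_pki() {
  # Self-signed root CA; the client's only trust anchor.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
      -subj "/CN=Example Root" \
      -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null

  # Intermediate CA: CSR signed by the root with CA:TRUE and keyCertSign.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate" \
      -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
      > "$WORK/int.ext"
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
      -CAcreateserial -days 2 -extfile "$WORK/int.ext" -out "$WORK/int.pem" 2>/dev/null

  # Server (leaf) certificate signed by the intermediate, not by the root.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=nc.example.test" \
      -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:nc.example.test\nextendedKeyUsage=serverAuth\n' \
      > "$WORK/leaf.ext"
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
      -CAcreateserial -days 2 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
}

# verify_chain LEAF [SENT_INTERMEDIATES]
# Models the client side: the trust store holds only the root, and
# SENT_INTERMEDIATES is whatever the server included in its handshake.
# Exit 0 if a chain to the root can be built, non-zero otherwise.
verify_chain() {
  leaf=$1
  sent=${2:-}
  if [ -n "$sent" ]; then
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$sent" "$leaf" >/dev/null 2>&1
  else
    openssl verify -CAfile "$WORK/root.pem" "$leaf" >/dev/null 2>&1
  fi
}

make_pki

# Misconfigured server: leaf only. openssl reports
# "unable to get local issuer certificate".
if verify_chain "$WORK/leaf.pem"; then
  echo "leaf only: accepted (unexpected)"
else
  echo "leaf only: rejected, chain cannot be built without the intermediate"
fi

# Correct server: leaf plus intermediate sent in the handshake.
if verify_chain "$WORK/leaf.pem" "$WORK/int.pem"; then
  echo "leaf + intermediate: accepted"
else
  echo "leaf + intermediate: rejected (unexpected)"
fi
```

To check a real site for the same defect, `openssl s_client -connect host:443 -servername host -showcerts` prints every certificate the server sends; if only one `BEGIN CERTIFICATE` block appears and it is the leaf, the intermediate is missing on the server and the fix belongs there, not on the UTM.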

  • In reply to Ursula Nürnberg:

    Agreed with Doug. Before working through 3-5, look at the Web Filtering log. If you need more help, show a picture of the error message you're seeing and copy the line from the Web Filtering log related to it.

    Cheers and kind regards - Bob

  • In reply to DouglasFoster:

    How can I turn off HTTPS inspection?

    Webfilter Global is in transparent mode.

    Webfilter HTTPS is URL filtering only.

    I changed a lot on both tabs, but no success. I am confused by all that reading and trying, and nothing gets better.

    I read the online help in both English and German but didn't find out what to do.

  • In reply to BAlfson:

    Hi Bob,

    The error message I got was Timeout (Zeitüberschreitung),

    and I didn't find the matching entry in the Web Protection log. There is no line matching the website URL I had tested with.

    Cheers, Ursula

  • In reply to Ursula Nürnberg:

    Please, Ursula, I would have liked to see a picture of the error message.

    Kind regards - Bob

  • In reply to BAlfson:

    That's in Firefox. I tried the address from my mobile in parallel; there it works. So the site is there.

  • In reply to Ursula Nürnberg:

    I have no problem, neither with IE nor with Firefox, and "Decrypt and scan" is selected. Have you tried it with IE or Chrome?

    Kind regards - Bob

  • In reply to BAlfson:

    IE isn't possible, I'm on Ubuntu. The site was no problem before the router change.

    That was with the Chromium web browser.

  • In reply to Ursula Nürnberg:

    The settings in the UTM are:

    Plus transparent mode. How can I turn off HTTPS inspection, as Douglas suggested?

    Kind regards,

    Ursula

  • In reply to Ursula Nürnberg:

    Sorry, wrong picture; now the right one.

  • In reply to Ursula Nürnberg:

    You are correct, the problem is not caused by HTTPS inspection.

    Possible causes of timeout:

    • Intrusion Protection Service blocks the reply packet.  If this happens, it should be in the IPS log file.
    • Upstream firewall blocks either the request or the reply packets.  This is only possible if you have another firewall.
    • Routing problem causes the request or the reply packets to be lost.
    • DNS lookup failure causes the destination to be unknown.
    • Wiring problem causes excessive retransmits on the Ethernet, particularly having one device set to fixed speed and duplex while the other device is set to auto speed and duplex.

    I cannot think of any others.

  • In reply to DouglasFoster:

    Hello Doug and Bob,

    First I checked traceroute and nslookup, both from the UTM's tools and from a terminal window on my PC.

    The difference is clearly shown:


    traceroute_nc diebaerinde.txt
    From tools of UTM:

    traceroute to nc.diebaerin.de (85.214.143.128), 30 hops max, 40 byte packets using UDP
     1  * * *
     2  ip5886bd9e.dynamic.kabel-deutschland.de (88.134.189.158)  19.713 ms   18.680 ms   17.579 ms
     3  ip5886c375.static.kabel-deutschland.de (88.134.195.117)  18.246 ms   18.261 ms   20.734 ms
     4  145.254.3.88 (145.254.3.88)  17.729 ms   20.975 ms   21.375 ms
     5  145.254.2.203 (145.254.2.203)  35.905 ms   34.570 ms   31.294 ms
     6  145.254.2.203 (145.254.2.203)  33.053 ms   33.704 ms   32.618 ms
     7  et-1-2-0.core-ams14.as6724.net (80.249.210.180)  39.594 ms   40.543 ms   37.382 ms
     8  xe-1-2-0.0.core-b30.as6724.net (85.214.0.63)  38.217 ms   39.789 ms   40.252 ms
     9  vl425.dcata-b9.as6724.net (85.214.0.113)  38.930 ms   44.343 ms   43.001 ms
    10  * * *
    11  * * *
    12  * * *
    13  * * *
    14  * * *
    15  * * *

    From terminal window on my PC:

    traceroute to nc.diebaerin.de (85.214.143.128), 30 hops max, 60 byte packets
     1  gateway (192.168.2.100)  0.533 ms  0.507 ms  0.493 ms
     2  * * *
     3  * * *
     4  * * *
     5  * * *
     6  * * *
     7  * * *
     8  * * *
     9  * * *
    10  * * *
    11  * * *
    12  * * *
    13  * * *
    14  * * *
    15  * * *
    16  * * *
    17  * * *
    18  * * *
    19  * * *
    20  * * *
    21  * * *
    22  * * *
    23  * * *
    24  * * *
    25  * * *
    26  * * *
    27  * * *
    28  * * *
    29  * * *
    30  * * *

    UTM Tools:
    nc.diebaerin.de has address 85.214.143.128

    nslookup in terminal window:
    un@TUXun:~$ nslookup nc.diebaerin.de
    Server:		127.0.1.1
    Address:	127.0.1.1#53

    Non-authoritative answer:
    Name:	nc.diebaerin.de
    Address: 85.214.143.128

    Where could I correct it?

    Again in German:

    Both traceroute and nslookup showed differences in the output, as can be seen in the file I uploaded. Where can I turn the right screws there, i.e. change the settings?

    Kind regards, Ursula
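The two traces above differ in where they go dark: the UTM's own trace gets replies up to hop 9, inside the hosting provider's network, while the PC's trace gets a reply only from the gateway (the UTM itself) and nothing beyond it, which fits Doug's "routing problem" and "blocked reply packet" hypotheses. The script below is an added example, not code from the thread: it extracts the last answering hop from traceroute output so two traces can be compared mechanically. The sample traces are the UTM and PC output quoted in the post above, shortened to their first hops; nothing else is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): find the last hop that answered in
# traceroute output, so the UTM's trace and the PC's trace can be compared.
# The two traces are taken from the post above (first hops only).
set -eu

# last_responding_hop: read traceroute output on stdin and print the highest
# hop number whose first probe field is not "*". The header line is skipped
# because its first field ("traceroute") is not numeric.
last_responding_hop() {
  awk '
    BEGIN { last = 0 }
    $1 ~ /^[0-9]+$/ && $2 != "*" { if ($1 + 0 > last) last = $1 + 0 }
    END { print last }
  '
}

# Trace run from the UTM's tools, as posted (hops 1-11).
UTM_TRACE='traceroute to nc.diebaerin.de (85.214.143.128), 30 hops max, 40 byte packets using UDP
 1  * * *
 2  ip5886bd9e.dynamic.kabel-deutschland.de (88.134.189.158)  19.713 ms   18.680 ms   17.579 ms
 3  ip5886c375.static.kabel-deutschland.de (88.134.195.117)  18.246 ms   18.261 ms   20.734 ms
 4  145.254.3.88 (145.254.3.88)  17.729 ms   20.975 ms   21.375 ms
 5  145.254.2.203 (145.254.2.203)  35.905 ms   34.570 ms   31.294 ms
 6  145.254.2.203 (145.254.2.203)  33.053 ms   33.704 ms   32.618 ms
 7  et-1-2-0.core-ams14.as6724.net (80.249.210.180)  39.594 ms   40.543 ms   37.382 ms
 8  xe-1-2-0.0.core-b30.as6724.net (85.214.0.63)  38.217 ms   39.789 ms   40.252 ms
 9  vl425.dcata-b9.as6724.net (85.214.0.113)  38.930 ms   44.343 ms   43.001 ms
10  * * *
11  * * *'

# Trace run from a terminal on the PC behind the UTM, as posted (hops 1-4).
PC_TRACE='traceroute to nc.diebaerin.de (85.214.143.128), 30 hops max, 60 byte packets
 1  gateway (192.168.2.100)  0.533 ms  0.507 ms  0.493 ms
 2  * * *
 3  * * *
 4  * * *'

# compare_traces: print the last answering hop of each trace side by side.
# If the PC's number is 1 and the UTM's is larger, probes or their ICMP
# replies are not getting through the UTM itself.
compare_traces() {
  utm=$(printf '%s\n' "$UTM_TRACE" | last_responding_hop)
  pc=$(printf '%s\n' "$PC_TRACE" | last_responding_hop)
  echo "UTM trace: last answering hop $utm"
  echo "PC trace:  last answering hop $pc"
}

compare_traces
```

Run it as-is, or pipe a fresh capture into `last_responding_hop` (`traceroute host | last_responding_hop`) from both sides of the firewall to repeat the comparison after changing a setting.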

  • In reply to Ursula Nürnberg:

    I do not know. Other possibilities:

    Is your modem giving you the same subnet on the outside of UTM as you are using on the inside of UTM? This cannot work.

    Do you have a Fritzbox? I know nothing about them, but they seem to be common in Germany. There are many questions in this forum about Fritzbox setup problems.