Chrome OS no longer supports self-signed Proxy CA - UTM Home

First, apologies if this is already asked/answered here. I haven't been able to find a solution to this problem.

tl;dr - My son's Chromebook, and my own, no longer trust or can be made to trust the self-signed proxy CA. When I install the certificate in Chrome > Settings> Manage Certificates > Import, the certificate is installed, but listed as UNTRUSTED.

Even with URL Filtering only selected on the web filter profile, anything that would prompt a proxy intervention (uncategorized warning, quota selection, etc) causes an error that I cannot solve. Chrome on my Win 10 PC observes system cert policy, and so does Brave (based on Chromium).

I used to use this without trouble (over a year ago), perhaps before Chrome implemented a new trust policy. I used to allow most categories, and quota entertainment, games, etc. I typically did not bother with decrypt and scan, but when I was playing, I could get that to work after importing the cert. (I typically install the cert from passthrough.fw-notify.net/cacert.pem but this too, results in no change in behavior)

Am I missing something basic here, or do home users have no avenue (absent the google admin console) to properly install trusted self-signed certs?

  • Hi  

    This error is due to UTM's Proxy CA not being trusted by Chromebook.  Are you using Sophos UTM as a Standard proxy? I'm more curious about why did the UTM scan the traffic. Would you please check the HTTP logs when the error occurs on Chromebook? If the page was allowed, it will then require troubleshooting on the Chromebook side. If the page was denied, then UTM will throw Blocked Page with its self-signed certificate. 

  • In reply to Jaydeep:

    Standard/Transparent doesn't change behavior. I prefer standard, but also tried transparent.

    The page that generates this error is the attempt to display the quota selection screen, where the user chooses how much quota time to use.

    When I import the certificate into Chrome, it shows as imported, but is untrusted. 

    IIRC, I used to quota-control more categories (when my son was younger), and the chromebook used to say something along the lines of: "This network requires sign in" which would direct my son to the quota screen immediately. In either case, though, it used to trust the certificate, because it was imported, and now it doesn't. I cannot seem to make chrom trust this cert. In Windows, Chrome obeys the system policy, so when I import the certificate into "Trusted Root Certification Authorities," I no longer receive the warnings. 

  • In reply to gcracker:

    What happens if you Up2Date to 9.701 when available and regenerate the Proxy CA?

    Cheers - Bob

  • In reply to BAlfson:

    I'll try it as soon as I can. 

    I know this issue is really one for Google, but I get no help in their support forums. I figure someone here MUST have wrestled through this successfully. I can't be the only one using a home license with no need for a real wildcard cert at home, and who also has chromebooks and wants to use the web proxy.