"Block invalid certificates" option blocks valid certificates

I've been trying out the "block invalid certificates" option under web protection and have noticed that some valid certificates are blocked with error message "SSL error: unable to get local issuer certificate". Most blocked sites are ad networks but unfortunately some more necessary sites as well. When verifying the blocked certificates on another internet connection they are all fine in Chrome/Internet Explorer/Safari etc.

Anyone else having these issues?

 

  • AndersKindberg,

    the problem could be that the XG does not trust the CA that issued the certificate. I am not sure at what log you should look at but you can try from advanced shell (cli > 5 >3) and then

    cd /log

    tail -f *.log | grep -i certificate

    Regards

  • Servers are supposed to provide both their identity certificate and their intermediate certificate(s) in response to the Client Hello.   Many system managers do not install their certificates correctly, so the intermediate certificate is missing from the chain, which makes it untrusted.

    The major browsers use a feature called AIA Fetching to locate the missing certificate from a trusted source.   UTM does not have this feature, and I suspect that XG lacks it as well.

    To test whether a certificate is actually valid or not, you need to use an SSL Test utility.   Your certificate vendor will have one.   For a comprehensive test, use the server test utility at
      ssllabs . com

    Assuming this is the cause, and that you trust the site, this process should be a viable workaround:

    • Navigate to the site with a browser (Except Edge, which cannot display what you need)
    • Open the certificate properties.   This is clunk on Chrome.   On older versions of I.E., just use File.. Properties... [Certificates]
    • On the certificate path tab, navigate to the missing certificate and view its properties.
    • On the Details tab of that window, choose the option to save to file.
    • Import the intermediate certificate as if it was a root certificate.

    One of the purposes of an intermediate certificate is to rapidly and automtically invalidate a lot of certificates if a problem occurs, since root certificates cannot be invalidated.   I am not aware of this drastic measure being used, but you should be aware that by installing the certificate as a root, it can no longer be invalidated if that situation arises.   (A manual delete would be needed instead.)

    Of course, certificate revocation only works if your device performs certificate revocation checks.   You might ask whether XG does, or can.

    Another common server error is to include the root certificate in the download chain.  UTM used to reject those certificate chains as well, but it does not any more.   I am guessing that XG will have the ability to ignore the unwanted certificate as well.

    Occasionally, I have encountered servers with the chain ordered incorrectly.

    Once you do the server test on the certificates involved, you will know which configuration error is giving you problems.

  • I had the same problem when I turned that on, spent a lot of time scratching my head because IE/Chrome always said the certs were fine.  Finally gave up on it and turned it off.

  • Thanks for the replies! The XG log says "server certificate does NOT include an ID which matches the server name" and ssllabs.com says "This server's certificate chain is incomplete. Grade capped to B." so I guess the XG is someway on the right track.

    The test result on badssl.com with https decryption on and without block invalid certificates enabled is horrible so the best solution must be to exclude affected sites from https decryption.