This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

How to fix error: "Following domain(s) will not be covered by selected HTTPS certificate."

Paul McGinnie over 2 years ago

I am trying to get my ActiveSync setup to work across my Sophos XG 18.5.3 MR-3 install.

I follow the recipe found at https://support.sophos.com/support/s/article/KB-000040209?language=en_US

When I try to save the firewall rule mentioned towards the bottom of the article I get an error:

"Following domain(s) will not be covered by selected HTTPS certificate 'My Mail Cert':

1. mail.mcginnie.plus.com"

This would seem to defeat the entire point of the access rule. So I tried creating another certificate using a CSR with some extra SANs, but get the same sort of result - the error denies that the addresses I want encrypted will work properly.

I can see there is one reference to this sort of error here (https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/129866/automated-certificate-renewals-with-waf-and-cloudflare) where this error is suggested to be ignored.

My setup isn't working - is that because of this error or the recipe is incomplete?

Regards,

Paul McGinnie

This thread was automatically locked due to age.

Top Replies

Paul McGinnie over 2 years ago +1

This rule now works as it should but still gives the error - the prior failure was due to my error in using a FQDN. So the recipe works, but tells you that it won't - so just an front end problem it appears…

Parents

0 Vivek Jagad over 2 years ago

Hi Paul,

Thank you for your query, are you using a wild card cert here? OR you have a cert of mail.mcginnie.plus.com for https://mail.mcginnie.plus.com ?
I think you would need a a certificate with SAN of mail.mcginnie.plus.com to for https://mail.mcginnie.plus.com

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Technical Support, Global Customer Experience

Log a Support Case | Sophos Service Guide
Best Practices – Support Case | Security Advisories
Compare Sophos next-gen Firewall | Fortune Favors the prepared
Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 Paul McGinnie over 2 years ago in reply to Vivek Jagad

The CN=mail.mcginnie.plus.com and Subject Alternative name list has both autodiscover.mcginnie.plus.com and mail.mcginnie.plus.com present (and others). I do not use wildcards - just a list of explicit SANs.

Having loaded this cert in response to a CSR, and selecting it in the relevant dropdown in the firewall rule specification, then the "Domains" field prepopulated with "mail.mcginnie.plus.com".

A strange observation is that if I select the Certificate I use for the internal web interface (for which I have a long list of SANs as possible aliases) then I get a long list of "Domains"

Regards,

Paul McGinnie
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Paul McGinnie over 2 years ago in reply to Vivek Jagad

The CN=mail.mcginnie.plus.com and Subject Alternative name list has both autodiscover.mcginnie.plus.com and mail.mcginnie.plus.com present (and others). I do not use wildcards - just a list of explicit SANs.

Having loaded this cert in response to a CSR, and selecting it in the relevant dropdown in the firewall rule specification, then the "Domains" field prepopulated with "mail.mcginnie.plus.com".

A strange observation is that if I select the Certificate I use for the internal web interface (for which I have a long list of SANs as possible aliases) then I get a long list of "Domains"

Regards,

Paul McGinnie
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data