
SEC_ERROR_EXPIRED_CERTIFICATE for web proxied sites

Hello, I am a home user of the Sophos XG firewall - SFVH (SFOS 19.0.0 GA-Build317) - and use it to proxy specific sites... two of the things I proxy are Google and YouTube. Recently, it seems that the certificates that my appliance creates have expired and are not being renewed. For example, if I attempt to navigate to youtube.com, I receive the following error in Firefox:

Looking at the cert it's trying to use, it actually is expired:

My Sophos SSL CA certificate is valid until 2036 and I thought that this other certificate would automatically be generated/renewed, since it's managed by the Sophos XG appliance (I thought).

If I disable SSL inspection, youtube loads just fine with a Google issued certificate. It's only when I turn back on the web proxy for this that the error is shown.


How can I resolve this? I've ensured the time is correct, restarted the system and services, but it keeps trying to use the expired certificate. I don't see this certificate in the appliance, either, under "certificates".

Thank you!



[edited by: Erick Jan at 6:10 AM (GMT -8) on 15 Nov 2022]
  • Hi,

    if you haven't configured the proxy in your firewall rules then you are using the DPI which scans all traffic. Try changing your certificate to the XG default.

    Ian

    XG115W - v20.0.3 MR-3 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Hi,

    I am using both DPI and web proxy. DPI for everything except for app enforcement domains... which are set to use the proxy.

    As suggested, I did change the cert being used for the SSL settings from "SecurityAppliance_SSL_CA (RSA)" to "Default (RSA)", and that seems to have given me a new cert for those domains with a 2024 expiration! But, since my browser doesn't trust the cert issuer, I'm getting an "SEC_ERROR_UNKNOWN_ISSUER". I toggled the certificates back to the original one "SecurityAppliance_SSL_CA (RSA)" and that seems to have jiggered whatever was stuck and now things are working again!

    And here too:

  • So, to be clear... toggling this from "SecurityAppliance_SSL_CA" to "Default" and back to "SecurityAppliance_SSL_CA" again seems to have solved the problem. Bing and Youtube are now loading with new, non-expired certificates.
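An added diagnostic (my own code, not from the thread or from Sophos) for telling the two situations above apart: it reads the leaf certificate a host actually presents through the firewall and reports whether it was re-signed by the inspection CA and whether it has already expired. It assumes the `cryptography` package for DER parsing and uses the issuer CN `SecurityAppliance_SSL_CA` from the thread; the sample values at the bottom are constructed.

```python
import socket
import ssl
from datetime import datetime, timezone

# Issuer CN the firewall stamps on re-signed certificates (name taken from the thread).
INSPECTION_ISSUER_CN = "SecurityAppliance_SSL_CA"

def classify_cert(subject_cn, issuer_cn, not_after, now=None,
                  inspection_cn=INSPECTION_ISSUER_CN):
    """Classify a presented leaf certificate (not_after/now are tz-aware datetimes).

    Distinguishes a firewall-issued (inspected) cert from the origin's own cert,
    and an expired cert from a valid one, so the browser error can be attributed
    to the right side."""
    now = now or datetime.now(timezone.utc)
    inspected = issuer_cn == inspection_cn
    expired = not_after < now
    if inspected and expired:
        verdict = "inspection cert expired: firewall must regenerate it"
    elif inspected:
        verdict = "inspection cert valid: browser must trust the inspection CA"
    elif expired:
        verdict = "origin cert expired: not an inspection problem"
    else:
        verdict = "origin cert valid: traffic to this host is not being inspected"
    return {"subject": subject_cn, "issuer": issuer_cn, "inspected": inspected,
            "expired": expired, "days_left": (not_after - now).days, "verdict": verdict}

def fetch_and_classify(host, port=443):
    """Connect WITHOUT verification so an expired or untrusted cert can still be
    read (diagnostic use only), then parse the DER with 'cryptography'."""
    from cryptography import x509  # assumed installed; imported lazily
    from cryptography.x509.oid import NameOID
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = x509.load_der_x509_certificate(tls.getpeercert(binary_form=True))
    def cn(name):
        attrs = name.get_attributes_for_oid(NameOID.COMMON_NAME)
        return attrs[0].value if attrs else None
    not_after = getattr(cert, "not_valid_after_utc", None) \
        or cert.not_valid_after.replace(tzinfo=timezone.utc)
    return classify_cert(cn(cert.subject), cn(cert.issuer), not_after)

# Constructed samples mirroring the thread: a YouTube leaf re-signed by the
# firewall CA that expired two weeks before the post, and an origin-issued one.
SAMPLE_NOW = datetime(2022, 11, 15, tzinfo=timezone.utc)
SAMPLE_EXPIRED = classify_cert("*.youtube.com", INSPECTION_ISSUER_CN,
                               datetime(2022, 11, 1, tzinfo=timezone.utc), now=SAMPLE_NOW)
SAMPLE_ORIGIN = classify_cert("*.youtube.com", "Example Origin CA",
                              datetime(2023, 1, 1, tzinfo=timezone.utc), now=SAMPLE_NOW)
```

Run `fetch_and_classify("www.youtube.com")` from a client behind the firewall; an `inspected` and `expired` result confirms the firewall's re-signed cert, not the origin's, is what the browser is rejecting.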