This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Could not validate certificate! CAA Will now close

Fotit over 1 year ago

Hi all

XG330 (SFOS 18.5.4 MR-4-Build418)

today i get this error on CAA

Could not validate certificate! CAA Will now close

certificate is already deployed on windows computers and expire at 2036, no problem before until today.

I have one MAC Computer, so it has also this error and i try to reinstall CAA certificate on this MAC computer ( after download it from user portal)

but the problem still exist !

"server is not thrustworty! program will now terminate"

I never had this before and i don't know what is the problem, and i have no idea to resolve it.

Any help please.

Thanks

This thread was automatically locked due to age.

Top Replies

Fotit over 1 year ago in reply to Bharat J +1 verified

Hello Bharat & Vivek After some thought, I contacted support, they didn't find a problem! So I decided to do a reboot, just to see what it will give. finally the CAA worked after the reboot. Why? I don…

Parents

0 Vivek Jagad over 1 year ago

Hello Fotit,

Thank you for reaching out to the community, XG is sending the CA certificate with the future date stored under “/conf/certificate/internalcas/ClientAuthentication_CA.der”

Did you recently upgrade the firmware ?
If that is the case, then

1) Need to rollback to previous version where CAA agent is working fine.

2) Make sure that time is correctly set on the appliance in that firmware version.

3) Upgrade the firmware.

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Global Support & Services

Log a Support Case | Sophos Service Guide
Best Practices – Support Case

Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 Fotit over 1 year ago in reply to Vivek Jagad

Hi Vivek

but it was working very for two months...!!

I did upgrade at the beginning of July.. (sfos 18.5.3 MR3 Build 408 -----> sfos 18.5.4 MR4 Build 418)

i have HA

You say on 1) rollback and on 3) Upgrade the firmware !?
Cancel
Vote Up 0 Vote Down

Cancel
0 Bharat J over 1 year ago in reply to Fotit

Hello Fotit,

HA is Active-Active or Active-Passive? HA means 0 downtime, it would be great if you raise the case with Sophos Support to help you upgrading the firmware version

Refer below link for the same :

https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/HighAvailablityStartupGuide/HAFirmwareUpgrade/index.html

Follow the below link for Sophos Firewall: Suggestions before updating the SFOS firmware version

https://support.sophos.com/support/s/article/KB-000039405?language=en_US

Regards

"Sophos Partner: Networkkings Pvt Ltd".

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
+1 Fotit over 1 year ago in reply to Bharat J

Hello Bharat & Vivek

After some thought, I contacted support, they didn't find a problem!
So I decided to do a reboot, just to see what it will give.
finally the CAA worked after the reboot.
Why? I don't know.

thanks for your help.
Cancel
Vote Up +1 Vote Down

Cancel
0 Vivek Jagad over 1 year ago in reply to Fotit

That's very weird, cheers it worked for you !!

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Global Support & Services

Log a Support Case | Sophos Service Guide
Best Practices – Support Case

Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 Fotit over 1 year ago in reply to Vivek Jagad
thank you very much for your help
Cancel
Vote Up 0 Vote Down

Cancel
0 Bharat J over 1 year ago in reply to Fotit

I would suggest to plan upgrade the firmware to the latest version and share the feedback

Go through the Sophos release notes below link to plan upgrade.

https://docs.sophos.com/releasenotes/index.html?productGroupID=nsg&productID=xg&versionID=19.0

The latest firmware is available to refer the following link: https://community.sophos.com/sophos-xg-firewall/b/blog/posts/sophos-firewall-v19-mr1-re_2d00_release-build-365-is-now-available

Thanks and Regards

"Sophos Partner: Networkkings Pvt Ltd".

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 Fotit over 1 year ago in reply to Bharat J

Bharat,

I think waiting until it appears in my console over the next few weeks.

I read the thread above , and there are some issues with ipsec site-to-site after upgrading

I have 15 branchs with vpn ipsec site-to-site, so I remain cautious for the moment and I will follow the evolution of things.
Cancel
Vote Up 0 Vote Down

Cancel
0 Vivek Jagad over 1 year ago in reply to Fotit

Hey Fotit,

Have you gone through the release notes:

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Global Support & Services

Log a Support Case | Sophos Service Guide
Best Practices – Support Case

Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up +1 Vote Down

Cancel
0 Bharat J over 1 year ago in reply to Fotit

Sure thing

"Sophos Partner: Networkkings Pvt Ltd".

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 Fotit over 1 year ago in reply to Vivek Jagad

Okay, Vivek Bharat , i have noted :)
Cancel
Vote Up 0 Vote Down

Cancel
0 Bharat J over 1 year ago in reply to Fotit

Fotit said:
So I decided to do a reboot

Whenever you are rebooting the Sophos XG firewall make sure you run fsck-on-nextboot from Sophos XG SSH CLI console with option 4

This checks the file system integrity of all the partitions. Turning ON this option forcefully checks the file system integrity on the next device reboot. By default, check is OFF but whenever device goes in failsafe due to following reasons, this check is automatically turned ON: • Unable to start Config/Report/Signature Database • Unable to Apply migration • Unable to find the deployment mode fsck-on-nextboot[ off | on | show ] Once the check is turned ON, on the boot, all the partitions will be checked. The check will be turned OFF again on the next boot.

Below are commands:

system fsck-on-nextboot show
system fsck-on-nextboot on

Thanks and Regards

"Sophos Partner: Networkkings Pvt Ltd".

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Bharat J over 1 year ago in reply to Fotit

Fotit said:
So I decided to do a reboot

Whenever you are rebooting the Sophos XG firewall make sure you run fsck-on-nextboot from Sophos XG SSH CLI console with option 4

This checks the file system integrity of all the partitions. Turning ON this option forcefully checks the file system integrity on the next device reboot. By default, check is OFF but whenever device goes in failsafe due to following reasons, this check is automatically turned ON: • Unable to start Config/Report/Signature Database • Unable to Apply migration • Unable to find the deployment mode fsck-on-nextboot[ off | on | show ] Once the check is turned ON, on the boot, all the partitions will be checked. The check will be turned OFF again on the next boot.

Below are commands:

system fsck-on-nextboot show
system fsck-on-nextboot on

Thanks and Regards

"Sophos Partner: Networkkings Pvt Ltd".

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data