Hi there
Last week, my wildcard certificate expired. No biggie. Got a new one, imported it into the firewall, everything ok. When I selected the new certificate in my WAF rules, I was able to save this configuration and expected the firewall to use this certificate from now on. But no. No matter what I configure, I still get the old, now expired certificate.
SFOS 19.0.0 GA-Build317
Any hints?
Regards, Patrick
Hello Patrick Wolfensberger,
Thank you for reaching out to the community, ensure the old cert is replaced with the new cert properly:
Further you can follow the WAF troubleshooting guide: https://support.sophos.com/support/s/article/KB-000036242?language=en_US
Log file details: https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Logs/LogFileDetails/index.html
for WAF Check the #tail -f /log/reverseproxy.log
Thanks & Regards,
_______________________________________________________________
Vivek Jagad | Team Lead, Global Support & Services
Log a Support Case | Sophos Service Guide
Best Practices – Support Case
Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
did you notice anything in XG Live Log Viewer for WAF...?
Can you share the screenshot of the config?
Thanks & Regards,
_______________________________________________________________
Vivek Jagad | Team Lead, Global Support & Services
Log a Support Case | Sophos Service Guide
Best Practices – Support Case
Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
There is nothing unusual going on in the Live Log. It all works fine, just using the wrong certificate.
I was able to change the SMTP TLS certificate though as well as the web certificate used for the management webpage of the firewall. So the certificate can be used by the firewall, just not by the WAF. No matter which WAF rule I try to change, even ones using completely different certificates (Let's Encrypt), I'm not able to make the change in certificate appear on the browser-side of things.
Here an example of a WAF rule:
I get presented with the expired certificate, which is still in the Firewall certificate tab, but cannot be selected anymore in WAF rules.
even though I used the new one in the rule which is valid until 2023
And I cannot delete the expired certificate, because it claims to be still used somewhere...
There is nothing unusual going on in the Live Log. It all works fine, just using the wrong certificate.
I was able to change the SMTP TLS certificate though as well as the web certificate used for the management webpage of the firewall. So the certificate can be used by the firewall, just not by the WAF. No matter which WAF rule I try to change, even ones using completely different certificates (Let's Encrypt), I'm not able to make the change in certificate appear on the browser-side of things.
Here an example of a WAF rule:
I get presented with the expired certificate, which is still in the Firewall certificate tab, but cannot be selected anymore in WAF rules.
even though I used the new one in the rule which is valid until 2023
And I cannot delete the expired certificate, because it claims to be still used somewhere...
Patrick Wolfensberger
The CSC log in debug mode should give you some clue as where the certificate might be being used.
To put csc in debug mode run from the advanced Shell (5>3)
#csc custom debug
Then try deleting the certificate from the GUI.
Stop debugging
#csc custom debug
And then grep for the following "delete_certificate"
# less /log/csc.log | grep "delete_certificate"
Thanks & Regards,
_______________________________________________________________
Vivek Jagad | Team Lead, Global Support & Services
Log a Support Case | Sophos Service Guide
Best Practices – Support Case
Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
