Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

CAA Certificate "Copernicus UTM" expired silently - 1.2.3.4:9922. CAA Clients terminate

The CAA certificate on our XG 18.5 MR4 has expired without any warning. Nice!

So all our clients with CAA cannot authenticate against that firewall.

How would Sophos resolve that issue withour recreating the ApplicanceCertificate?

C:\OpenSSL-Win64\bin> openssl s_client -connect 1.2.3.4:9922
CONNECTED(00000154)
Can't use SSL_get_servername
depth=0 C = DE, ST = BW, L = Karlsruhe, O = Sophos, OU = NSG, CN = Copernicus UTM, emailAddress = no@email.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = DE, ST = BW, L = Karlsruhe, O = Sophos, OU = NSG, CN = Copernicus UTM, emailAddress = no@email.com
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 C = DE, ST = BW, L = Karlsruhe, O = Sophos, OU = NSG, CN = Copernicus UTM, emailAddress = no@email.com
verify error:num=10:certificate has expired
notAfter=Sep 18 05:42:24 2022 GMT
verify return:1
depth=0 C = DE, ST = BW, L = Karlsruhe, O = Sophos, OU = NSG, CN = Copernicus UTM, emailAddress = no@email.com
notAfter=Sep 18 05:42:24 2022 GMT
verify return:1
---
Certificate chain
 0 s:C = DE, ST = BW, L = Karlsruhe, O = Sophos, OU = NSG, CN = Copernicus UTM, emailAddress = no@email.com
   i:C = DE, ST = BW, L = Karlsruhe, O = Sophos, OU = NSG, CN = Sophos Client Authentication CA, emailAddress = no@email.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEzzCCA7egAwIBAgIBADANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCREUx
CzAJBgNVBAgMAkJXMRIwEAYDVQQHDAlLYXJsc3J1aGUxDzANBgNVBAoMBlNvcGhv
czEMMAoGA1UECwwDTlNHMSgwJgYDVQQDDB9Tb3Bob3MgQ2xpZW50IEF1dGhlbnRp
Y2F0aW9uIENBMRswGQYJKoZIhvcNAQkBFgxub0BlbWFpbC5jb20wHhcNMjAwODI5
MDU0MjI0WhcNMjIwOTE4MDU0MjI0WjCBgzELMAkGA1UEBhMCREUxCzAJBgNVBAgM
AkJXMRIwEAYDVQQHDAlLYXJsc3J1aGUxDzANBgNVBAoMBlNvcGhvczEMMAoGA1UE
CwwDTlNHMRcwFQYDVQQDDA5Db3Blcm5pY3VzIFVUTTEbMBkGCSqGSIb3DQEJARYM
bm9AZW1haWwuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6eSq
ugp4yQNBBMPyev/POVPYVUJ9LmFPVEFt+vlQ2TNBF6ZVLIPtbx0HwTjTC/Hv5gGn
+QWtGt6tez45jMG00Jbljs4j2S65zD1Af4UxzRlyd8fiZz6P2Fj3U4x+xRJED7Jp
pyRdzgX6RQ5WajOIwtmOiP6HR8NLlTO82mTL06rNrLOnuKb8oWRYrPFcRfah/e98
VYPccooU3o7v0eiZD/UCK2cREoRMzczxLtXLEWdzZBkcTuGWochXZ2ASm6xlkrWA
Gcv3aQwlpDw7HSWI6kHKTWSEvLhSMExWOjAhxBqepf2tgxd5KOhxasat9LKpG59p
L8aqmFxhpJX6JckJsQIDAQABo4IBOTCCATUwCQYDVR0TBAIwADAsBglghkgBhvhC
AQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFJP9
dCr5ErN+fUTHrn0mlj4P1hM4MIHJBgNVHSMEgcEwgb6AFIJx3GzaIQRZRJjE+Dt5
P3A7wzoLoYGapIGXMIGUMQswCQYDVQQGEwJERTELMAkGA1UECAwCQlcxEjAQBgNV
BAcMCUthcmxzcnVoZTEPMA0GA1UECgwGU29waG9zMQwwCgYDVQQLDANOU0cxKDAm
BgNVBAMMH1NvcGhvcyBDbGllbnQgQXV0aGVudGljYXRpb24gQ0ExGzAZBgkqhkiG
9w0BCQEWDG5vQGVtYWlsLmNvbYIJAIlfkI0Hk3OmMA8GA1UdEQQIMAaHBAECAwQw
DQYJKoZIhvcNAQELBQADggEBAChJMFKBCcDUkKKJCQsQ11K9yQ9uOa8OZUTe+0dF
22fALTNiDGcCqfoUTmEw5sKcq9D9Xt65JY4YifwTKVsRokJRXAOzl6X7SViCAHvJ
Mcp/GPpsHedSmjGmr2FvOjJDAxIUIcsckrDVRvQkGRa5Vv80jUFoJ+fWS2+zP4o7
ASIYCC+6pSP9YvQWOFaKf7bakKIh92G4RCDtA4G8uPGG5X/aWeRqibBuqIWW2xQr
EmUSLHkMoygxtkZxC1sSBHSL8hdpksHQgRr8LZdNdR8T/EYln7w4Ah+FjhJi7DN7
sffDMB5c+AtxGfCkULdJ7opq+UnjywdcFEkGhxTmfwA0n7c=
-----END CERTIFICATE-----
subject=C = DE, ST = BW, L = Karlsruhe, O = Sophos, OU = NSG, CN = Copernicus UTM, emailAddress = no@email.com

issuer=C = DE, ST = BW, L = Karlsruhe, O = Sophos, OU = NSG, CN = Sophos Client Authentication CA, emailAddress = no@email.com

---
No client certificate CA names sent
Peer signing digest: SHA512
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1889 bytes and written 419 bytes
Verification error: certificate has expired
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: BBE7B50D73AC4CE827DE7F159B0F6A062BAAC6017497FA16D81AC048FBE1EABD
    Session-ID-ctx:
    Master-Key: BE91C30D405AE4494C3B150A087859A941597B46BFCFF74C1FE171205840D56CA58904909767340BC04F59551660380E
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - ae 11 78 4a 2a db 57 32-5e a7 12 1b a1 c9 40 35   ..xJ*.W2^.....@5
    0010 - 25 ff f7 c9 9c e8 ab a0-6b 51 7a 60 7f e9 82 ec   %.......kQz`....
    0020 - 76 30 ee 74 7d 54 b2 2d-fe 8d ac ac 07 f2 da 0f   v0.t}T.-........
    0030 - 2c 3c b0 58 a3 c8 ad 24-1c 49 5b ec d5 44 1a 98   ,<.X...$.I[..D..
    0040 - 73 ce 34 25 58 fb 0d 43-cf 1d 44 3b cd 00 16 56   s.4%X..C..D;...V
    0050 - 57 8f f8 a0 5b ee 2b f5-7a dc b6 9a 6a fd 10 3e   W...[.+.z...j..>
    0060 - c6 3f 51 c8 e3 af ad 29-32 40 b3 f0 fb e1 28 ef   .?Q....)2@....(.
    0070 - fa de 80 27 af a1 e2 81-6d e8 69 4e c1 13 48 93   ...'....m.iN..H.
    0080 - e0 f5 54 fd 67 cb ea ce-1c 32 f3 b7 77 88 b9 fd   ..T.g....2..w...
    0090 - 5e a6 32 0e 01 19 d7 f8-30 33 fa 06 86 3e ea ee   ^.2.....03...>..

    Start Time: 1663571691
    Timeout   : 7200 (sec)
    Verify return code: 10 (certificate has expired)
    Extended master secret: no
---

XG430_WP02_SFOS 18.5.4 MR-4-Build418# ls -lah /conf/certificate/internalcas/*
-rwxr-xr-x    1 root     0           1.2K Aug 29  2020 /conf/certificate/internalcas/ClientAuthentication_CA.der
-rw-------    1 root     0           1.7K Aug 24  2018 /conf/certificate/internalcas/ClientAuthentication_CA.key
-rwxr-xr-x    1 root     0           1.6K Aug 24  2018 /conf/certificate/internalcas/ClientAuthentication_CA.pem
-rwxr-xr-x    1 root     0          11.4K Jan  8  2022 /conf/certificate/internalcas/cloud-ca.crt

Edit: just found out, the CAA cert on XG has been renewed but probably the Auth Server still uses the old one and just need to be restarted.

thats the new one:

XG430_WP02_SFOS 18.5.4 MR-4-Build418# ls -lah /conf/certificate/internalcerts/*Auth*
-rw-------    1 root     0           1.6K Aug 19 00:00 /conf/certificate/internalcerts/ClientAuthentication_cert.key
-rwxr-xr-x    1 root     0           1.7K Aug 19 00:00 /conf/certificate/internalcerts/ClientAuthentication_cert.pem



This thread was automatically locked due to age.
  • so someone at dev team forgot to implement a restart of the access_server after certificate recreation.

    My workaround was to restart the access_server manually (causes all clients (also Intercept-X authenticated) to re-authenticate!)

    XG430_WP02_SFOS 18.5.4 MR-4-Build418# netstat -anop | grep "9922"
    tcp        0      0 0.0.0.0:9922            0.0.0.0:*               LISTEN      14242/access_server  off (0.00/0/0)

    XG430_WP02_SFOS 18.5.4 MR-4-Build418# service access_server:restart -ds nosync
    200 OK

    C:\OpenSSL-Win64\bin> openssl s_client -connect 1.2.3.4:9922
    CONNECTED(0000013C)
    Can't use SSL_get_servername
    depth=0 C = DE, ST = BW, L = Karlsruhe, O = Sophos, OU = NSG, CN = Copernicus UTM, emailAddress = no@email.com
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 C = DE, ST = BW, L = Karlsruhe, O = Sophos, OU = NSG, CN = Copernicus UTM, emailAddress = no@email.com
    verify error:num=21:unable to verify the first certificate
    verify return:1
    depth=0 C = DE, ST = BW, L = Karlsruhe, O = Sophos, OU = NSG, CN = Copernicus UTM, emailAddress = no@email.com
    verify return:1
    ---
    Certificate chain
     0 s:C = DE, ST = BW, L = Karlsruhe, O = Sophos, OU = NSG, CN = Copernicus UTM, emailAddress = no@email.com
       i:C = DE, ST = BW, L = Karlsruhe, O = Sophos, OU = NSG, CN = Sophos Client Authentication CA, emailAddress = no@email.com
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIEzzCCA7egAwIBAgIBADANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCREUx
    CzAJBgNVBAgMAkJXMRIwEAYDVQQHDAlLYXJsc3J1aGUxDzANBgNVBAoMBlNvcGhv
    czEMMAoGA1UECwwDTlNHMSgwJgYDVQQDDB9Tb3Bob3MgQ2xpZW50IEF1dGhlbnRp
    Y2F0aW9uIENBMRswGQYJKoZIhvcNAQkBFgxub0BlbWFpbC5jb20wHhcNMjIwODE4
    MjIwMDA1WhcNMjQwOTA2MjIwMDA1WjCBgzELMAkGA1UEBhMCREUxCzAJBgNVBAgM
    AkJXMRIwEAYDVQQHDAlLYXJsc3J1aGUxDzANBgNVBAoMBlNvcGhvczEMMAoGA1UE
    CwwDTlNHMRcwFQYDVQQDDA5Db3Blcm5pY3VzIFVUTTEbMBkGCSqGSIb3DQEJARYM
    bm9AZW1haWwuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwg+3
    mjRLHgHK9/tzgTRFHhbmO6bW6lfgeOjH2+TY/mpoa/G9/Ro4p8bvMVqvGGEE2gn+
    SizSVLmMHQ0z4YhW3AUv9OIDTxDNJbxp+3r/pJA5udpTB/FaAwvI2egZupjNTxre
    X0T5oOMVtBZv8IhYRheVxBoc321QjbuK4K7eiVosN7R4/UuqGF1NkDH9eoRtKTm7
    IqbuZXHfAF2VZEIdztZe5BcbXvgmQIEgfN5plijIQDpic1XTtxSsF8Vnstn0PiCD
    EVsKEfe0dq2Oa1ZHXIb6DMUBs3IRdYsVT2DUmdUsJgeLPOn4I2JtV6pz15O+BgqX
    PylVRZBv0ZQGaWGrEQIDAQABo4IBOTCCATUwCQYDVR0TBAIwADAsBglghkgBhvhC
    AQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFPdi
    mDCTM6M4HXe5/oGmBoUPcteiMIHJBgNVHSMEgcEwgb6AFIJx3GzaIQRZRJjE+Dt5
    P3A7wzoLoYGapIGXMIGUMQswCQYDVQQGEwJERTELMAkGA1UECAwCQlcxEjAQBgNV
    BAcMCUthcmxzcnVoZTEPMA0GA1UECgwGU29waG9zMQwwCgYDVQQLDANOU0cxKDAm
    BgNVBAMMH1NvcGhvcyBDbGllbnQgQXV0aGVudGljYXRpb24gQ0ExGzAZBgkqhkiG
    9w0BCQEWDG5vQGVtYWlsLmNvbYIJAIlfkI0Hk3OmMA8GA1UdEQQIMAaHBAECAwQw
    DQYJKoZIhvcNAQELBQADggEBAFfir/SVwktydhHoR0/X5nILGhQ2psSqsVeOdMhw
    0qM9tNxXgGj43JiL4E0cagSsY9NLYjlzCgTXUzssx7MYGtvB0Kpoul5kq+vQ17xD
    a/xkJ5lllx8RjeJ9qjU7ox1wfPNkuK+1Sk9rciiy4JvvoZPq1GlbdvsStr3gsRoP
    M+Np/1qKEVhOPjklgwaY0ouBTIBQG/UHS2UkwlDe4HB6VYYoEhTYlDwJIxRdZVbp
    ROTF0K+UCixHWffKgFs0aZwNywpwj3X7TcxFzBqZuz2oYl68iAaBehvEclFUj17x
    vKdcIgt7ZE6QvbU2jQd54w1HX0ckKbGYSTxPand124+QFE4=
    -----END CERTIFICATE-----
    subject=C = DE, ST = BW, L = Karlsruhe, O = Sophos, OU = NSG, CN = Copernicus UTM, emailAddress = no@email.com

    issuer=C = DE, ST = BW, L = Karlsruhe, O = Sophos, OU = NSG, CN = Sophos Client Authentication CA, emailAddress = no@email.com

    ---
    No client certificate CA names sent
    Peer signing digest: SHA512
    Peer signature type: RSA
    Server Temp Key: ECDH, P-256, 256 bits
    ---
    SSL handshake has read 1889 bytes and written 419 bytes
    Verification error: unable to verify the first certificate
    ---
    New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES256-GCM-SHA384
        Session-ID: BDB156B9DE6946B132005A8658D70E5CB3A522264C08E1E6EB9489A45D9FDAAA
        Session-ID-ctx:
        Master-Key: 5D8B7F4A60919C457B3FADA049E2D565BE28CB1211F55B6C56AB5F6DEB5B3743BA7422ECF2EED735A0C464838612A85D
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        TLS session ticket lifetime hint: 300 (seconds)
        TLS session ticket:
        0000 - 4e 16 d5 fa 32 df ad fd-d4 d4 97 55 71 6d ae 4d   N...2......Uqm.M
        0010 - f4 8a 6c f3 26 09 12 0a-4d 45 82 b4 24 3a 86 bf   ..l.&...ME..$:..
        0020 - 19 e9 02 ef 60 e4 d3 23-06 29 aa 3e 3d bd ac 08   ....`..#.).>=...
        0030 - bc fc 5c eb 0d f4 97 a3-c2 7c 18 92 7f 08 65 7b   ..\......|....e{
        0040 - 4e 32 6f 52 7f cf 8a 96-30 ce 44 41 fd 67 f4 23   N2oR....0.DA.g.#
        0050 - 63 e4 d3 d8 89 5a 6a ab-90 ab 21 96 30 56 ff 15   c....Zj...!.0V..
        0060 - 84 6c d4 6c 98 99 92 9f-8f 76 d8 9e df b9 93 67   .l.l.....v.....g
        0070 - e2 41 78 0f 0c d4 41 79-31 ba 8b 8e 7d dc 4a cd   .Ax...Ay1...}.J.
        0080 - 91 64 8a d2 b7 e1 5d 60-9f ad 5e 40 50 bc 8d 0a   .d....]`..^@P...
        0090 - 93 49 1e 2e 08 20 d2 e8-77 a3 4f 0e cf 2e 4d 9e   .I... ..w.O...M.

        Start Time: 1663574670
        Timeout   : 7200 (sec)
        Verify return code: 21 (unable to verify the first certificate)
        Extended master secret: no
    ---