
HTTPS decryption: Some users cannot browse site: Certificate expired yesterday

We're having a strange situation again after it happened last week already on our SFOS 19.0.1 XG430:

Some users browse to a website that has no exceptions on our firewall for decryption.

The browser (Firefox or Chrome) shows an error that the site is not secure. If you check the details, you can see the website has been re-encrypted by the firewall root CA - so far so normal - but the certificate shown expired yesterday. That is why the page is blocked. From our current debugging, this situation only affects some users that are behind an SD-RED60.

I can see the users that hit the issue with some website do not appear in the TLS logs; instead, their requests only appear in the Webfilter logs.

Those users that can access the websites show in both: Webfilter and TLS logs.

Here is one example for the website handelsregister.de:

Here it works:

Decrypted by Sophos EP on last instance. Cert valid until May 10th.

Let's check the real certificate chain:

And this is it on the endpoints behind SD-RED60:



  • Hi,

    one time the issuer-CA is from firewall ... next time from endpoint-protection.

    I would check the issuing CA at the Sophos firewall. ... Possibly expired?


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.
