Sophos XG : NET::ERR_CERT_COMMON_NAME_INVALID

HI all,

Hoping you can help.

Recently an external website we access has been updated and hosted elsewhere. Following the move we now get the following error but only when connecting via the VPN (Remote access). We can browse to the site without issue without using the VPN connection. Its a HTTPS site.

Error is : NET::ERR_CERT_COMMON_NAME_INVALID

Now in my limited knowledge and with some basic searching this seems to point to some sort of issue with the Cert for the site but would that then not be an issue in general not just for when we connect the VPN?

I have attempted to add the website as an exception just for testing but the issue remains.

Any suggestions on how to resolve this or things to check in the firewall would be gratefully received.

Thanks.

Edited TAGs
[edited by: emmosophos at 12:12 AM (GMT -7) on 10 Jul 2024]

Top Replies

PhilippRusch 20 days ago +1 suggested

Hello Neil, I guess you are using some a webproxy or HTTPS inspection when coming/going through the VPN. Then this involves the certificate form the proxyserver itself. You should deploy the CA of this…

0 Mayur Makvana 20 days ago

Hello,

Thank you for contacting Sophos Community!

You may follow below KBA and review:

community.sophos.com/.../sophos-firewall-resolving-not-secure-error-while-browsing-secure-sites

Mayur Makvana
Technical Account Manager | Sophos Technical Support
Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts |
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Reject Answer

Cancel
0 PhilippRusch 20 days ago

Hello Neil,

I guess you are using some a webproxy or HTTPS inspection when coming/going through the VPN. Then this involves the certificate form the proxyserver itself. You should deploy the CA of this cert to your vpn clients.

Best thing would be a screenshot of the errormessage with the cert detail infos.

Mit freundlichem Gruß, best regards from Germany,

Philipp Rusch

New Vision GmbH, Germany
Sophos Silver-Partner

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up +1 Vote Down

Sign in to reply

Verify Answer

Reject Answer

Cancel
0 Neil Wilkinson 13 days ago in reply to Mayur Makvana

Good morning,
I have tried the steps detailed in the linked article but disabling Microapp discovery has not resolved the issue unfortunately.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Neil Wilkinson 13 days ago in reply to PhilippRusch

Morning Phillip,

Thanks for coming back to me.

I believe I have attached the screenshots below that you requested but please let me know if you need something else.

The error I get now has changed to be bottom image, however this website can still be accessed fine external to our network.

Cert Details?

Web Site Error

Web Proxy setup? (Note ports 21 and 70 also listed just out of view).

Thanks again.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Mayur Makvana 11 days ago in reply to Neil Wilkinson

Hello,

I have tried opening the website at my end and receiving the same output. I suggest raising the support case to investigate.

Mayur Makvana
Technical Account Manager | Sophos Technical Support
Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts |
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Vivek Jagad 11 days ago

Hi Neil Wilkinson ,

Thank you for reaching out to the community, Remove the common name and place the host name in the alternative name csr, reissue the certificate, that should solve your problem. Refer - RFC 2818.

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Global Support & Services

Log a Support Case | Sophos Service Guide
Best Practices – Support Case

Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 md_yannick 11 days ago in reply to Vivek Jagad

Hi Vivek Jagad

After all the steps mentioned above I'm still experiencing this issue.

For me it's exactly as described in the KBA Article linked by Mayur Makvana . The fix sets the values to the ones that were already configured:

I'm trying to access https://google.com however I'm getting a "NET::ERR_CERT_COMMON_NAME_INVALID" error with the following cert. Notably, https://www.google.de or any other regional variants work fine.

Unfortunately I am not able to reissue this certificate as suggested for obvious reasons.

My Web proxy configuration is identical to Neil Wilkinson .

Any further suggestions would be appreciated.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 md_yannick 11 days ago in reply to md_yannick

Further investigation showed an outdated DHCP Relay config.
Disabling ipv6 and correcting old DNS server entries on the domain controller as well as a reboot resolved the issue thereafter.

Presumably a gateway/router reboot without booting the domain controller caused a conflict.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel