This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos XG : NET::ERR_CERT_COMMON_NAME_INVALID

HI all,

Hoping you can help.

Recently an external website we access has been updated and hosted elsewhere. Following the move we now get the following error but only when connecting via the VPN (Remote access). We can browse to the site without issue without using the VPN connection. Its a HTTPS site.

Error is : NET::ERR_CERT_COMMON_NAME_INVALID

Now in my limited knowledge and with some basic searching this seems to point to some sort of issue with the Cert for the site but would that then not be an issue in general not just for when we connect the VPN?

I have attempted to add the website as an exception just for testing but the issue remains.

Any suggestions on how to resolve this or things to check in the firewall would be gratefully received.

Thanks.

This thread was automatically locked due to age.

Top Replies

PhilippRusch 4 months ago +1 suggested

Hello Neil, I guess you are using some a webproxy or HTTPS inspection when coming/going through the VPN. Then this involves the certificate form the proxyserver itself. You should deploy the CA of this…

Parents

0 Vivek Jagad 4 months ago

Hi Neil Wilkinson ,

Thank you for reaching out to the community, Remove the common name and place the host name in the alternative name csr, reissue the certificate, that should solve your problem. Refer - RFC 2818.

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Technical Support, Global Customer Experience

Log a Support Case | Sophos Service Guide
Best Practices – Support Case | Security Advisories
Compare Sophos next-gen Firewall | Fortune Favors the prepared
Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 md_yannick 4 months ago in reply to Vivek Jagad

Hi Vivek Jagad

After all the steps mentioned above I'm still experiencing this issue.

For me it's exactly as described in the KBA Article linked by Mayur Makvana . The fix sets the values to the ones that were already configured:

I'm trying to access https://google.com however I'm getting a "NET::ERR_CERT_COMMON_NAME_INVALID" error with the following cert. Notably, https://www.google.de or any other regional variants work fine.

Unfortunately I am not able to reissue this certificate as suggested for obvious reasons.

My Web proxy configuration is identical to Neil Wilkinson .

Any further suggestions would be appreciated.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 md_yannick 4 months ago in reply to Vivek Jagad

Hi Vivek Jagad

After all the steps mentioned above I'm still experiencing this issue.

For me it's exactly as described in the KBA Article linked by Mayur Makvana . The fix sets the values to the ones that were already configured:

I'm trying to access https://google.com however I'm getting a "NET::ERR_CERT_COMMON_NAME_INVALID" error with the following cert. Notably, https://www.google.de or any other regional variants work fine.

Unfortunately I am not able to reissue this certificate as suggested for obvious reasons.

My Web proxy configuration is identical to Neil Wilkinson .

Any further suggestions would be appreciated.
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 md_yannick 4 months ago in reply to md_yannick

Further investigation showed an outdated DHCP Relay config.
Disabling ipv6 and correcting old DNS server entries on the domain controller as well as a reboot resolved the issue thereafter.

Presumably a gateway/router reboot without booting the domain controller caused a conflict.
Cancel
Vote Up 0 Vote Down

Cancel