Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Suggested Answer
  • +2 person also asked this people also asked this
  • Replies 13 replies
  • Answers 2 answers
  • Subscribers 44 subscribers
  • Views 6587 views
  • Users 0 members are here
Options
Suggested

8 years plus running no solution to Certificate could not be updated as it is already used by HTTP Based Policy

Akshay Hegde

When I go to edit the certificate and upload the certificate which is due for renewal ( every 13 months ), it fails with the following error at the top center of the screen:

Certificate could not be updated as it is already used by HTTP Based Policy

Firmware: (SFOS 20.0.1 MR-1-Build342) 

I have 40+ WAF rules managing multiple domains.

1. Go to certificates

2. Add new certificates with different name as it doesn't allow updating same certificate 

3. Then go to WAF rules one by one ( 1....40+ ), change new certificates update FQDN isn't this annoying ?????

4.   Its been 5 Years I have been using Sophos XG literally fed up with repeated task

Its even costing me with downtime.

Its been issue over 8+ years still Sophos not addressed see below:

 Certificate renewal fails if used in web server protection rule 

 Certificate could not be updated as it is already used by HTTP Based Policy 

I raised support ticket as of 2024-07-26 Sophos doesn't feasible solution. ( Case Number: 07455429 )

I see below paths hold certificate & private key,  its a job of replacement of file & restart of WAF  still Sophos developers didn't consider to implement over UI over 8+ years!!! can't they simplify ???

/conf/certificate/

/conf/certificate/private/



Edited TAGs
[edited by: Erick Jan at 7:33 AM (GMT -7) on 26 Jul 2024]
Parents
  • 0

    Hi Akshay,

    Thank you for reaching out to Sophos Community.

    We regret to hear about your experienced and thank you for sharing your case ID.

    Upon checking, your case handler has indicated some actions that can be done. You may see the following:

    Erick Jan
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • 0 in reply to Erick Jan

    API is probably for just adding "Add certificates using Postman API"

    For future readers who have hope on API for updating certificate 

    1. If you're updating certificate which is not used in WAF it will update

    2. if you're updating certificate which is already used in WAF even with API you can't update this!

     

    Its very sad to say even sophos technical team they say with API you can update without even internally testing whether on the case of WAF it works or not!

       I am sorry to say your solution is not helpful when certificate already in use.

    <?xml version="1.0" encoding="UTF-8"?>
<Response APIVersion="2000.2" IPS_CAT_VER="1" IS_WIFI6="0">
    <Login>
        <status>Authentication Successful</status>
    </Login>
    <Certificate transactionid="10">
        <Status code="542">Operation failed. For details, go to https://docs.sophos.com, select XG Firewall, and select API help. Go to the module and scroll down to "Status message information".</Status>
    </Certificate>
</Response>

  • 0 in reply to Akshay Hegde

    Hi Akshay,

    Thank you for the update. I will coordinate this with your case handler for further checking. 

    Erick Jan
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • 0 in reply to Erick Jan

    Thank you I am sure sophos will not resolve this issue in next few years. I never had any successful case closure in past 5 years. 

  • 0 in reply to Akshay Hegde

    As usual mail I received which didn't solve my problem! my certificate is gonna expire on 3rd Aug 2024! I have to edit 40+ WAF  Rules isn't this amazing web interface we have ?

    Email from standard template

    Hello Akshay,
     
    This is regarding your service request number  07455429, which you have opened with us.

    Your case requires additional assistance from our global escalation specialists (GES). GES engineers are the highest technical tier within support and are responsible for interacting with our development teams. A GES engineer will review your case and provide the necessary expertise needed for resolution.

    Based on the case priority and complexity, he/she will contact you with their initial analysis within a maximum of 2 business days.

    If GES identifies a product defect or needs further assistance, the Development Team will be engaged. For tracking and consistency in response, these engagements are all recorded and you will be provided the tracking number.

    During regular meetings between GES and our Development Teams, all related open cases are discussed and an investigation timeline is agreed upon based on the priority of the defect. We consider both the technical severity of the problem and incident frequency in determining the priority of a defect. Please keep in mind that these meetings are held weekly for non-critical issues and therefore you may not receive an update for several days. Upon completion of the investigation, the Development Team will determine when the issue will be resolved.  GES will communicate the plan to you. Once the fix has been released, you will be notified. 

Reply
  • 0 in reply to Akshay Hegde

    As usual mail I received which didn't solve my problem! my certificate is gonna expire on 3rd Aug 2024! I have to edit 40+ WAF  Rules isn't this amazing web interface we have ?

    Email from standard template

    Hello Akshay,
     
    This is regarding your service request number  07455429, which you have opened with us.

    Your case requires additional assistance from our global escalation specialists (GES). GES engineers are the highest technical tier within support and are responsible for interacting with our development teams. A GES engineer will review your case and provide the necessary expertise needed for resolution.

    Based on the case priority and complexity, he/she will contact you with their initial analysis within a maximum of 2 business days.

    If GES identifies a product defect or needs further assistance, the Development Team will be engaged. For tracking and consistency in response, these engagements are all recorded and you will be provided the tracking number.

    During regular meetings between GES and our Development Teams, all related open cases are discussed and an investigation timeline is agreed upon based on the priority of the defect. We consider both the technical severity of the problem and incident frequency in determining the priority of a defect. Please keep in mind that these meetings are held weekly for non-critical issues and therefore you may not receive an update for several days. Upon completion of the investigation, the Development Team will determine when the issue will be resolved.  GES will communicate the plan to you. Once the fix has been released, you will be notified. 

Children
Unfiltered HTML