

Unable to generate csr for SSL VPN

Hello,

Just updated a new Cyberoam ING25 straight out of the box to Sophos OS. It was a clean upgrade; nothing was configured yet before the upgrade.

I am unable to create a CSR request to get a public certificate. When filling in the requested forms and clicking on save, it spins for 2 seconds and then the "spinner" disappears.

It won't show the CSR request under certificates. Also, the option to generate a self-signed certificate is greyed out.

I also have a Cyberoam ING50 upgraded to Sophos OS. On this one I was successful in creating the CSR and getting a public certificate, and it works just fine. Tried Internet Explorer 11 & 10 and Firefox to see if this was the problem, but both web browsers respond the same.



  • Try generating CSR from command line. Use any Linux/OS X/Windows with OpenSSL suite installed to issue the following command:

    openssl req -newkey rsa:2048 -nodes -subj "/CN=hostname.domain.tld" -keyout hostname.key -out hostname.req

    Remove "-nodes" if you want your private key to be encrypted on disk.

    Request public certificate from public CA and then combine certificate with the key:

    openssl pkcs12 -export -in hostname.crt -inkey hostname.key -out hostname.p12 -name "Friendly Name"

    Then you can upload P12 file to XG Appliance.

    Regards,
    Slawek
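
Added example (not part of the reply above, and not Sophos code): the same OpenSSL steps as a script that also checks the CSR's self-signature and refuses to build the P12 unless the returned certificate matches the private key. The throwaway "Demo Test CA", the `P12_PASS` variable and the function names are assumptions made so it runs offline; in practice `hostname.crt` comes from the public CA.

```sh
#!/bin/sh
# Added example: hostname.domain.tld, the file names and the throwaway
# "Demo Test CA" are placeholders constructed for this sketch.

# Create the key and CSR as in the post, then check the CSR's self-signature.
make_csr() {  # $1 = common name, $2 = output basename
    ( umask 077   # key file must not be readable by other users
      openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
          -keyout "$2.key" -out "$2.req" 2>/dev/null ) || return 1
    openssl req -in "$2.req" -noout -verify 2>&1 | grep -q "verify OK"
}

# Constructed stand-in for the public CA so the example runs offline.
demo_sign() {  # $1 = basename of the .req to sign
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo Test CA" \
        -keyout demo-ca.key -out demo-ca.crt -days 1 2>/dev/null &&
    openssl x509 -req -in "$1.req" -CA demo-ca.crt -CAkey demo-ca.key \
        -CAcreateserial -days 1 -out "$1.crt" 2>/dev/null
}

# True only if the certificate carries the public key of this private key.
cert_matches_key() {  # $1 = certificate, $2 = private key
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Build the PKCS#12 bundle, refusing a mismatched pair. Password: $P12_PASS.
make_p12() {  # $1 = cert, $2 = key, $3 = output .p12, $4 = friendly name
    cert_matches_key "$1" "$2" || { echo "cert/key mismatch" >&2; return 1; }
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -name "$4" \
        -passout env:P12_PASS &&
    openssl pkcs12 -in "$3" -noout -passin env:P12_PASS 2>/dev/null
}

# Full run in a scratch directory (subshell, so the caller's cwd is untouched).
demo() (
    cd "$(mktemp -d)" || exit 1
    export P12_PASS="constructed-demo-password"   # constructed value
    make_csr hostname.domain.tld hostname && demo_sign hostname &&
    make_p12 hostname.crt hostname.key hostname.p12 "Friendly Name"
)
demo && echo "hostname.p12 built and verified"
```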

  • Thanks for the tip, was able to create a public cert using IIS. So for now it works, but the problem still remains. Hopefully someone at Sophos can give a fix.
  • If you purchased the box from a reseller and have a license you can access Sophos Support contact. That would get you support faster and if they do fix your problem, please let us know in here so we can all benefit :)
  • Can you confirm if you can generate the Default CA under Objects -> Identity -> Certificate Authority -> Default?

    Leon Friend

    Sophos Sales Engineer

    Sophos XG Firewall - Certified Architect, Sophos Certified Engineer, Cyberoam CCNSE, Cyberoam CCNSP

  • Hi Leon,

    No, I am not able to create the default CA. On the ING50, which we already have, I did generate a default CA before the upgrade; on the ING25 I did not.

    Is this related to this? community.sophos.com/.../73545
  • Yes, I suspect it is related to community.sophos.com/.../73545
    This is where it appears the Default CA is not migrated correctly from Cyberoam OS to SF-OS, which is causing some issues with SSLVPN setups; it seems like it is also impacting the ability to generate a CSR.
    I would recommend you open a support case to get the Default CA regenerated by support back end (I suspect it is related to BUG ID NC-5703). If the issue is still occurring after that, they can investigate further with you.

    Leon Friend

    Sophos Sales Engineer

    Sophos XG Firewall - Certified Architect, Sophos Certified Engineer, Cyberoam CCNSE, Cyberoam CCNSP

  • Hello,

    Opened a support case, will post back when it gets resolved.

    Where can I find a list with known bugs in Sophos XG?
  • Hi Arjan,

    This migration issue has been addressed in the current maintenance release MR1-1; this means the issue should not affect new migrations. However, if your appliance has already been migrated you will need to reach out to support to get it fixed by them.

    For new migrations, when you download the Sophos Firewall OS from your MySophos Portal Account it will provide access to the latest firmware.

    Details on the maintenance release can be found at https://community.sophos.com/products/xg-firewall/b/xg-blog/archive/2016/02/29/sfos-15-01-0-398-mr-1-1-released

    Edited for clarity.

    Thanks,

    Leon


  • Leon Friend said:

    Hi Arjan,

    If you did not get this resolved through support this has been addressed in the current maintenance release MR1-1, if your appliance is not seeing the update firmware as an option you can download it via your MySophos Portal Account.

    Details on the maintenance release can be found at https://community.sophos.com/products/xg-firewall/b/xg-blog/archive/2016/02/29/sfos-15-01-0-398-mr-1-1-released

    Thanks,

    Leon

    I've updated to this latest firmware and I'm still unable to edit the information for the default cert so that I can then create a self-signed certificate. When I update the information and click save, I get an error that it is unable to be generated. After that, it does allow me to create a self-signed cert, but when I reboot the firewall, the web proxy and a few other services will not start.

    I've factory reset several times, downgraded, and upgraded a few times without success. 

    I'm unable to use the device with this bug. 

  • Hi Ryan,

    Thanks for the update. Yes, this issue means you cannot configure the SSL VPN.

    I have edited my original update to clarify some detail; however, the fix included in MR1-1 impacts the migration process. If you have already migrated the appliance you will need to reach out to support for it to be fixed back end.

    My experience is that if you had this issue after migrating to the SF-OS platform, you could factory reset the appliance and program it as new under SF-OS and this should not be an issue. However, if you are still experiencing it, please reach out to support and they can work the problem with you.

    If you don't have the support contact details to hand, please check the following link: https://www.sophos.com/en-us/support/contact-support.aspx

    Thanks,


    Leon
