Question regarding XG-CA Certificate error (Ubuntu Server)

Hi,

I want to set up a Linux web server in my DMZ, and I have configured SSL/TLS Inspection and malware scanning on the XG firewall.
I imported the SecurityAppliance_SSL_CA of my XG firewall and installed it as a .crt file in /usr/local/share/ca-certificate.
Finally, I ran sudo update-ca-certificates.

When trying to download some files via wget, e.g. Lynis (a system hardening tool), this happens:

root@srv-prod-web01:~# wget https://downloads.cisofy.com/lynis/lynis-2.7.5.tar.gz
--2020-01-03 13:25:18--  downloads.cisofy.com/.../lynis-2.7.5.tar.gz
Resolving downloads.cisofy.com (downloads.cisofy.com)... 37.97.194.171, 2a01:7c8:aac2:37b::1
Connecting to downloads.cisofy.com (downloads.cisofy.com)|37.97.194.171|:443... connected.
ERROR: cannot verify downloads.cisofy.com's certificate, issued by ‘emailAddress=support@sophos.com,CN=Sophos SSL CA_C01001DDKVHBW02,OU=NSG,O=Sophos,ST=Oxfordshire,C=GB’:
  Unable to locally verify the issuer's authority.
To connect to downloads.cisofy.com insecurely, use `--no-check-certificate'.

When I try to download it via Firefox, the certificate seems valid and trusted.
I don't want to use --no-check-certificate, and I just don't get what's missing or why it isn't working...
Maybe some tech guru can help me out here...

The SSL/TLS Inspection seems to work fine and does not drop any packets.

Using Ubuntu 18.04.3 LTS and XG SFVH (SFOS 18.0.0 EAP2) here.
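The wget line "Unable to locally verify the issuer's authority" means wget could not find the issuer it was handed (here the Sophos SSL CA that re-signs inspected traffic) in its trust store, so the useful check is whether the imported CA actually made it into that store. The following preflight is an added example, not code from the post or from Sophos. It assumes the Debian/Ubuntu ca-certificates layout: update-ca-certificates only picks up PEM files named *.crt under /usr/local/share/ca-certificates (exact directory name), and it then links each one as /etc/ssl/certs/<name>.pem and appends it to /etc/ssl/certs/ca-certificates.crt, which is the bundle wget and curl verify against. The function names and the temporary paths are hypothetical; the hostname and tarball URL are the ones from the post.

```shell
#!/bin/sh
# Added preflight for the Ubuntu trust-store steps in the post above (hypothetical helper,
# not from the post or from Sophos). Assumes the Debian/Ubuntu ca-certificates layout:
#   - update-ca-certificates reads PEM files named *.crt under /usr/local/share/ca-certificates
#   - it then links each one as /etc/ssl/certs/<name>.pem and appends it to
#     /etc/ssl/certs/ca-certificates.crt, the bundle wget and curl verify against
CA_DIR=/usr/local/share/ca-certificates
CERTS_DIR=/etc/ssl/certs

# check_ca_file FILE [CA_DIR]
# Prints "ok" when FILE is something update-ca-certificates will pick up, otherwise the
# first problem found: wrong-dir, wrong-ext, unreadable, not-pem. Returns 1 on any problem.
check_ca_file() {
    file=$1
    dir=${2:-$CA_DIR}
    case $file in
        "$dir"/*.crt) ;;                        # right tree, right extension
        *.crt) echo wrong-dir; return 1 ;;      # e.g. a mistyped directory name
        *) echo wrong-ext; return 1 ;;          # .pem/.cer files are silently ignored
    esac
    [ -r "$file" ] || { echo unreadable; return 1; }
    # A DER export from the firewall must be converted to PEM first:
    #   openssl x509 -inform DER -in ca.cer -out "$CA_DIR/ca.crt"
    grep -q 'BEGIN CERTIFICATE' "$file" || { echo not-pem; return 1; }
    echo ok
}

# check_installed FILE [CERTS_DIR]
# After update-ca-certificates has run, the CA must appear as CERTS_DIR/<basename>.pem.
# Prints "installed" or "missing".
check_installed() {
    name=$(basename "$1" .crt)
    if [ -e "${2:-$CERTS_DIR}/$name.pem" ]; then
        echo installed
    else
        echo missing; return 1
    fi
}

# verify_host HOST [CERTS_DIR]
# Needs network: asks OpenSSL to verify the chain the inspecting firewall presents
# against the same store wget uses. Prints the "Verify return code" line; anything
# other than "0 (ok)" means wget will fail the same way it did in the post.
verify_host() {
    printf '' | openssl s_client -connect "$1:443" -servername "$1" \
        -CApath "${2:-$CERTS_DIR}" 2>/dev/null | grep 'Verify return code'
}

# Typical use on the web server (uncomment to run):
# check_ca_file "$CA_DIR/SecurityAppliance_SSL_CA.crt"
# sudo update-ca-certificates
# check_installed "$CA_DIR/SecurityAppliance_SSL_CA.crt"
# verify_host downloads.cisofy.com
# Bypass the system store and trust only the firewall CA for one request:
# wget --spider --ca-certificate="$CA_DIR/SecurityAppliance_SSL_CA.crt" \
#     https://downloads.cisofy.com/lynis/lynis-2.7.5.tar.gz
```

If check_ca_file reports a problem, update-ca-certificates will run without complaint and still leave the CA out of the bundle, which produces exactly the wget error shown above; if the CA is in the bundle but verify_host still reports a non-zero code, the problem is on the firewall side rather than the trust store.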

  • Hi intrusus, thanks for testing this feature and for your feedback.

    I reproduced the issue you are seeing here and can confirm that adding a Manual TLS Exception for cisofy.com will resolve the issue you have.

    The site is probably using cert pinning and so will never allow the decryption using a self-signed CA cert.

    Best

    Stuart

  • Unknown said:
    "The site is probably using cert pinning and so will never allow the decryption using a self-signed CA cert."

    Hi Stuart,

    But won't it be the same on many other sites? After all, the solution to the problem cannot be to keep adding exceptions, can it?

    Intrusus
    Sophos Certified Engineer | Sophos Certified Technician

    private lab:
    XG firewall with SFOS 20.X running on Proxmox

    If a post solves your question use the 'Verify Answer' link
