Question regarding XG-CA Certificate error (Ubuntu Server)

Hi,

I want to setup a linux web server in my DMZ and I configured SSL/TLS Inspection and Malware scanning in the XG firewall.
I imported the SecurityAppliance_SSL_CA of my XG firewall and installed it as .crt file at /usr/local/share/ca-certificate.
Finally I ran sudo update-ca-certificates.

When trying to download some files via wget, e.g. lynis (a system hardening tool), this happens:

root@srv-prod-web01:~# wget https://downloads.cisofy.com/lynis/lynis-2.7.5.tar.gz
--2020-01-03 13:25:18--  downloads.cisofy.com/.../lynis-2.7.5.tar.gz
Resolving downloads.cisofy.com (downloads.cisofy.com)... 37.97.194.171, 2a01:7c8:aac2:37b::1
Connecting to downloads.cisofy.com (downloads.cisofy.com)|37.97.194.171|:443... connected.
ERROR: cannot verify downloads.cisofy.com's certificate, issued by ‘emailAddress=support@sophos.com,CN=Sophos SSL CA_C01001DDKVHBW02,OU=NSG,O=Sophos,ST=Oxfordshire,C=GB’:
  Unable to locally verify the issuer's authority.
To connect to downloads.cisofy.com insecurely, use `--no-check-certificate'.

Trying to download it via Firefox the certificate seems valid and trusted.
I don't want to use --no-check-certificate and just don't get the clue what's missing or why it isn't working...
Maybe some tech guru can help me out here...

The SSL/TLS Inspection seems to work fine and does not drop any packet.

Using Ubuntu 18.04.3 LTS and XG SFVH (SFOS 18.0.0 EAP2) here.
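The checks below are an added example, not part of the original post or anything from Sophos. They reproduce the situation offline: a throwaway CA (named "Example Inspection CA", an assumption) stands in for the firewall's re-signing CA, a leaf certificate is signed by it the way the firewall re-signs downloads.cisofy.com, and two bundles are built, one that contains the CA as update-ca-certificates would have added it from a PEM .crt file and one that does not. Against each bundle the script runs the three things worth confirming before reaching for --no-check-certificate: that the file you dropped into the CA directory is PEM (update-ca-certificates ignores DER and anything not ending in .crt), that the issuer CN printed in the wget error appears as a subject in the bundle, and that the re-signed leaf actually chains to that bundle. All certificates and names are constructed here; nothing touches the system trust store.

```shell
#!/bin/sh
# Added diagnostic example (not from the original post). Builds a throwaway
# inspection CA, a leaf it re-signed, and two trust bundles, then runs the
# checks behind wget's "Unable to locally verify the issuer's authority".
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed PKI: "Example Inspection CA" plays the firewall's re-signing CA,
# "downloads.example.test" plays the re-signed server certificate.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/C=GB/O=Example/CN=Example Inspection CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
    # Same CA exported as DER, the form update-ca-certificates will not load.
    openssl x509 -in "$WORK/ca.crt" -outform DER -out "$WORK/ca.der"
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=downloads.example.test" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/leaf.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/leaf.crt" >/dev/null 2>&1
}

# Check 1: update-ca-certificates only concatenates PEM files whose name ends
# in .crt, so an exported CA must contain a BEGIN CERTIFICATE block.
is_pem_cert() {        # $1 = certificate file
    grep -q 'BEGIN CERTIFICATE' "$1"
}

# Check 2: does the issuer CN from the wget error appear as a *subject* in the
# bundle?  On the server the bundle is /etc/ssl/certs/ca-certificates.crt.
# crl2pkcs7 | pkcs7 -print_certs lists the subject of every cert in a bundle.
issuer_in_bundle() {   # $1 = bundle, $2 = issuer CN printed by wget
    openssl crl2pkcs7 -nocrl -certfile "$1" 2>/dev/null \
        | openssl pkcs7 -print_certs -noout 2>/dev/null \
        | grep -Eq "^subject=.*CN ?= ?$2"
}

# Check 3: does the re-signed leaf chain to the bundle?  This is the
# verification wget (via GnuTLS on Ubuntu) performs before downloading.
chain_verifies() {     # $1 = bundle, $2 = leaf certificate
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Two bundles: a second throwaway root stands in for the distro CAs that a
# real bundle always contains; only one bundle also carries the inspection CA.
build_bundles() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Some Public Root" \
        -keyout "$WORK/other.key" -out "$WORK/other.crt" >/dev/null 2>&1
    cat "$WORK/other.crt" > "$WORK/bundle-without-ca.crt"
    cat "$WORK/other.crt" "$WORK/ca.crt" > "$WORK/bundle-with-ca.crt"
}

make_test_pki
build_bundles

for name in bundle-without-ca bundle-with-ca; do
    b="$WORK/$name.crt"
    if issuer_in_bundle "$b" "Example Inspection CA"; then present=yes; else present=no; fi
    if chain_verifies "$b" "$WORK/leaf.crt"; then verifies=yes; else verifies=no; fi
    echo "$name: issuer present=$present, leaf chain verifies=$verifies"
done
```

On the real server the same three checks apply with real inputs: run `is_pem_cert` against the file placed in the CA directory, search /etc/ssl/certs/ca-certificates.crt for the CN that wget prints after "issued by", and fetch the re-signed leaf with `openssl s_client -connect downloads.cisofy.com:443 -servername downloads.cisofy.com </dev/null 2>/dev/null | openssl x509 -out leaf.crt` before passing it to `chain_verifies` together with that bundle. If the issuer CN is absent from the bundle even though update-ca-certificates reported adding a certificate, the CA you installed is not the one that re-signed the connection; if it is present and the chain still fails, the leaf itself is the problem.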

  • So in general, do you recommend securing DMZ servers with SSL/TLS Inspection or not?
    I just want to know how it should be common practice in the industry, because as a student I want to bring this knowledge into my work. :)

    Cheers,
    Leon

    Intrusus
    Sophos Certified Engineer | Sophos Certified Technician

    private lab:
    XG firewall with SFOS 20.X running on Proxmox
