Hi,
I want to setup a linux web server in my DMZ and I configured SSL/TLS Inspection and Malware scanning in the XG firewall.
I imported the SecurityAppliance_SSL_CA of my XG firewall and installed it as .crt file at /usr/local/share/ca-certificate.
Finally I ran sudo update-ca-certificates.
When trying to download some files via wget, e.g lynis (a system hardening tool), this happens:
root@srv-prod-web01:~# wget https://downloads.cisofy.com/lynis/lynis-2.7.5.tar.gz--2020-01-03 13:25:18-- downloads.cisofy.com/.../lynis-2.7.5.tar.gzResolving downloads.cisofy.com (downloads.cisofy.com)... 37.97.194.171, 2a01:7c8:aac2:37b::1Connecting to downloads.cisofy.com (downloads.cisofy.com)|37.97.194.171|:443... connected.ERROR: cannot verify downloads.cisofy.com's certificate, issued by ‘emailAddress=support@sophos.com,CN=Sophos SSL CA_C01001DDKVHBW02,OU=NSG,O=Sophos,ST=Oxfordshire,C=GB’: Unable to locally verify the issuer's authority.To connect to downloads.cisofy.com insecurely, use `--no-check-certificate'.
Trying to download it via firefox the cerficate seems valid and trusted.
I don't want to use --no-check-certificate and just don't get the clue what's missing or why it isn't working...
Maybe some tech guru can help me out here...
The SSL/TLS Inspection seems to work fine and does not drop any packet.
Using Ubuntu 18.04.3 LTS and XG SFVH (SFOS 18.0.0 EAP2) here.