Advisory: Support Portal Maintenance. Login is currently unavailable, more info available here.
We've Sophos UTM 9 running on SG230, with Firmware Version: 9.600-5
Error Messages: 1 certificate(s) will expire within the next 30 days:
Site-to-Site vpn has 4 active tunnels
We've redeployed Webadmin/User portal certificate, but we find the message will be email to the engineering staff the next morning with the following message "1 certificate(s) will expire within the next 30 days: Proxy CA".
Would appreciate help with this re-occurring message.
The Proxy CA is the root certificate used to impersonate other websites. It is used for all https-inspection and for block/warn on https sites even when https inspection is off.
That certificate needs to be regenerated, because it expires (I think every 4 years).
To minimize downtime, a clever system manager used this process and posted it to this forum:
Dear Douglas Foster,
The info you've sent on the community blog was very helpful and I carried out some of the task you suggested but with a small difference.
The backups are done every evening so I didn't need to worry about doing another backup.
1. I logged onto the UTM and selected Web Protection -> Filtering options -> HTTPS CAs -> Download ->Export as PKCS#12
2. Once the certificate was down loaded I checked the certificate date. If the date showed the certificate was about to expire I carried out step 3.
3. I regenerated the CA, once regenerated I download the certificate and confirm the expire date was extended.
By running this process the problem as now been resolved.
Once again thanks for your input.
Yes. but then you need to push the new root certificate to all your devuces.
Instead of backup and restore the UTM config, I did the following which should reduce the down time of the UTM (web filtering):
When the existing cert. is still valid:
After some time and before the existing cert expires:
The down time (web filtering) should within 1-2 minute.
I made this same suggestion to a client last month. For some reason, he then had to reboot his appliance in order to get the new cert recognized after uploading it. If anyone has a similar problem, I would first try:
If you see this and try that, please report your result here.
Cheers - Bob
Checked on my testing vm certificate upload should auto restart the web proxy service.
Log message can be found in Web Filtering Log:
2019:01:29-09:23:37 utm02 httpproxy: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="main" file="httpproxy.c" line="404" message="shutdown finished, exiting"
2019:01:29-09:24:00 utm02 httpproxy: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="main" file="httpproxy.c" line="360" message="finished startup"
Right, James, but that's still my recommendation and I would like to know if it makes any difference to anyone or if a complete reboot was needed and was successful.
Yep, this worked for me. i read an article on techwhoop.com , you can refer to it !