This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Invalid Certificate Error

 Hello,

Recently we have been running in to issues where users are unable to access websites that were previously available to them. The error they are receiving is NET:ERR_CERT_AUTHROITY_INVALID. This started shortly after we upgrade from Chrome 58 to 63. We originally thought the jump in version was to blame, but after rolling back we are still having the same issue. The issue is also present in Internet Explorer. It seems to be flagging random websites such as Facebook, CNN, and other HTTPS enabled sites but it is totally random. Users are reporting the certificate issue in the morning but if they wait for a while it may or not load the page a few minutes later. The sites are not consistent either. Some users have never had the issue and others have it every day. The certificate it is pointing to is the Signing CA under Filtering Options > HTTPS CAs. We are not using decrypt and scan, however the browsers are using our Signing CA as the certificate for valid websites. When the pages finally load they show the proper certificate. We do use a proxy on all of our computers that go through the UTM.

At the request of Sophos tech support we downloaded the certificate from our UTM and pushed it to all users via GPO but that did not make a difference. It is my understanding that we should only need to do that if we are using decrypt and scan. He also has me restart the appliances in an attempt to get them to resynch. I enabled and disabled Decrypt and Scan hoping it might trigger something in the system to stop scanning. This has been going on for over a week and the support tech we are using has not been able to resolve the issue so I was hoping somebody here may have seen and corrected this issue before. 

 

Thanks in advance,

Dustin



This thread was automatically locked due to age.
Parents
  • We've been having this problem for about a week now but when it started was very few people and random.  This week it's been everyone in the company and unless I turn off the 'Do not proxy HTTPs traffic in transparent mode', secure sites are failing in every case.  We've installed our cert on the UTM and had it assigned to be used for the signing CA for years, but now all of a sudden problems galore - and nothing has changed on the UTM outside of adding some site-site vpn setups.

  • Hey hgriffith.

    "This week it's been everyone in the company and unless I turn off the 'Do not proxy HTTPs traffic in transparent mode', secure sites are failing in every case"

    By "turn off" I take it that when you untick the box "Do not proxy HTTPs traffic in transparent mode", meaning you are proxying HTTPS, you don't have the issue. So, to be clear, when you DO proxy HTTPS through the proxy you DO NOT see the certificate error? 

    Regards,

    Giovani

  • Apologies.  If I tick the box to bypass proxy, it works.  In other words if I don't proxy https it works.

  • Could you show us some screenshots of the error in Chrome, the information about the certificate at the client side and your HTTPS CA configuration from Web Protection?

    Regards,

    Giovani

  • Yes, I'll upload those later today after most users leave for the day.  Don't want to interrupt their use while it's working.

  • You need to get certainty about what certificates Chrome is seeing.   Click through the warning to let the web page load, then use

    (menu)... More Tools... Developer Tools... >> (if Security tab is not visible)... Security (tab)... [View Certificates] (button)

    Probably the most important is the Certificate Path.  Click on each certificate to see if it says "Certificate is OK".   Click on the root certificate and choose the [View Certificate] button to see the properties window for the root.  Compare all of the details to the root certificate that you are expecting.     Also check the signature algorithm, expiration, and SAN names for each certificate.   

    Have you ever replaced your CA root?   I can imagine two possibilities if you did:   (a) UTM is sometimes sending the old root instead of the new one, and the solution would be for Support to scrub the old one out of the system.   (b) The client does not have the current root installed properly.

    Desparate times call for desparate measures.  Another option:

    If you have been running UTM for a long time and performing only incremental upgrades, you might consider rebuilding the system from the newest CD distribution, then restoring your configuration from a backup.   It ensures a clean configuration.   I was unhappily forced to do so when upgrading from 9.408 to 9.506, but was happy with the end result.   The process only took about an hour, much less than waiting for the individual patches to be applied.   I bypassed all of the bad versions, so I finished with a cleaner build with less space used than if the incremental process had worked correctly.

  • Update on this, but first some detail.  We have 27 SG's in production and all are for the most part configured identical.  So this was driving me crazy that only one unit was having this problem, but happen to be the one at HQ with 500 users.  Anyway, we have all of them set for Web Filtering with some policies, but on the HTTPS tab we're only doing 'URL filtering only'.  No decrypt and scan.  As far as I know since UTM 9.2, the UTM CA doesn't need to be installed on our machines for blocking of HTTPS sites.  I understand it won't catch the content and just block URLs but anyway...  I checked, double checked and tripled check all settings against a sister appliance to make sure I didn't accidentally change something - couldn't find any reason as to why it wasn't working.  The only difference was that the others had only been up for 7-30 days and this one had an uptime of 67 days.  Really shouldn't be a problem but I figured wth, let's reboot it.  ~Viola - starts working.  Go figure, the simplest option solves it.  Cannot tell you why, even looking at logs didn't show anything relevant.

    To answer DouglasFoster suggestions - since we were not using the decrypt and scan option, the CA Root issue didn't apply so I didn't do anything with that; and we have never imported the UTM CA into our machines manually or by GPO.  But I did check the cert that was being passed to the browser (Chrome, IE and Firefox all showed the error) and it was showing our Proxy CA as the cert.  Which is strange because it should not have being configured as I mentioned above.  So the UTM appeared to be acting like it was set for Decrypt and Scan, but it wasn't.

Reply
  • Update on this, but first some detail.  We have 27 SG's in production and all are for the most part configured identical.  So this was driving me crazy that only one unit was having this problem, but happen to be the one at HQ with 500 users.  Anyway, we have all of them set for Web Filtering with some policies, but on the HTTPS tab we're only doing 'URL filtering only'.  No decrypt and scan.  As far as I know since UTM 9.2, the UTM CA doesn't need to be installed on our machines for blocking of HTTPS sites.  I understand it won't catch the content and just block URLs but anyway...  I checked, double checked and tripled check all settings against a sister appliance to make sure I didn't accidentally change something - couldn't find any reason as to why it wasn't working.  The only difference was that the others had only been up for 7-30 days and this one had an uptime of 67 days.  Really shouldn't be a problem but I figured wth, let's reboot it.  ~Viola - starts working.  Go figure, the simplest option solves it.  Cannot tell you why, even looking at logs didn't show anything relevant.

    To answer DouglasFoster suggestions - since we were not using the decrypt and scan option, the CA Root issue didn't apply so I didn't do anything with that; and we have never imported the UTM CA into our machines manually or by GPO.  But I did check the cert that was being passed to the browser (Chrome, IE and Firefox all showed the error) and it was showing our Proxy CA as the cert.  Which is strange because it should not have being configured as I mentioned above.  So the UTM appeared to be acting like it was set for Decrypt and Scan, but it wasn't.

Children
  • As I indicated on Feb 13, you SHOULD distribute your UTM CA Certificate, because it is needed for Block and Warn pages  (anytime an HTTPS site is blocked or warned, even with inspection disabled.

    Apparently your UTM had a memory corruption, which was cleared by the reboot.  Either it tried to block/warn but had a problem with the block/warn page so it displayed the target page anyway, or as you suggested, it thought https inspection was supposed to be on for that site.   Given that you randomness was between display-normal and display-with-CA-cert, the latter probably fits the scenario better.

  • Understood.  How it operates makes sense and we've known that. However, for us we're willing to have the error on a blocked site because in reality if it's blocked more than likely it's something they shouldn't be visiting.  Given our environment, it works best for us.  Another situation for us is our number of wifi guest networks that pass through our UTMs at all different locations that we want some filtering on.  The option of passing out a CA is not an option at all given the wide array of phones, tablets and BYOD devices hitting the guest networks.

    But thanks to everyone who piped in.  Another reason I use Sophos - the community.