This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Certificate Expiration Email

Hello,

   For the past couple of days I have been getting an email that 1 certificate will expire in the next 30 days:  B8C3B0C19BA3F1BE

I do not have any Lets Encrypt certificates set up, and I do not see this certificate when going to WebServer Protection > Certificate Management in the Certificates or Certificate Authorities tabs.  Does anyone know where I might be able to find this certificate?

Thank you in Advance,

Mike



This thread was automatically locked due to age.
Parents
  • Hi Mike,

    Please show a picture of the email message you're receiving.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Here is a screen shot of the email

  • NOTE 2021-10-28: Corrected name in _by_name commands below.

    OK, it's gotta be there somewhere.  Does the following command as root give you a result instead of 0?

        cc get_objects ca|grep 'B8C3B0C19BA3F1BE'

    If so, then try the following until you get a result:

        cc get_object_by_name ca http_verification_ca 'B8C3B0C19BA3F1BE'|grep \'issuer
        cc get_object_by_name ca host_cert 'B8C3B0C19BA3F1BE'|grep \'issuer
        cc get_object_by_name ca host_key_cert 'B8C3B0C19BA3F1BE'|grep \'issuer
        cc get_object_by_name ca meta_x509 'B8C3B0C19BA3F1BE'|grep \'issuer
        cc get_object_by_name ca signing_ca 'B8C3B0C19BA3F1BE'|grep \'issuer
        cc get_object_by_name ca verification_ca 'B8C3B0C19BA3F1BE'|grep \'issuer

    Please share your result.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Well I did get a result for the get_objects command, but no results for the get_object_by_name commands.  Here is a screenshot:

  • I would've thought it would be one of those, Mike.  Here's the complete list of all of the types of ca:

    crl            host_key_cert               rsa
    csr           http_verification_ca      signing_ca
    group       meta_crl                       verification_ca
    host_cert  meta_x509

    You might try the other ones...

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • I would've thought it would be one of those, Mike.  Here's the complete list of all of the types of ca:

    crl            host_key_cert               rsa
    csr           http_verification_ca      signing_ca
    group       meta_crl                       verification_ca
    host_cert  meta_x509

    You might try the other ones...

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
  • Good afternoon Bob.  I have tried all the other ca types you listed, but I am still getting the same results.

  • Strange!  The following command will list the entire cert for each and you should be able to pick the one out by the 'enddate' and get the 'type' at the bottom of that entry.

         cc get_objects ca|grep -B 8 -A 14 'B8C3B0C19BA3F1BE'

    HOLD THAT THOUGHT!  FACEPALM!  I just realized I used the wrong name in the get_object_by_name commands!  I had '83040476DC6B5D6F' instead of 'B8C3B0C19BA3F1BE'.  I've corrected that in my post above.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Looks like we got something on that run.  I still don't see that in Certificate Management, so obviously I am looking in the wrong place.

  • So it looks like this is the Proxy CA...

    Usually, the notification explicitly calls it the Proxy CA, so I wonder if this isn't an old one no longer in use.

    To confirm, run certificates in Windows, and open the MRM2 Inc Proxy CA in 'Certificates' in 'Trusted Root Certification Authorities' to confirm that it's about to expire.  If so, you might download the PEM of the Proxy CA on the 'HTTPS CAs' tab of Web Filtering and open it with Notepad to confirm that it's the same one in your Windows Certs.  If so, then [Regenerate] and install the new Procy CA on all clients.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Recently got a similar message from both nodes of a HA system.
    However this system has only a network protection license, so all fields in the web protection page are greyed out.
    How can I renew (or at least delete) the Proxy CA via CC and command line?

  • Well I do not happen to have it on this computer, and have checked a few of the servers.  But I did download the PEM and opened it with Notepad.  The Serial Number matches.  And I now have a clear date as to when it will drop dead.  

  • Just out of curiosity, would this be at all tied to any expiring licensing for Sophos?

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • Alan, ask your reseller for a 2-day demo license that includes Web Protection so that you can regenerate the Proxy CA.  Alternatively, you could open a Support ticket for them to fix this at the command line.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • No, I don't think so the dates between the Certificate and the license expiration are over a month apart, and the Certificate that I have expiring curiously was generated on the same day that I had to fix a CRL issue on my Certificate Authority servers.  But it looks like the Proxy CA was valid for 26 months.