This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

9.715, fw-notify.net not reachable after regenerating signing CA cert

Running 9.715

My HTTPS signing CA cert was due to expire in the next 30 days so I regenerated the cert: Web Protection / Filtering Options / HTTPS CAs / Regenerate

After doing this internal hosts were not able to retrieve the new cert from http://passthrough.fw-notify.net/cacert.pem, connections time out

I have done the following but nothing resolves the issue:

1) Uploaded the original cert to the UTM

2) Didn't find any clues in the logs

3) Regenerated another new cert

4) Rebooted

5) Waited overnight for some magic to happen... ;-}

At this point I'm stumped and am looking for help to resolve this.

--Larry

This thread was automatically locked due to age.

Top Replies

Fahnoe over 1 year ago +2 verified

I just rolled back to 9.714 and found that the same timeout on http://passthrough.fw-notify.net/cacert.pem which was not what I was expecting. Turns out that the system I was using to test pulling the…

0 BAlfson over 1 year ago

What does Sophos Support say about this, Larry?

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 Fahnoe over 1 year ago in reply to BAlfson

Hi Bob,

Perhaps I should have stated this at the outset, but I am a home user so do not have a support contract.

--Larry
Cancel
Vote Up 0 Vote Down

Cancel
0 Fahnoe over 1 year ago

Status update:

Have restored the last backup prior to regenerating the CA cert and then rebooted. Tested retrieving the CA cert via URL above, both after the restore and the reboot. Connection to the UTM still times out.

The backup that was restored was made at the time of the update from 9.714 to 9.715 for what that's worth.

As mentioned in my reply to Bob Alfson, as a home user I do not have a support contract. That said, I would appreciate any assistance that Sophos support may offer.

--Larry
Cancel
Vote Up 0 Vote Down

Cancel
0 Jay Jay over 1 year ago in reply to Fahnoe

What happens if you go back to 9.714?

Personally I never jump on updates as soon as they're released. Usually 3-6 months after if no issues.
Cancel
Vote Up 0 Vote Down

Cancel
0 Fahnoe over 1 year ago in reply to Jay Jay

I have not tried to roll back to 9.714, I've never had to roll back a UTM release (a testament to Sophos QA) so don't know the procedure. Unless I'm mistaken, the up2date packages are only designed to go forward.
Cancel
Vote Up 0 Vote Down

Cancel
0 Jay Jay over 1 year ago in reply to Fahnoe

Save the latest 9.714 config file to somewhere else and reinstall the iso.

If I were running this bare metal, I would make create a system backup image (acronis, clonezilla, etc..) before applying any updates.

Should be standard procedure to make backup of some sort before installing updates....
Cancel
Vote Up 0 Vote Down

Cancel
0 Fahnoe over 1 year ago in reply to Jay Jay

Thanks for the confirmation, that's what I expected the roll-back to require.

--Larry
Cancel
Vote Up 0 Vote Down

Cancel
+1 Fahnoe over 1 year ago

I just rolled back to 9.714 and found that the same timeout on http://passthrough.fw-notify.net/cacert.pem which was not what I was expecting. Turns out that the system I was using to test pulling the new CA cert was routing through a *different* firewall which didn't know anything about Sophos' fw-notify.net...

So, this is clearly a self-inflicted wound. I am sorry to have wasted anyone's time on it.

--Larry
Cancel
Vote Up +2 Vote Down

Cancel