Running 9.715
My HTTPS signing CA cert was due to expire in the next 30 days, so I regenerated the cert: Web Protection / Filtering Options / HTTPS CAs / Regenerate
After doing this, internal hosts were not able to retrieve the new cert from http://passthrough.fw-notify.net/cacert.pem; connections time out.
I have done the following but nothing resolves the issue:
1) Uploaded the original cert to the UTM
2) Didn't find any clues in the logs
3) Regenerated another new cert
4) Rebooted
5) Waited overnight for some magic to happen... ;-}
At this point I'm stumped and am looking for help to resolve this.
--Larry
What does Sophos Support say about this, Larry?
Cheers - Bob
Hi Bob,
Perhaps I should have stated this at the outset, but I am a home user so do not have a support contract.
Status update:
Have restored the last backup prior to regenerating the CA cert and then rebooted. Tested retrieving the CA cert via URL above, both after the restore and the reboot. Connection to the UTM still times out.
The backup that was restored was made at the time of the update from 9.714 to 9.715 for what that's worth.
As mentioned in my reply to Bob Alfson, as a home user I do not have a support contract. That said, I would appreciate any assistance that Sophos support may offer.
What happens if you go back to 9.714?
Personally I never jump on updates as soon as they're released. Usually 3-6 months after if no issues.
I have not tried to roll back to 9.714; I've never had to roll back a UTM release (a testament to Sophos QA), so I don't know the procedure. Unless I'm mistaken, the up2date packages are only designed to go forward.
Save the latest 9.714 config file to somewhere else and reinstall the iso.
If I were running this on bare metal, I would create a system backup image (Acronis, Clonezilla, etc.) before applying any updates.
Should be standard procedure to make a backup of some sort before installing updates....
Thanks for the confirmation, that's what I expected the roll-back to require.
I just rolled back to 9.714 and found the same timeout on http://passthrough.fw-notify.net/cacert.pem, which was not what I was expecting. Turns out that the system I was using to test pulling the new CA cert was routing through a *different* firewall, which didn't know anything about Sophos' fw-notify.net...
So, this is clearly a self-inflicted wound. I am sorry to have wasted anyone's time on it.
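The lesson of the thread is that the test host's route, not the UTM, was the problem. Below is an added example (not posted by anyone in the thread and not Sophos code) of a pre-flight check that confirms the next hop before fetching the CA cert. It assumes a Linux test host with `ip`, `curl` and `openssl`, and a placeholder UTM inside address of 192.168.1.1; the route line used in the comments is constructed sample output, not captured from a real system.

```shell
#!/bin/sh
# Added example: verify the test host actually routes through the UTM before
# blaming the UTM for a timeout on http://passthrough.fw-notify.net/cacert.pem.
# UTM_ADDR is an assumed placeholder; replace it with the UTM's internal address.
UTM_ADDR="${UTM_ADDR:-192.168.1.1}"

# next_hop ROUTE_LINE
# Extract the gateway from one line of `ip route get` output. A constructed
# sample line looks like:
#   "1.1.1.1 via 192.168.1.1 dev eth0 src 192.168.1.50 uid 1000"
# Prints nothing when the destination is directly connected (no "via").
next_hop() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "via") { print $(i + 1); exit } }'
}

# route_via_utm ROUTE_LINE UTM_ADDR
# Returns 0 when the next hop in ROUTE_LINE is UTM_ADDR, 1 otherwise.
route_via_utm() {
    [ "$(next_hop "$1")" = "$2" ]
}

# check_live [UTM_ADDR]
# Ask the kernel which gateway handles a public destination, and only then try
# to pull the CA cert and show its subject and expiry. Returns 1 if the path
# does not go through the UTM, 2 if the needed tools are missing.
check_live() {
    utm="${1:-$UTM_ADDR}"
    for tool in ip curl openssl; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing tool: $tool"; return 2; }
    done
    # 1.1.1.1 is just an arbitrary public address to resolve the default path.
    line=$(ip route get 1.1.1.1 2>/dev/null | head -n 1)
    if route_via_utm "$line" "$utm"; then
        echo "default path is via the UTM ($utm); fetching CA cert"
        curl -fsS --max-time 10 http://passthrough.fw-notify.net/cacert.pem -o cacert.pem \
            && openssl x509 -in cacert.pem -noout -subject -enddate
    else
        echo "default path is NOT via the UTM: $line"
        return 1
    fi
}
```

Run `check_live` (or `UTM_ADDR=10.0.0.1 check_live`) on the host you are testing from; a "NOT via the UTM" result is the situation described in this thread, and no amount of cert regeneration or rollback on the UTM will change it.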