
9.715, fw-notify.net not reachable after regenerating signing CA cert

Running 9.715

My HTTPS signing CA cert was due to expire in the next 30 days so I regenerated the cert: Web Protection / Filtering Options / HTTPS CAs / Regenerate

After doing this internal hosts were not able to retrieve the new cert from http://passthrough.fw-notify.net/cacert.pem, connections time out

I have done the following but nothing resolves the issue:

1) Uploaded the original cert to the UTM

2) Didn't find any clues in the logs

3) Regenerated another new cert

4) Rebooted

5) Waited overnight for some magic to happen... ;-}

At this point I'm stumped and am looking for help to resolve this. 

--Larry



  • What does Sophos Support say about this, Larry?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    Perhaps I should have stated this at the outset, but I am a home user so do not have a support contract. 

    --Larry

  • Status update: 

    Have restored the last backup prior to regenerating the CA cert and then rebooted. Tested retrieving the CA cert via URL above, both after the restore and the reboot. Connection to the UTM still times out.

    The backup that was restored was made at the time of the update from 9.714 to 9.715 for what that's worth.

    As mentioned in my reply to Bob Alfson, as a home user I do not have a support contract. That said, I would appreciate any assistance that Sophos support may offer.

    --Larry

  • What happens if you go back to 9.714?

    Personally I never jump on updates as soon as they're released.  Usually 3-6 months after if no issues.

  • I have not tried to roll back to 9.714, I've never had to roll back a UTM release (a testament to Sophos QA) so don't know the procedure. Unless I'm mistaken, the up2date packages are only designed to go forward.

  • Save the latest 9.714 config file to somewhere else and reinstall the iso.

    If I were running this bare metal, I would create a system backup image (acronis, clonezilla, etc..) before applying any updates.

    Should be standard procedure to make a backup of some sort before installing updates....

  • Thanks for the confirmation, that's what I expected the roll-back to require.

    --Larry

  • I just rolled back to 9.714 and found the same timeout on http://passthrough.fw-notify.net/cacert.pem, which was not what I was expecting. Turns out that the system I was using to test pulling the new CA cert was routing through a *different* firewall which didn't know anything about Sophos' fw-notify.net...

    So, this is clearly a self-inflicted wound. I am sorry to have wasted anyone's time on it.

    --Larry
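The thread's two failure modes, a client that never reaches the UTM (timeout, because it routes through another firewall) and a client that reaches a proxy but gets a CA other than the one just regenerated, can both be caught with one small check run from the test host. The script below is an added example, not code from the thread or from Sophos: it fetches http://passthrough.fw-notify.net/cacert.pem with a bounded timeout, computes the SHA-256 fingerprint of the returned certificate the way `openssl x509 -fingerprint -sha256` prints it, and compares it with the fingerprint of the CA exported from WebAdmin. The `EXPECTED_FINGERPRINT` value is a placeholder to be replaced with that exported CA's fingerprint, and the PEM used for the offline self-test is constructed (its body is not a real certificate, it only exercises the parsing and comparison logic).

```python
"""Verify that a client actually receives the regenerated UTM HTTPS signing CA.

Added example, not part of the forum thread. Uses only the standard library.
"""
import base64
import hashlib
import socket
import ssl
import urllib.error
import urllib.request

# URL from the thread; the fingerprint is a placeholder to be replaced with the
# SHA-256 fingerprint of the CA exported from the UTM (assumption: you export it
# via WebAdmin and run `openssl x509 -noout -fingerprint -sha256` on it).
CA_URL = "http://passthrough.fw-notify.net/cacert.pem"
EXPECTED_FINGERPRINT = ":".join(["00"] * 32)  # placeholder, not a real value


def _make_pem(der_like: bytes) -> str:
    """Wrap arbitrary bytes in PEM armour (for the constructed offline sample)."""
    body = base64.encodebytes(der_like).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


# Constructed sample: NOT a real certificate, only used to test the logic offline.
CONSTRUCTED_PEM = _make_pem(b"constructed-sample-not-a-real-certificate-" * 4)


def pem_fingerprint(pem: str) -> str:
    """SHA-256 over the DER encoding, formatted like openssl (AA:BB:...).

    Raises ValueError if the text is not PEM-armoured, which is what you get
    when a captive portal or some other proxy answers instead of the UTM.
    """
    der = ssl.PEM_cert_to_DER_cert(pem.strip())
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_pem(url: str, timeout: float = 5.0):
    """Return ("ok", body), ("timeout", reason) or ("error", reason).

    A timeout is kept distinct from an HTTP/DNS error because in the thread it
    was the symptom of the client routing through the wrong firewall.
    """
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return "ok", resp.read().decode("ascii", "replace")
    except socket.timeout as exc:
        return "timeout", str(exc)
    except urllib.error.URLError as exc:
        if isinstance(exc.reason, socket.timeout):
            return "timeout", str(exc.reason)
        return "error", str(exc.reason)
    except (OSError, ValueError) as exc:
        return "error", str(exc)


def diagnose(result, expected_fp: str) -> str:
    """Turn a fetch result into a one-line verdict for the person testing."""
    status, payload = result
    if status == "timeout":
        return ("timeout: check that this host's route to the passthrough address "
                "goes through the UTM (e.g. `ip route get <ip>`), not another firewall")
    if status == "error":
        return f"fetch failed: {payload}"
    try:
        fp = pem_fingerprint(payload)
    except ValueError:
        return "response is not a PEM certificate"
    if fp == expected_fp:
        return "ok: client received the regenerated CA"
    return (f"mismatch: client received CA {fp}, expected {expected_fp} "
            "(old CA still served, or a different proxy answered)")


if __name__ == "__main__":
    print(diagnose(fetch_pem(CA_URL), EXPECTED_FINGERPRINT))
```

Run it from each client network segment you care about; a "timeout" verdict points at routing, a "mismatch" at the wrong CA being served, and only "ok" confirms the regeneration took effect from that client's point of view.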