This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

No Luck Using a SSL Certificate with WebAdmin/User Portal

Short Version:
————————
I am unable to successfully install a publicly signed SSL certificate and along with it’s intermediate certificate for use in WebAdmin and the User Portal. 

After installation only some browsers (Safari & Chrome on OS X) show it as trusted. Others (Firefox on OS X, Safari on iOS, Chrome on Android, etc.) show it as untrusted.

Can anyone provide guidance?


Long Version:
————————
Following the KB articles at:
Create and Import a Public Signed Certificate for UTM Web Application Security
How to import and use your own certificate for WebAdmin in Astaro Security Gateway

I created a private key and corresponding CSR and submitted it for a UCC certificate with 20 SAN’s.

Using openssl I combined the resulting certificate and my private key in to a [FONT="Courier New"]p12[/FONT] file.  I uploaded it to the UTM (Remote Access > Certificate Management > Certificate > + New certificate), along with the Intermediate certificate previously converted from a crt to pem using openssl (Remote Access > Certificate Management > Certificate > Certificate Authority).  

I then selected the cert (Managment > WebAdmin Settings HTTPS Certificate > Choose WebAdmin/User Portal Certificate).

When testing across browsers Safari and Chrome show the certificate as trusted/verified.  However, iOS, Android, Firefox, etc. do not.

When verifying via openssl with the command:

[FONT="Courier New"]openssl s_client -showcerts -connect mywebadmin.mydomain.com.au:443[/FONT]

I get the error:

[FONT="Courier New"]Verify return code: 21 (unable to verify the first certificate)[/FONT]

Only the primary domain certificate is listed; not the intermediate or the root, so there appears to be no chain of trust.  It would appear that most likely the browsers that work are assembling the chain of trust from their own keystones???

Using the exact same [FONT="Courier New"]p12[/FONT] on other servers works perfectly fine.  Browsers accept and openssl (which I am assuming does not have  a keystore) verify it as fine displaying the full chain of trust.  I have tried adding the complete trust chain (primary domain + intermediate CA + root CA)  to the certificate to no avail.  From what I can tell the intermediate CA is not being presented to clients, only the primary.  But I'm a noob when it comes to SSL.

Any suggestions on fixing?


This thread was automatically locked due to age.
Parents
  • You are exactly right.   You have done nothing wrong.   This is a known bug in UTM.

    I opened a support ticket, which was escalated to Level 2.  This is a portion of his response:

                   "This behavior on the Webadmin / User Portal is known to us and is being looked at by Dev."

    He proposed a workaround, which involves manipulating .pem files with OpenSSL and then using ssh to replace a certificates in a key folder.

    I had some concerns about implementing his suggestion, and the ticket was closed because I did not follow up in a timely manner.  

    I was not too worried about it because I had only seen the problem using the SSL Labs tester, not an actual browser.  

    Since you report that Apple systems will be more particular, I will need to reopen the issue with Sophos.

    However, I don't think Sophos would appreciate a minimally-supported hack being re-posted to this forum, so I will not post the fix even if I get it working.

    I recommend pursuing this with Sophos Support, realizing that you will need to claw your way to Level 2.

  • The fix has already been discovered and posted in this thread by Robert Yount on Oct 7 2016, unfortunately it doesn't survive a reboot of the UTM. If there's another way that persists after reboots, I think it would be useful to share for others. I ended up just throwing the webadmin & portal behind HAProxy which handles the TLS termination of my other sites.

  • The fix posted by PaTmaN93 earlier in this thread survives a reboot.  I have tested and confirmed this is true.  We are now waiting to hear back to see if this fix invalidates the warranty on your UTM.

    -------------------------------

    Interesting [in-ter-uh-sting, -truh-sting, -tuh-res-ting]

    A word typically used by IT technicians to describe an issue they didn't expect, or never encountered, and don't know how to fix.

Reply
  • The fix posted by PaTmaN93 earlier in this thread survives a reboot.  I have tested and confirmed this is true.  We are now waiting to hear back to see if this fix invalidates the warranty on your UTM.

    -------------------------------

    Interesting [in-ter-uh-sting, -truh-sting, -tuh-res-ting]

    A word typically used by IT technicians to describe an issue they didn't expect, or never encountered, and don't know how to fix.

Children