You are exactly right. You have done nothing wrong. This is a known bug in UTM.
I opened a support ticket, which was escalated to Level 2. This is a portion of his response:
"This behavior on the Webadmin / User Portal is known to us and is being looked at by Dev."
He proposed a workaround, which involves manipulating .pem files with OpenSSL and then using ssh to replace a certificates in a key folder.
I had some concerns about implementing his suggestion, and the ticket was closed because I did not follow up in a timely manner.
I was not too worried about it because I had only seen the problem using the SSL Labs tester, not an actual browser.
Since you report that Apple systems will be more particular, I will need to reopen the issue with Sophos.
However, I don't think Sophos would appreciate a minimally-supported hack being re-posted to this forum, so I will not post the fix even if I get it working.
I recommend pursuing this with Sophos Support, realizing that you will need to claw your way to Level 2.
The fix has already been discovered and posted in this thread by Robert Yount on Oct 7 2016, unfortunately it doesn't survive a reboot of the UTM. If there's another way that persists after reboots, I think it would be useful to share for others. I ended up just throwing the webadmin & portal behind HAProxy which handles the TLS termination of my other sites.
The fix posted by PaTmaN93 earlier in this thread survives a reboot. I have tested and confirmed this is true. We are now waiting to hear back to see if this fix invalidates the warranty on your UTM.
-------------------------------
Interesting [in-ter-uh-sting, -truh-sting, -tuh-res-ting]
A word typically used by IT technicians to describe an issue they didn't expect, or never encountered, and don't know how to fix.
it is a safe bet that if you fiddle with CC, you give them the option of saying that you made a typing mistake while implementing your fix. To avoid the argument, don't tell them what you have done. Level 1 isn't likely to know how to use CC, and Level 2 and higher will hopefully be reasonable.
it is a safe bet that if you fiddle with CC, you give them the option of saying that you made a typing mistake while implementing your fix. To avoid the argument, don't tell them what you have done. Level 1 isn't likely to know how to use CC, and Level 2 and higher will hopefully be reasonable.
Just make sure you create & download a backup from the UTM first. There's a procedure to re-image the whole thing just in case.
Speaking from experience, I completely agree. Going through the process, I ended up locking myself out. Luckily I DID make a backup just prior to the change, and downloaded it off of the UTM.
-------------------------------
Interesting [in-ter-uh-sting, -truh-sting, -tuh-res-ting]
A word typically used by IT technicians to describe an issue they didn't expect, or never encountered, and don't know how to fix.
That's something that may not happen here, as it's our only gateway.
I got a reply from Sophos Support, telling me that they are just doing 2nd level and I shall go through my reseller.
That's something I'm not going to do, as they would just charge me a huge amount of money...
If anybody else has a ticket open, let's keep hope that gets fixed through updates at some point!