This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Proxy CA certificate is expiring

Hi guys, since some days I'm getting this error on a Sophos UTM:

1 certificate(s) will expire within the next 30 days:
Proxy CA
 
--
System Uptime      : 4 days 14 hours 13 minutes
System Load        : 0.12
System Version     : Sophos UTM 9.501-5
 
The box was installed on 15 April 2014, I've never configured a "Proxy CA" or uploaded any custom or public certificates
 
If I look for "certificates" on UTM search box I can see just 3 certificates that expire on 2038
 
Local X509 Cert
WebAdmin certificate
admin (X509 User Cert)
 
Any advice on this issue guys? Thanks for help
 
Marco
 
 
 


This thread was automatically locked due to age.
Parents
  • Marco, the Proxy CA is created automatically when you first install the UTM.  You can download that on the 'Proxy CAs' tab of 'Web Protection >> Filtering Options'.  It's strange that it would be within 30 days of expiration, so I bet that's a bug in 9.501 and that there's really nothing wrong.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello!

    Are you familiar if this is really a bug and if it is present in 9.502 because: 

     

    1 certificate(s) will expire within the next 30 days:

    Proxy CA

    --

    System Uptime      : 0 days 8 hours 8 minutes

    System Load        : 0.37

    System Version     : Sophos UTM 9.502-4

    Please refer to the manual for detailed instructions.

     

    Regards, Miha

  • This appears to be a design change, Miha, and it wasn't very well publicized.  If you're getting this message, you do need to go to the 'HTTPS CAs' tab of 'Filtering Options', [Regenerate], [Download] and then distribute to all users.  See section 5A/B of Configuring HTTP/S proxy access with AD SSO.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I'm afraid that there is currently a bug that has something to do with the Proxy CA.

    Yesterday I got that message on one UTM. I logged into it and checked the Certificate under Web Protection / Filtering Options / HTTPS CAs. I downloaded it and checked the lifetime, it would expire at the end of the month. OK, clicked the "Regenerate" Button and the new certificate is valid until 2020. Everything seemed to be fine.

    Today I got the same message again, complaining the Proxy CA will expire within the next 30 days. Checked http://passthrough.fw-notify.net/cacert.pem at the customer, new certificate that is valid until 2020 is downloaded. Checked Web Protection options again, same same...


    Where does the info about the expiring certificate come from? Like described here https://community.sophos.com/kb/en-us/126962 I followed the instructions and can see the old certificate that will expire in a few days.

    In my opinion the bug is that this old Proxy CA certificate isn't deleted while regenerating the new one. If that wasn't so in the past and is not a function the witrh 9.5 integrated SLL cert expiration check has to be adjusted to ignore unused certificates.

    The old certificate isn't shown anywhere in WebAdmin, can anyone help me finding it in the shell?

    Gruß / Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner

Reply
  • I'm afraid that there is currently a bug that has something to do with the Proxy CA.

    Yesterday I got that message on one UTM. I logged into it and checked the Certificate under Web Protection / Filtering Options / HTTPS CAs. I downloaded it and checked the lifetime, it would expire at the end of the month. OK, clicked the "Regenerate" Button and the new certificate is valid until 2020. Everything seemed to be fine.

    Today I got the same message again, complaining the Proxy CA will expire within the next 30 days. Checked http://passthrough.fw-notify.net/cacert.pem at the customer, new certificate that is valid until 2020 is downloaded. Checked Web Protection options again, same same...


    Where does the info about the expiring certificate come from? Like described here https://community.sophos.com/kb/en-us/126962 I followed the instructions and can see the old certificate that will expire in a few days.

    In my opinion the bug is that this old Proxy CA certificate isn't deleted while regenerating the new one. If that wasn't so in the past and is not a function the witrh 9.5 integrated SLL cert expiration check has to be adjusted to ignore unused certificates.

    The old certificate isn't shown anywhere in WebAdmin, can anyone help me finding it in the shell?

    Gruß / Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner

Children