Hi guys, since some days I'm getting this error on a Sophos UTM:
This thread was automatically locked due to age.
Hi guys, since some days I'm getting this error on a Sophos UTM:
Marco, the Proxy CA is created automatically when you first install the UTM. You can download that on the 'Proxy CAs' tab of 'Web Protection >> Filtering Options'. It's strange that it would be within 30 days of expiration, so I bet that's a bug in 9.501 and that there's really nothing wrong.
Cheers - Bob
Hello!
Are you familiar if this is really a bug and if it is present in 9.502 because:
1 certificate(s) will expire within the next 30 days:
Proxy CA
--
System Uptime : 0 days 8 hours 8 minutes
System Load : 0.37
System Version : Sophos UTM 9.502-4
Please refer to the manual for detailed instructions.
Regards, Miha
This appears to be a design change, Miha, and it wasn't very well publicized. If you're getting this message, you do need to go to the 'HTTPS CAs' tab of 'Filtering Options', [Regenerate], [Download] and then distribute to all users. See section 5A/B of Configuring HTTP/S proxy access with AD SSO.
Cheers - Bob
I'm afraid that there is currently a bug that has something to do with the Proxy CA.
Yesterday I got that message on one UTM. I logged into it and checked the Certificate under Web Protection / Filtering Options / HTTPS CAs. I downloaded it and checked the lifetime, it would expire at the end of the month. OK, clicked the "Regenerate" Button and the new certificate is valid until 2020. Everything seemed to be fine.
Today I got the same message again, complaining the Proxy CA will expire within the next 30 days. Checked http://passthrough.fw-notify.net/cacert.pem at the customer, new certificate that is valid until 2020 is downloaded. Checked Web Protection options again, same same...
Where does the info about the expiring certificate come from? Like described here https://community.sophos.com/kb/en-us/126962 I followed the instructions and can see the old certificate that will expire in a few days.
In my opinion the bug is that this old Proxy CA certificate isn't deleted while regenerating the new one. If that wasn't so in the past and is not a function the witrh 9.5 integrated SLL cert expiration check has to be adjusted to ignore unused certificates.
The old certificate isn't shown anywhere in WebAdmin, can anyone help me finding it in the shell?
Gruß / Regards,
Kevin
Sophos CE/CA (XG+UTM), Gold Partner
I'm afraid that there is currently a bug that has something to do with the Proxy CA.
Yesterday I got that message on one UTM. I logged into it and checked the Certificate under Web Protection / Filtering Options / HTTPS CAs. I downloaded it and checked the lifetime, it would expire at the end of the month. OK, clicked the "Regenerate" Button and the new certificate is valid until 2020. Everything seemed to be fine.
Today I got the same message again, complaining the Proxy CA will expire within the next 30 days. Checked http://passthrough.fw-notify.net/cacert.pem at the customer, new certificate that is valid until 2020 is downloaded. Checked Web Protection options again, same same...
Where does the info about the expiring certificate come from? Like described here https://community.sophos.com/kb/en-us/126962 I followed the instructions and can see the old certificate that will expire in a few days.
In my opinion the bug is that this old Proxy CA certificate isn't deleted while regenerating the new one. If that wasn't so in the past and is not a function the witrh 9.5 integrated SLL cert expiration check has to be adjusted to ignore unused certificates.
The old certificate isn't shown anywhere in WebAdmin, can anyone help me finding it in the shell?
Gruß / Regards,
Kevin
Sophos CE/CA (XG+UTM), Gold Partner
Update: the problem still exists :(
I can now say when it is definately happening: I recently exchanged a UTM120 to a SG115 by downloading/restoring the config.
I opened a case with our distributor when it happened last time. The problem is known and even if renewing the Proxy CA certificate the UTM will daily notify about the expiring certificate. But - at least as I asked them - there seems no way to delete the old certificate that is not even used anymore...
Regards,
Kevin
Sophos CE/CA (XG, UTM, Central Endpoint)
Gold Partner
I no longer get emailed, but I am not sure what I did to resolve it.
I know I did several things;
Thanks. I've opened a ticket with support and they are going to take a look.
I was able to generate a new cert. Seemed to only happen on SG115's for me.
The certificate re-creation was never a problem, but the mail concerning about certificate expiring soon was sent further.
After the expiring date it stopped. Maybe they fixed it with some updates.
Gruß / Regards,
Kevin
Sophos CE/CA (XG+UTM), Gold Partner