Hi guys, for some days now I've been getting this error on a Sophos UTM:
Marco, the Proxy CA is created automatically when you first install the UTM. You can download that on the 'Proxy CAs' tab of 'Web Protection >> Filtering Options'. It's strange that it would be within 30 days of expiration, so I bet that's a bug in 9.501 and that there's really nothing wrong.
Cheers - Bob
Hello!
Do you know whether this is really a bug and whether it is present in 9.502? I ask because:
1 certificate(s) will expire within the next 30 days:
Proxy CA
--
System Uptime : 0 days 8 hours 8 minutes
System Load : 0.37
System Version : Sophos UTM 9.502-4
Please refer to the manual for detailed instructions.
Regards, Miha
This appears to be a design change, Miha, and it wasn't very well publicized. If you're getting this message, you do need to go to the 'HTTPS CAs' tab of 'Filtering Options', [Regenerate], [Download] and then distribute to all users. See section 5A/B of Configuring HTTP/S proxy access with AD SSO.
Cheers - Bob
I'm afraid that there is currently a bug that has something to do with the Proxy CA.
Yesterday I got that message on one UTM. I logged into it and checked the Certificate under Web Protection / Filtering Options / HTTPS CAs. I downloaded it and checked the lifetime, it would expire at the end of the month. OK, clicked the "Regenerate" Button and the new certificate is valid until 2020. Everything seemed to be fine.
Today I got the same message again, complaining the Proxy CA will expire within the next 30 days. Checked http://passthrough.fw-notify.net/cacert.pem at the customer, new certificate that is valid until 2020 is downloaded. Checked Web Protection options again, same same...
Where does the info about the expiring certificate come from? As described here, https://community.sophos.com/kb/en-us/126962, I followed the instructions and can see the old certificate that will expire in a few days.
In my opinion the bug is that this old Proxy CA certificate isn't deleted when the new one is regenerated. If that wasn't so in the past and is not a function, the SSL cert expiration check integrated with 9.5 has to be adjusted to ignore unused certificates.
The old certificate isn't shown anywhere in WebAdmin; can anyone help me find it in the shell?
Gruß / Regards,
Kevin
Sophos CE/CA (XG+UTM), Gold Partner
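For the question above about which stored certificate triggers the 30-day warning, here is an added example that is not part of the original thread and not Sophos code. It lists every PEM certificate in a directory that expires inside the warning window, with its serial, so an old and a regenerated Proxy CA with the same subject can be told apart. The function name and the directory argument are assumptions; the thread does not say where the UTM keeps its certificates.

```shell
#!/bin/sh
# Added example. Lists certificates whose notAfter falls inside the warning
# window (default 30 days, as in the UTM notification).
# Assumption: DIR holds PEM files you exported or located yourself.
# Only the first certificate in each file is read.

expiring_certs() {
    dir=$1
    days=${2:-30}
    secs=$((days * 86400))
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Skip anything openssl cannot parse as a certificate (keys, CSRs).
        openssl x509 -in "$f" -noout >/dev/null 2>&1 || continue
        # -checkend exits non-zero when the certificate expires within
        # $secs seconds; already expired certificates are included.
        if ! openssl x509 -in "$f" -noout -checkend "$secs" >/dev/null 2>&1; then
            subject=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject= *//')
            serial=$(openssl x509 -in "$f" -noout -serial | sed 's/^serial=//')
            end=$(openssl x509 -in "$f" -noout -enddate | sed 's/^notAfter=//')
            # One tab-separated line per hit: file, serial, notAfter, subject.
            printf '%s\t%s\t%s\t%s\n' "$f" "$serial" "$end" "$subject"
        fi
    done
}

# Run only when called with a directory, e.g.: ./certscan.sh ./exported-certs 30
if [ $# -ge 1 ]; then
    expiring_certs "$@"
fi
```

A certificate that shows up here but is not the one offered for download on the 'HTTPS CAs' tab is a candidate for the unused copy the expiration check is still counting.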
Update: the problem still exists :(
I can now say when it is definitely happening: I recently exchanged a UTM120 for an SG115 by downloading/restoring the config.
I opened a case with our distributor when it happened last time. The problem is known, and even after renewing the Proxy CA certificate the UTM will notify daily about the expiring certificate. But - at least as far as I asked them - there seems to be no way to delete the old certificate that is not even used anymore...
Regards,
Kevin
Sophos CE/CA (XG, UTM, Central Endpoint)
Gold Partner
I no longer get emailed, but I am not sure what I did to resolve it.
I know I did several things;
Thanks. I've opened a ticket with support and they are going to take a look.
I was able to generate a new cert. Seemed to only happen on SG115s for me.
The certificate re-creation was never a problem, but the mail about the certificate expiring soon kept being sent.
After the expiration date it stopped. Maybe they fixed it with some updates.
Gruß / Regards,
Kevin
Sophos CE/CA (XG+UTM), Gold Partner