
Proxy CA certificate is expiring

Hi guys, for some days now I've been getting this error on a Sophos UTM:

1 certificate(s) will expire within the next 30 days:
Proxy CA
 
--
System Uptime      : 4 days 14 hours 13 minutes
System Load        : 0.12
System Version     : Sophos UTM 9.501-5
 
The box was installed on 15 April 2014. I've never configured a "Proxy CA" or uploaded any custom or public certificates.
 
If I look for "certificates" in the UTM search box I can see just 3 certificates, which expire in 2038:
 
Local X509 Cert
WebAdmin certificate
admin (X509 User Cert)
 
Any advice on this issue guys? Thanks for help
 
Marco
 
 
 


This thread was automatically locked due to age.
  • Marco, the Proxy CA is created automatically when you first install the UTM.  You can download that on the 'Proxy CAs' tab of 'Web Protection >> Filtering Options'.  It's strange that it would be within 30 days of expiration, so I bet that's a bug in 9.501 and that there's really nothing wrong.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello!

    Do you know if this is really a bug and if it is present in 9.502? I ask because:

     

    1 certificate(s) will expire within the next 30 days:
    Proxy CA
    --
    System Uptime      : 0 days 8 hours 8 minutes
    System Load        : 0.37
    System Version     : Sophos UTM 9.502-4

    Please refer to the manual for detailed instructions.

     

    Regards, Miha

  • This appears to be a design change, Miha, and it wasn't very well publicized.  If you're getting this message, you do need to go to the 'HTTPS CAs' tab of 'Filtering Options', [Regenerate], [Download] and then distribute to all users.  See section 5A/B of Configuring HTTP/S proxy access with AD SSO.

    Cheers - Bob

     
  • I'm afraid that there is currently a bug that has something to do with the Proxy CA.

    Yesterday I got that message on one UTM. I logged into it and checked the Certificate under Web Protection / Filtering Options / HTTPS CAs. I downloaded it and checked the lifetime, it would expire at the end of the month. OK, clicked the "Regenerate" Button and the new certificate is valid until 2020. Everything seemed to be fine.

    Today I got the same message again, complaining the Proxy CA will expire within the next 30 days. Checked http://passthrough.fw-notify.net/cacert.pem at the customer, new certificate that is valid until 2020 is downloaded. Checked Web Protection options again, same same...


    Where does the info about the expiring certificate come from? Like described here https://community.sophos.com/kb/en-us/126962 I followed the instructions and can see the old certificate that will expire in a few days.

    In my opinion the bug is that this old Proxy CA certificate isn't deleted while regenerating the new one. If that wasn't so in the past and is not a function, the SSL cert expiration check integrated with 9.5 has to be adjusted to ignore unused certificates.

    The old certificate isn't shown anywhere in WebAdmin. Can anyone help me find it in the shell?

    Gruß / Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner
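
The check Kevin describes (download each certificate and look at its lifetime) can be scripted. This is an added example, not part of the original thread and not Sophos tooling: it lists every PEM certificate in a directory that expires within a given window, so a stale CA left beside a regenerated one stands out. The directory argument, file names and sample certificates are constructed assumptions; the thread does not say where the UTM stores the old certificate.

```bash
#!/usr/bin/env bash
# Added example: report PEM certificates that expire within N days.
# Paths and names are placeholders, not Sophos UTM locations.

# expiring_certs DIR [DAYS]
# Prints "file<TAB>subject<TAB>notAfter" for each certificate in DIR/*.pem
# that will have expired DAYS from now (default 30, the window the
# notification in this thread uses).
expiring_certs() {
    local dir=$1 days=${2:-30} f subject end
    for f in "$dir"/*.pem; do
        [ -f "$f" ] || continue
        # Skip files that do not parse as an X.509 certificate.
        openssl x509 -in "$f" -noout >/dev/null 2>&1 || continue
        # -checkend exits non-zero when the certificate expires in the window.
        if ! openssl x509 -in "$f" -noout -checkend $((days * 86400)) >/dev/null; then
            subject=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject= *//')
            end=$(openssl x509 -in "$f" -noout -enddate | cut -d= -f2)
            printf '%s\t%s\t%s\n' "$(basename "$f")" "$subject" "$end"
        fi
    done
}

# make_sample_certs DIR
# Constructed test data: two self-signed certificates, one valid for
# 10 days (the stale CA) and one for 730 days (the regenerated CA).
make_sample_certs() {
    local dir=$1 name days
    for name in old-proxy-ca:10 new-proxy-ca:730; do
        days=${name#*:}; name=${name%%:*}
        openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
            -subj "/CN=constructed $name" \
            -keyout "$dir/$name.key" -out "$dir/$name.pem" 2>/dev/null
    done
}

# Usage: script DIR [DAYS]; with no arguments only the functions are defined.
if [ $# -gt 0 ]; then expiring_certs "$@"; fi
```

Comparing the output with `openssl x509 -noout -fingerprint` of the certificate clients actually receive shows whether the expiring entry is the one in use or a leftover.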

  • Kevin, I think you're right that this is a bug.

    Cheers - Bob

     
  • Is this considered 'resolved'?  I see the question is marked as answered but there appears to be a current bug.

    I'm keen to have it resolved as turning off the notification seems the wrong option.

  • Update: the problem still exists :(

    I can now say when it is definitely happening: I recently exchanged a UTM120 for an SG115 by downloading/restoring the config.

    I opened a case with our distributor when it happened last time. The problem is known and even if renewing the Proxy CA certificate the UTM will daily notify about the expiring certificate. But - at least as I asked them - there seems no way to delete the old certificate that is not even used anymore...

    Regards,

    Kevin

    Sophos CE/CA (XG, UTM, Central Endpoint)
    Gold Partner

  • Anyone:

    I have a customer SG115 that just now started emailing the Proxy CA expiring message.

    Anything new here?

  • I no longer get emailed, but I am not sure what I did to resolve it.

    I know I did several things:

    • Regenerated certs in the web GUI
    • Changed out all the certs for the regenerated ones
    • Deleted all the obsoleted certs, CAs etc
    • Used the info from kerobra above to identify the cert, using the SSH command line.
    • Can't remember if I deleted a cert using the SSH command line?
    • I think I restarted after the above, in order to ensure no old cert was being referenced
  • Thanks.  I've opened a ticket with support and they are going to take a look.

  • Has there been any update on this since a ticket was opened?  I started receiving the same emails earlier this week from our UTM.  We are running 9.509-3 on SG210s.

     

    Thanks in advance
