Proxy CA certificate is expiring

Marco, the Proxy CA is created automatically when you first install the UTM.  You can download that on the 'Proxy CAs' tab of 'Web Protection >> Filtering Options'.  It's strange that it would be within 30 days of expiration, so I bet that's a bug in 9.501 and that there's really nothing wrong.

Cheers - Bob

Hello!

Are you familiar if this is really a bug and if it is present in 9.502 because: 

1 certificate(s) will expire within the next 30 days:

Proxy CA

--

System Uptime      : 0 days 8 hours 8 minutes

System Load        : 0.37

System Version     : Sophos UTM 9.502-4

Please refer to the manual for detailed instructions.

Regards, Miha

Update: the problem still exists :(

I can now say when it is definately happening: I recently exchanged a UTM120 to a SG115 by downloading/restoring the config.

I opened a case with our distributor when it happened last time. The problem is known and even if renewing the Proxy CA certificate the UTM will daily notify about the expiring certificate. But - at least as I asked them - there seems no way to delete the old certificate that is not even used anymore...

Anyone:

I have a customer SG115 that just now started emailing the Proxy CA expiring message.

Anything new here?

I no longer get emailed, but I am not sure what I did to resolve it.

I know I did several things;

• Regenerated certs in the web GUI
• Changed out all the certs for the regenerated ones
• Deleted all the obsoleted certs, CAs etc
• Used the info from kerobra above to identify the cert, using the SSH command line.
• Can't remember if I deleted a cert using the SSH command line?
• I think I restarted after the above, in order to ensure no old cert was being referenced

Thanks.  I've opened a ticket with support and they are going to take a look.

Has there been any update on this since a ticket was opened?  I started receiving the same emails earlier this week from our UTM.  We are running 9.509-3 on SG210s.

Thanks in advance

https://sophos.com/kb/126962

I was able to generate a new cert.  Seemed to only happen on SG115's for me.

The certificate re-creation was never a problem, but the mail concerning about certificate expiring soon was sent further.
After the expiring date it stopped. Maybe they fixed it with some updates.

Me too I'm having the same "issue", the mail warning is annoying

BAlfson said:

This appears to be a design change, Miha, and it wasn't very well publicized.  If you're getting this message, you do need to go to the 'HTTPS CAs' tab of 'Filtering Options', [Regenerate], [Download] and then distribute to all users.  See section 5A/B of Configuring HTTP/S proxy access with AD SSO.

Cheers - Bob

 

Sorry for bringing up an old thread, but I'm getting mail from an SG115 and an SG230. The license for Web Protection was never purchased by this client, so there's no obvious way for me to see how to generate a new cert. Can these mails be safely ignored until such time as the certs expire and, I hope, the mails stop coming?

Cheers,

trane

Please let us know if the messages do stop.

I've sent you a PM with a way to regenerate the Proxy CA if the messages don't stop.

Cheers - Bob

Please let us know if the messages do stop.

I've sent you a PM with a way to regenerate the Proxy CA if the messages don't stop.

Cheers - Bob

Bob,

I'd also like to have instructions on handling this.

Our SG230 started sending this come 10 days ago. As usual, unfortunately, our service provider/distributer does not react on the info by the UTM, nor on my e-mail requests.

We're already looking for a new service provider, along with extending our modules. Currently we have gear from other producers still active, but wanted to replace that gear by all-Sophos and obviously just had back luck with the service provider, but have to stick to this one for some months coming.

/ rant.

(sorry, but not getting reactions from fully maintenanced (and paid up) services is frustrating)

Nothing coming from one of the firewalls should be treated lightly, or else why would I need security gear anyway?

I never received documentation. Can you please provide a link explaining what the proxy CA is, why it is expiring, confirm that this is probably harmless and instruct on how to stop the informations? From reading this thread, the problem is all but new and also it is obviously not limited to a current update.

thanks,

André

Hallo André and welcome to the UTM Community!

The Proxy CA is used for Web Filtering.  Without distributing it to all browsers, you will receive certificate warnings if you browse to an HTTPS web site.  You can see where to download or regenerate it on the 'HTTPS CAs' tab of 'Web Protection >> Filtering Options'.  If you aren't filtering HTTPS browsing, you can just regenerate and it will last another three years.  If you already have distributed it to your users, you will want to repeat that process.

You might want to read Configuring HTTP/S proxy access with AD SSO.  Although the article is aimed at Standard mode, 98% of it applies to Transparent mode, too.

My private message referred to above only had to do with a way to overcome the fact that he didn't have a Web Protection subscription.

Cheers - Bob

Thanks for the quick reply, Bob.

And sorry for not being clear enough from the beginning, but that's exactly my case as well. We do not have WebProtection as of yet.

Web protection so far is still done using a comparative solution on an inner firewall; so far we're only using the SG230 for protecting the outer DMZ by some minor packet filtering and to administrate the guest WLAN, which we have in the same zone as DMZ; switching more/all services to Sophos products is scheduled for this year.

So, I don't have web protection, but get the warnings about the certificate running out via administrative e-mail.

Thanks for further help in advance,

André

I'm in the same situation: since a few days these expiration warnings are coming in and we don't have Web protection license on the box.

I would appreciate getting the fix too.

Regards,

Koen

In cases where Web Protection was never licensed, these messages can be ignored. After the 30 days have run their course, the messages will stop coming.

Trane, how do you know that?  Did you open a Support case about this issue?

Cheers - Bob

Bob,

For me it was a simple matter of waiting and seeing. I had 2 boxes sending these mails starting on April 9. The last notification was received on May 7 and then glorious silence ensued. Operation of the boxes proceeded as normal. So, ultimately, regenerating these certs is only an issue for which the actual feature is being used, IMO.

Cheers,

trane

Super - great to know, Trane - Thanks!

Cheers - Bob