Thread Info
  • State Suggested Answer
  • +4 person also asked this people also asked this
  • Locked Locked
  • Replies 18 replies
  • Answers 3 answers
  • Subscribers 11 subscribers
  • Views 6954 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Web proxy reporting false certificate issues

Jay Jay

This started this morning (5/30).

Example site

https://www.dslreports.com/

 

I'm not sure what has expired as the cert is good through the end of June.  Both utm and client pc date is accurate.  Thoughts?

 

Edit:  Here's the lines from the proxy log.

 

2020:05:30-12:11:31 utm httpproxy[6727]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="CONNECT" srcip="10.10.5.100" dstip="64.91.255.98" user="" group="" ad_domain="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="3883" request="0xd32d5800" url="https://www.dslreports.com/" referer="" error="Failed to verify server certificate" authtime="0" dnstime="2" aptptime="66" cattime="71" avscantime="0" fullreqtime="242853" device="0" auth="0" ua="" exceptions="patience" category="165" reputation="neutral" categoryname="Technical/Business Forums" country="United States"
2020:05:30-12:11:32 utm httpproxy[6727]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="CONNECT" srcip="10.10.5.100" dstip="64.91.255.98" user="" group="" ad_domain="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="3883" request="0xd4979c00" url="https://www.dslreports.com/" referer="" error="Failed to verify server certificate" authtime="0" dnstime="3" aptptime="67" cattime="68" avscantime="0" fullreqtime="243232" device="0" auth="0" ua="" exceptions="patience" category="165" reputation="neutral" categoryname="Technical/Business Forums" country="United States"

 

 

Edit2:

https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020

Looks like this is not a utm issue but rather poorly implemented certs?

 

Edit3:  Maybe this is a utm issue as it's not following the cert chain properly?



This thread was automatically locked due to age.
Parents Reply Children
  • 0 in reply to Borut Zidaric

    Hi,

    I am sorry my UTM knowledge s very rusty and I do not have a working UTM at the moment.

    You will need to hope BAlfson come along and looks at your request.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to Borut Zidaric

    Login to UTM via SSH as loginuser. Then su to root.

    cd /etc/ssl/certs

    mkdir ../badcerts

    sophos01:/etc/ssl/certs # ls -l | grep AddTrust_E
    lrwxrwxrwx 1 root root 26 Jan 21 01:31 157753a5.0 -> AddTrust_External_Root.pem
    lrwxrwxrwx 1 root root 26 Jan 21 01:31 3c58f906.0 -> AddTrust_External_Root.pem
    -rw-r--r-- 1 root root 1574 Jan 21 01:31 AddTrust_External_Root.pem
    sophos01:/etc/ssl/certs # mv 157753a5.0 3c58f906.0 AddTrust_External_Root.pem ../badcerts

     

    sophos01:/etc/ssl/certs # /var/mdw/scripts/httpproxy restart
    :: Restarting httpproxy
    :: Stopping httpproxy done
    :: Starting httpproxy done
    sophos01:/etc/ssl/certs #

  • 0 in reply to VladRud

    i am not very familiar with terminal. Probably it cant be done in webadmin?

     

    didnt helped:

     

    sophos01:/etc/ssl/certs # mkdir ../badcerts
    sophos01:/etc/ssl/certs # ls -l | grep AddTrust_E
    lrwxrwxrwx 1 root root 26 Jan 21 07:31 157753a5.0 -> AddTrust_External_Root.pem
    lrwxrwxrwx 1 root root 26 Jan 21 07:31 3c58f906.0 -> AddTrust_External_Root.pem
    -rw-r--r-- 1 root root 1574 Jan 21 07:31 AddTrust_External_Root.pem
    sophos01:/etc/ssl/certs # mv 157753a5.0 3c58f906.0 AddTrust_External_Root.pem ../badcerts
    sophos01:/etc/ssl/certs # /var/mdw/scripts/httpproxy restart
    :: Restarting httpproxy
    :: Stopping httpproxy done
    :: Starting httpproxy done

     

  • 0 in reply to Borut Zidaric

    This is an issue we are also experiencing.

    UTM 9.702-1 with Web Filtering in Standard/Decrypt and Scan Mode.

  • 0 in reply to VladRud

    I just tried VladRud's solution of moving the AddTrust_External_Root cert and its links to the /etc/ssl/badcerts directory. Rather than just restarting the httpproxy daemon, I rebooted. Initially thought that this solved the problem, but then I realized that I had tested with a site I had already added an exception to... (insert sounds associated with a public admission of stupidity). I have verified that the AddTrust_External_Root cert did not magically reappear in the /etc/ssl/certs directory after the reboot. After removing the exception and retesting, this does not solve the problem with the expired cert.

    --Larry

  • 0 in reply to Fahnoe

    If i understand you correctly restarting http proxy didnt helped but restart whole UTM helped?

  • +2 in reply to Borut Zidaric

    Simpler solution that worked for me.  Disable the cert in web protection, filtering options, HTTP CAs.  It was the 5th one down for me.  After disabling, restart the proxy either through command line (see above), or by disabling/enabling the web filtering on the main web filtering page. Change doesn't take effect unless proxy is restarted.

     

  • 0 in reply to Jay Jay

    I owe you a beer [B], thanks

  • 0 in reply to Borut Zidaric

    I don't know why it didn't occur to me to restart the proxy initially, after making the cert change.   Maybe I thought toggling the cert off would do a restart automatically¿?

    Glad it worked and I too can remove a bunch of exceptions from the list.  Maybe Sophos will issue an update soon that removes that cert entirely.

  • 0 in reply to Jay Jay

    Hi!

    This workaround and/or the command lines do not work in my HA cluster environment.

    After restarting both nodes the certificate is still listed or listed again.

    Disabling the certificate and restarting the proxy has no effect, still getting "Untrusted Website".

    Any ideas???

Unfiltered HTML