This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Web proxy reporting false certificate issues

This started this morning (5/30).

Example site

https://www.dslreports.com/

 

I'm not sure what has expired as the cert is good through the end of June.  Both utm and client pc date is accurate.  Thoughts?

 

Edit:  Here's the lines from the proxy log.

 

2020:05:30-12:11:31 utm httpproxy[6727]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="CONNECT" srcip="10.10.5.100" dstip="64.91.255.98" user="" group="" ad_domain="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="3883" request="0xd32d5800" url="https://www.dslreports.com/" referer="" error="Failed to verify server certificate" authtime="0" dnstime="2" aptptime="66" cattime="71" avscantime="0" fullreqtime="242853" device="0" auth="0" ua="" exceptions="patience" category="165" reputation="neutral" categoryname="Technical/Business Forums" country="United States"
2020:05:30-12:11:32 utm httpproxy[6727]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="CONNECT" srcip="10.10.5.100" dstip="64.91.255.98" user="" group="" ad_domain="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="3883" request="0xd4979c00" url="https://www.dslreports.com/" referer="" error="Failed to verify server certificate" authtime="0" dnstime="3" aptptime="67" cattime="68" avscantime="0" fullreqtime="243232" device="0" auth="0" ua="" exceptions="patience" category="165" reputation="neutral" categoryname="Technical/Business Forums" country="United States"

 

 

Edit2:

https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020

Looks like this is not a utm issue but rather poorly implemented certs?

 

Edit3:  Maybe this is a utm issue as it's not following the cert chain properly?



This thread was automatically locked due to age.
  • If i understand you correctly restarting http proxy didnt helped but restart whole UTM helped?

  • Simpler solution that worked for me.  Disable the cert in web protection, filtering options, HTTP CAs.  It was the 5th one down for me.  After disabling, restart the proxy either through command line (see above), or by disabling/enabling the web filtering on the main web filtering page. Change doesn't take effect unless proxy is restarted.

     

  • I owe you a beer [B], thanks

  • I don't know why it didn't occur to me to restart the proxy initially, after making the cert change.   Maybe I thought toggling the cert off would do a restart automatically¿?

    Glad it worked and I too can remove a bunch of exceptions from the list.  Maybe Sophos will issue an update soon that removes that cert entirely.

  • Hi!

    This workaround and/or the command lines do not work in my HA cluster environment.

    After restarting both nodes the certificate is still listed or listed again.

    Disabling the certificate and restarting the proxy has no effect, still getting "Untrusted Website".

    Any ideas???

  • Unfortunately I don't.  I'm not running an HA config, just a single utm in a home environment.  Also, when testing, make sure you're doing a hard refresh (ctrl-f5), otherwise it could be using cached data.

     

    Maybe try taking the slave off line and attempt the changes above.  It's been working properly for me since I disabled that cert.

     

    We really do need a proper solution from Sophos.

  • Hallo Don,

    Of course, for a paid license, the preference should be to get a case open with Sophos Support.

    What happens if you do the command line approach on both Slave and Master before you restart the proxy?

    To connect to the Slave,

    ha_utils ssh

    You will need to know both the loginuser and root passwords to login to the Slave.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Today Sophos has posted solution. Its same as mentioned in thread. I have also two sg330 in active/passive and disabling that cert and toggling web proxy switch was enough