
S/MIME: Upload of certificate failed

I am trying to upload a new external CA certificate under Email encryption - S/MIME CAs. The pure file upload itself seems to work ("Starting upload, please wait" rushes to 100%), but when I push the second "Upload" button, I get an error message "Information: Import of certificate failed" and the CA does not appear in the list. What's wrong? (This has worked before, i.e. I do have some local CAs added in the past)


  • What do you see in the Configuration daemon log file when this occurs?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Ah, good to know which log to look at in the first place [:)]

    2014:02:11-16:34:56 firewall confd[27523]: W Message::err_set:1057() => id="3100" severity="warn" sys="System" sub="confd" name="NODE_OBJECT_BADREF (Liste der E-Mail-Verschlüsselungs-S/MIME-CAs benötigt E-Mail-Verschlüsselung-Objekte.)"  facility="webadmin" client="webadmin.plx" call="smime_import" goodclass="emailpki" nodelist="emailpki->objects->cas" check="input" badref="REF_EmaSmiB1BC968BD4F49D622AA89A81F2150152A41D829C" fatal="0"
    2014:02:11-16:34:56 firewall confd[27523]: W Message::err_set:1057() => id="3100" severity="warn" sys="System" sub="confd" name="DATATYPE_ARRAY_ELEMENT (1 ungültige Elemente 'REF_EmaSmiB1BC968BD4...' werden aus der Liste entfernt.)"  facility="webadmin" client="webadmin.plx" call="smime_import" remove="REF_EmaSmiB1BC968BD4..." number="1" nodelist="emailpki->objects->cas" check="input"

    Translated: NODE_OBJECT_BADREF (List of email encryption S/MIME CAs requires email encryption objects.)
    and: DATATYPE_ARRAY_ELEMENT (1 invalid element 'REF_EmaSmiB1BC968BD4...' is removed from the list.)

    I am unsure what to make of that though ...

    EDIT: The best matching internet findings are these (unresolved) problems; http://www.astaro.org/gateway-products/network-protection-firewall-nat-qos-ips/43653-error-save-firewall-rule.html http://www.astaro.org/local-language-forums/german-forum/43625-firewall-rule-list-needs-paketfilter-objects.html
    I get the feeling like this actually means "database corrupt" in some way or other ...
  • It could be that the database is corrupted, but, first, try uploading a duplicate of one of the ones you successfully added in the past.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • It could be that the database is corrupted, but, first, try uploading a duplicate of one of the ones you successfully added in the past.

    Cheers - Bob


    As suggested, I tried to upload the same certificate (identity checked by fingerprint) that already appears among "Local S/MIME CAs". In the web interface, the same message (Import failed) appears, but the confd.log shows 
    OBJECT_NAMESPACE (Ein E-Mail-Verschlüsselung S/MIME-Zertifikat-Objekt namens 'E6E71506C0DBA2C5F083437E7986E5ACE4424294' gibt es bereits.)"
     (A mail S/MIME certificate object named 'E6E71506C0DBA2C5F083437E7986E5ACE4424294' already exists.) This looks like expected behaviour to me.
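The confd warnings quoted in the two posts above share one key="value" layout, and the useful part (which list node is affected, which REF_ objects are dangling or being dropped, which object name already exists) is buried inside the name="..." text. The following script is an added example for this thread, not Sophos code and not the poster's: it parses such lines with the standard library and classifies them. The two NODE_OBJECT_BADREF / DATATYPE_ARRAY_ELEMENT lines are taken from the post above; the third OBJECT_NAMESPACE line is constructed here in the same shape around the message text quoted in the last post, since the full line was not posted, so its field set is an assumption.

```python
import re
from dataclasses import dataclass, field

# Constructed sample. Lines 1 and 2 are the confd warnings quoted in the thread;
# line 3 is an OBJECT_NAMESPACE line assembled here (assumed field layout) around
# the message text the poster quoted.
SAMPLE_LOG = """\
2014:02:11-16:34:56 firewall confd[27523]: W Message::err_set:1057() => id="3100" severity="warn" sys="System" sub="confd" name="NODE_OBJECT_BADREF (Liste der E-Mail-Verschlüsselungs-S/MIME-CAs benötigt E-Mail-Verschlüsselung-Objekte.)"  facility="webadmin" client="webadmin.plx" call="smime_import" goodclass="emailpki" nodelist="emailpki->objects->cas" check="input" badref="REF_EmaSmiB1BC968BD4F49D622AA89A81F2150152A41D829C" fatal="0"
2014:02:11-16:34:56 firewall confd[27523]: W Message::err_set:1057() => id="3100" severity="warn" sys="System" sub="confd" name="DATATYPE_ARRAY_ELEMENT (1 ungültige Elemente 'REF_EmaSmiB1BC968BD4...' werden aus der Liste entfernt.)"  facility="webadmin" client="webadmin.plx" call="smime_import" remove="REF_EmaSmiB1BC968BD4..." number="1" nodelist="emailpki->objects->cas" check="input"
2014:02:12-10:00:00 firewall confd[27523]: W Message::err_set:1057() => id="3100" severity="warn" sys="System" sub="confd" name="OBJECT_NAMESPACE (Ein E-Mail-Verschlüsselung S/MIME-Zertifikat-Objekt namens 'E6E71506C0DBA2C5F083437E7986E5ACE4424294' gibt es bereits.)" facility="webadmin" client="webadmin.plx" call="smime_import" nodelist="emailpki->objects->cas" check="input"
"""

# Every attribute in a confd line is key="value"; values never contain a double quote.
KV_RE = re.compile(r'(\w+)="([^"]*)"')
# Object names in OBJECT_NAMESPACE messages are quoted 40-hex strings (as in the thread).
HEX40_RE = re.compile(r"'([0-9A-Fa-f]{40})'")


@dataclass
class ConfdEvent:
    timestamp: str
    code: str                      # first token of name="...", e.g. NODE_OBJECT_BADREF
    fields: dict = field(default_factory=dict)
    refs: list = field(default_factory=list)   # REF_ identifiers from badref= / remove=


def parse_line(line):
    """Turn one confd log line into a ConfdEvent."""
    fields = dict(KV_RE.findall(line))
    code = fields.get("name", "").split(" ", 1)[0]
    refs = []
    for key in ("badref", "remove"):
        if key in fields:
            refs.extend(r for r in fields[key].split(",") if r)
    return ConfdEvent(line.split(" ", 1)[0], code, fields, refs)


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if 'name="' in l]


def diagnose(events):
    """Map each event to (kind, affected node list, identifiers) for a quick read."""
    findings = []
    for ev in events:
        node = ev.fields.get("nodelist", "?")
        if ev.code == "NODE_OBJECT_BADREF":
            # The list points at an object that no longer exists (dangling reference).
            findings.append(("dangling_reference", node, list(ev.refs)))
        elif ev.code == "DATATYPE_ARRAY_ELEMENT":
            # confd drops the invalid element from the list on input validation.
            findings.append(("element_dropped", node, list(ev.refs)))
        elif ev.code == "OBJECT_NAMESPACE":
            # An object with the same name (here a certificate fingerprint) already exists.
            m = HEX40_RE.search(ev.fields.get("name", ""))
            findings.append(("duplicate_object", node, [m.group(1)] if m else []))
        else:
            findings.append(("other", node, list(ev.refs)))
    return findings


def dangling_references(events):
    """Set of REF_ identifiers that confd reported as bad or removed."""
    return {r for ev in events
            if ev.code in ("NODE_OBJECT_BADREF", "DATATYPE_ARRAY_ELEMENT")
            for r in ev.refs}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for kind, node, ids in diagnose(evs):
        print(f"{kind:20} {node:30} {', '.join(ids)}")
    print("dangling:", sorted(dangling_references(evs)))
```

Run it against the real file (`grep smime_import /var/log/confd.log`, path assumed) to see which REF_ entries the CA list still carries; a "dangling_reference" finding on emailpki->objects->cas is the situation the last post resolves by deleting the stale entries, while a "duplicate_object" finding means the certificate is simply already present.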
  • Of course!  I forgot about that.  You're right that the original CA must be deleted first.  If that's not possible, how about trying the one you posted about in another UTM, or maybe one in a VM?

    Cheers - Bob

    Sorry for any short responses.  Posted from my iPhone.
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I suppose I should come back to this thread.

    For today I encountered the same problem, googled it - and landed here!

    What I did now was to remove the previously uploaded CA-certs one by one, and that had the following effect:

    When deleting the first, I was presented a popup that repeated the error message quoted above from the confd.log, which I could accept with "OK" and the entry was deleted as requested. When deleting the other entries, there were also such popups, but with a harmless message ("... really delete?").

    Once I had the list empty, I started adding back what I still had available (and the new ones I wanted to add) and had no problems.

    Now I hope that another old problem of mine (third party user certs were not extracted from incoming mail) has been repaired by the same action. That ought to become visible in a day or two.