This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Error when enabling Web Filtering

In Web Protection -> Web Filtering when I try to enable the Web Filtering status, the switch turns yellow, I add my local network as an allowed network and when I push Apply I get an error message saying "The HTTP/S proxy end-user certificate must not be empty."

I have no idea where to select that certificate and googling for that error message gave me zero results, so I hope someone here has a hint where to look.

I'm running version 9.351-3 in a Virtualbox VM, as this is just a machine for testing and getting to know the UTM9.

I even created a backup with the license, password, certificates/keys, endpoints removed. Then I reset the UTM to factory defaults, walked through the setup wizard and restored the backup.

Since there are no certificates in the backup, they should be created again by the initial setup, right?

Unfortunately this didn't change the behaviour, still getting the same error.


I had that working, but disabled Web Filtering because Blizzard Battle.net updates weren't working through the proxy. Now I wanted to look at that problem again and can't enable the proxy anymore. Otherwise it is working fine. Firewalling, ATP, IPS, SMTP & POP3 Proxies all enabled and working, but the Web-Proxy is giving me a hard time.


Any ideas where to look next, except reinstalling from scratch?

Thanks in advance,

Heiko



This thread was automatically locked due to age.
Parents
  • Hi Heiko,

    Did you mean you are not able to enable Web Filtering through the global option? Can you post the screenshot on the certificate error? 

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • Hello Sachin,


    that's exactly what I meant.

    As soon as I push Apply the error message shown next to the button appears.

    Doesn't matter if I use Standard or Transparent mode, results are the same.


    What baffles me is that I had it working when I first installed this VM.


    I only disabled it, because I had some problems with Battle.net updates not downloading when the proxy was active. I used the UTM without proxy for several weeks just fine. Then I found instructions on how to create an exception for Battle.net traffic and wanted to test that only to find out I couldn't enable the proxy anymore.

    I know this works even with the home license because several of my friends have it running and I have it working on the SG430 I administer at work as well.

    I will be installing another VM with a demo or home license to test this with a fresh installation, but it might be some time before I get around to doing that.

    Any hints to actually fixing the problem will be greatly appreciated, if you need more information like a config dump I can provide that as well.

    Heiko

  • Hi, Heiko, and welcome to the UTM Community!

    On the 'HTTPS CAs' tab in 'Web Protection >> Filtering Options', try regenerating the Signing CA.  Any luck with that?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • My memory is fuzzy but I don't think this is the signing Certificate Authority.


    I would look here:

    WebAdmin Setting, HTTPS Certificate, User Portal Certificate.

  • As I scanned down through the thread and came to my post, I realized my oops!  Seeing your post put a smile on my face - that's the only thing to try.  Still, I wonder if he doesn't have a faulty ISO image.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello Bob,


    been there, done that.


    As I wrote on May 29th, I regenerated the CA, even tried deleting all certificates and the regenerating the CA. Did that again after a complete reinstallation (from the same ISO I installed the first time, which was 9.355) and again after the update to 9.4.

    Nothing helped, the error was always exactly the same :-(

  • Hello Michael,


    the problem is not with the user portal or the web admin interface.

    I can access both just fine.

    It's the web proxy that is causing the problem. But just to make sure, I changed that certificate as well. Didn't help.

  • Hello Bob,


    I don't think the ISO image is faulty because right after the first installation, it worked just fine.

    As I described in my first post, I had the proxy enabled, then disabled it because of some problems with Blizzard Battle.net downloads for which I didn't have a quick solution then.

    After I found that solution I wanted to reenable the proxy to configure the exception for Battle.net and that's when I got stuck with that damn error nobody seems to have heard of so far.

    I will install version 9.404-5 today and try again. If that does not help, I will install a completely new VM from a current ISO and do some more testing, but that will happen only after the Euro 2016 is over. Too many soccer games to watch and too little free time available :-)


    I'll let you guys know how it works out, but thanks in advance anyway for the suggestions.

    Regards,

    Heiko

  • I think the problem is the "Certificate for End User Pages" that is in the Misc tab.  Somehow I think you have the option on but no certificate.

    I don't know the location within cc (backend config) where this is stored and I don't have a system to test on.  Perhaps someone else knows or can trial turning it on and finding the location in cc.

  • You should match:

    cc get  http | grep portal
              'portal_cert' => '',
              'portal_cert_chain' => [],
              'portal_domain' => '',
              'portal_hosts' => [],
              'portal_use_cert' => 0,

    Use command like this to set the values

    cc set http portal_use_cert 0

Reply
  • You should match:

    cc get  http | grep portal
              'portal_cert' => '',
              'portal_cert_chain' => [],
              'portal_domain' => '',
              'portal_hosts' => [],
              'portal_use_cert' => 0,

    Use command like this to set the values

    cc set http portal_use_cert 0

Children
No Data