Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 48 replies
  • Subscribers 1 subscriber
  • Views 155372 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

unable to get local issuer certificate for a lot of sites after update to 9.310

TPok
Hi,

I did the update to 9.310 last weekend and now I am facing a "unable to get local issuer certificate" error for a lot of https sites. This could be relatet to the update or not. I am not sure but those sites were working a few days ago.

Some examples for non working sites:
https://www.ing-diba.de/ - Issuer: /C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 EV SSL CA - G3
https://www.amazon.de/ - Issuer: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
https://www.adobe.com/ - Issuer: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3

Some other sites like eBay are working so maybe thsi is related to the Issuning CA. As far as I can see those are present on the UTM.

Can anybody confirm there is an issue or not.
I will open a support case, too.

Thanks.


This thread was automatically locked due to age.
Parents
  • 0
    load up support with tickets...

    Owner:  Emmanuel Technology Consulting

    http://etc-md.com

    Former Sophos SG(Astaro) advocate/researcher/Silver Partner

    PfSense w/Suricata, ntopng, 

    Other addons to follow

  • 0 in reply to William Warren
    The problem seems to be in the new certdata.ph file.  In the old version, the Verisign Class 3 Public Primary Certification Authority is trusted for codeSigning, emailProtection and serverAuth.  Now it is only trusted for emailProtection.  Here is the diff (I removed the indentation to make it readable): 

    @@ -300,27 +322,12 @@

      'serial' => '70BAE41D10D92934B638CA7B03CCBABF',

      'subject' => 'C=US, O=VeriSign\, Inc., OU=Class 3 Public Primary Certification Authority',

      'trust' => [

    -              'codeSigning',

    -              'emailProtection',

    -              'serverAuth'

    +      'emailProtection'

                 ],

      'file' => 'Verisign_Class_3_Public_Primary_Certification_Authority.pem',

      'startdate' => 'Jan 29 00:00:00 1996 GMT',

      'fingerprint' => '74:2C:31:92:E6:07:E4:24:EB:45:49:54:2B:E1:BB:C5:3E:61:74:E2'
  • 0 in reply to Ákos Szalkai
    I inserted the missing serverAuth lines into 
    /var/confd/res/ca/certdata.ph
     (there are a few Verisign certs where it was removed), ran 
    /usr/local/bin/confd-client.plx trigger global_cas
     restarted httpproxy and everything started working again. [:)]

    So I'm going to open a support ticket with this solution included.
Reply
  • 0 in reply to Ákos Szalkai
    I inserted the missing serverAuth lines into 
    /var/confd/res/ca/certdata.ph
     (there are a few Verisign certs where it was removed), ran 
    /usr/local/bin/confd-client.plx trigger global_cas
     restarted httpproxy and everything started working again. [:)]

    So I'm going to open a support ticket with this solution included.
Children
No Data
Unfiltered HTML