Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 48 replies
  • Subscribers 1 subscriber
  • Views 155400 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

unable to get local issuer certificate for a lot of sites after update to 9.310

TPok
Hi,

I did the update to 9.310 last weekend and now I am facing a "unable to get local issuer certificate" error for a lot of https sites. This could be relatet to the update or not. I am not sure but those sites were working a few days ago.

Some examples for non working sites:
https://www.ing-diba.de/ - Issuer: /C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 EV SSL CA - G3
https://www.amazon.de/ - Issuer: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
https://www.adobe.com/ - Issuer: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3

Some other sites like eBay are working so maybe thsi is related to the Issuning CA. As far as I can see those are present on the UTM.

Can anybody confirm there is an issue or not.
I will open a support case, too.

Thanks.


This thread was automatically locked due to age.
  • 0
    Hi Bob,

    same Problem with Bank Website "www.ing-diba.de" (Login).

    Best regards

    Argus

  • 0
    Is there a final solution in sight?
  • 0 in reply to PaTmaN93
    Is there a final solution in sight?


    As what I can see still not fixed with 9.312-05.

    Administrating:

    • 2x UTM Software HA-Clusters (Active-Passive), Enthusiast Home Lab
    • 1x UTM525 HA-Cluster (Active-Passive), Full Guard, 6x AP15, 2x AP30, 40x RED10, 1x RED50
    • 1x SG230, Full Guard, 6x AP10, 1x AP15
    • 1x UTM220, Full Guard, 16x AP10
    • 1x UTM220, Full Guard
  • 0
    Does anyone have a workaround for getting the Apple App Store and Spotify to work using "Decrypt and Scan" (both were working and recently died after this mess)?

    If I set the webfilter to "URL Filtering Only", both the App Store and Spotify work as intended.  However, enabling "Decrypt and Scan" kills both of them from accessing their respective "motherships" [:D]

    I have the UTM's CA installed on all the devices and the following 2 Certs installed on the UTM's Local:

    - Thawte Consulting cc Thawte Premium Server CA
    - VeriSign, Inc. Class 3 Public Primary Certification Authority

    Also, for reference:
    "rpm -qa | grep cadata" returns = u2d-cadata-9-63
    "cat /etc/version" returns = 9.310011

    Thanks,

    Ben
  • 0
    I hope a workaround is found but this is going to become a greater problem.  As more and more sites start detecting the MITM of proxies and break..which is what they are supposed to do.  https everywhere IMO is a cure searching for a problem as it is going to cause many ore headaches than it solves.

    Owner:  Emmanuel Technology Consulting

    http://etc-md.com

    Former Sophos SG(Astaro) advocate/researcher/Silver Partner

    PfSense w/Suricata, ntopng, 

    Other addons to follow

  • 0
    Hi Sophos Support!!!!
    So what is the solution?
    Argus
  • 0
    Hi Guys,

    Just wondering if there is a solution yet to this issue ? I'm getting the following even after upgrading to 9.312

  • 0
    The Issuer is VeriSign/Symantec in both cases.  Get the Root CA with the listed CN= from Licensing and Use of Root Certificates | Symantec and load as suggested by the KnowledgeBase article above.

    Cheers - Bob
    PS It seems like this could be a part of a pattern update, so I hope those of you with paid support are getting a case opened with Sophos Support.
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Unfiltered HTML