
SSL error: unable to get local issuer certificate

I got that error while browsing some websites, although the sites are not blocked by a web filter category.

Please help!!

Product edition: SW-SFOS_17.0.3_MR-3-131

Stop! 
This website is a security risk

Access to this website has been blocked because the website cannot prove its identity.

 


This thread was automatically locked due to age.
  • Hi,

    Check the Web Filter logs in Log Viewer; do you see that Sophos is blocking the website? I suspect that error message is pushed by Sophos XG, it might be a block implemented by the ISP.

    In case the block is through the XG, you will find some information in the Log Viewer log lines; or capture drop-packet-capture for the source IP and show us the results.

    Thanks

  • Hi,

    This is my first post on this forum, and I hope I don't irritate some gurus out there with my basic network knowledge...

    I have been searching the web for an answer to a similar issue as this one, if not the exact same issue, and decided to post my question here. I'd like to add some more info on the XG behavior.

    My basic settings are as follows:

    I installed the appliance's certificate on my PC and created a basic rule to inspect HTTPS. When I browse certain sites (a handful) I get a similar error. The only way I can bypass the blockage is to add the site to exceptions. I have looked at the logs, which I have searched all over, and could not find an answer; perhaps my searching skills are also novice... The log that I was able to pick up is as follows:

     

    messageid="01001" log_type="Firewall" log_component="Invalid Traffic" log_subtype="Denied" status="Deny" con_duration="0" fw_rule_id="12" policy_type="2" user="someone@mydomain.local" user_group="somegroup" web_policy_id="4" ips_policy_id="2" appfilter_policy_id="7" app_name="" app_risk="0" app_technology="" app_category="" in_interface="" out_interface="" src_mac="" src_ip="mypublicIP" src_country="" dst_ip="105.16.115.2" dst_country="" protocol="TCP" src_port="47692" dst_port="443" packets_sent="0" packets_received="0" bytes_sent="0" bytes_received="0" src_trans_ip="" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="" src_zone="" dst_zone_type="" dst_zone="" con_direction="" con_id="" virt_con_id="" hb_status="No Heartbeat" message="Invalid TCP RST." appresolvedby="Signature" app_is_cloud="0"

     

    Thank you for taking the time to read this post.

  • Seems like the website you are trying to reach uses certificate pinning. In this case, you have to maintain an exception for HTTPS.

    https://community.sophos.com/kb/en-us/132997
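
A simplified model of certificate pinning and of why HTTPS inspection trips it, added here as an illustration; it is not part of the thread and not Sophos code. The host name, CA names and key bytes are constructed stand-ins, not real X.509 data.

```python
import base64
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    """Simplified stand-in for an X.509 leaf certificate (constructed, not real DER)."""
    subject: str
    issuer: str
    spki: bytes  # stand-in for the SubjectPublicKeyInfo bytes

def spki_pin(cert):
    """Pin in the common form: base64(SHA-256(public key info))."""
    return base64.b64encode(hashlib.sha256(cert.spki).digest()).decode()

def chain_trusted(leaf, trusted_issuers):
    """What an ordinary client checks: is the issuer in the local trust store?"""
    return leaf.issuer in trusted_issuers

def pinned_client_accepts(leaf, trusted_issuers, host, pins):
    """A pinning client also requires the presented key to match its stored pin."""
    if leaf.subject != host or not chain_trusted(leaf, trusted_issuers):
        return False
    expected = pins.get(host)  # hosts without a pin fall back to chain trust only
    return expected is None or spki_pin(leaf) in expected

# Constructed sample data.
HOST = "app.example.com"
ORIGIN = Cert(HOST, "Public CA", b"origin-server-public-key")
# With HTTPS inspection the firewall presents its own key, signed by its own CA.
RESIGNED = Cert(HOST, "Appliance CA", b"firewall-generated-public-key")
TRUST_STORE = {"Public CA", "Appliance CA"}  # appliance CA installed on the PC
PINS = {HOST: {spki_pin(ORIGIN)}}            # pin shipped with the client software

def demo():
    return {
        "direct": pinned_client_accepts(ORIGIN, TRUST_STORE, HOST, PINS),
        "inspected_chain_trusted": chain_trusted(RESIGNED, TRUST_STORE),
        "inspected": pinned_client_accepts(RESIGNED, TRUST_STORE, HOST, PINS),
    }

if __name__ == "__main__":
    print(demo())
```

In this model the re-signed certificate chains to a trusted CA yet is still rejected by the pinning client, which is why such sites need an HTTPS scanning exception rather than just the appliance certificate on the PC.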

  • Thank you LuCar Toni!

     

    Many thanks for the swift reply. Just a small question, if I may: could I impose and ask you to elaborate on the meaning of "certificate pinning"?

     

    Thanks again for the advice and the useful link, I will definitely read through it.

     

    BR