
p12 import with chain intermediates causes error and failure of WAF-based inbound Business Policy

Digging through my issues with an inbound Business Application Policy of type HTTP, I ran across the following.

My issue with WAF, resulting in the SSL session being torn down from the client's perspective, showed the following in the log file reverseproxy.log any time a connection was made:

AH00526: Syntax error on line 14 of /cfs/waf/reverseproxy.conf:
SSLCACertificateFile: file '/conf/certificate/cacerts/STS-SIMD-TODAY-EXP2016_CA_56416D12.pem' does not exist or is empty

The cert I imported was a p12 file that included the client cert as well as the intermediate certs. (StartCom authority)

The resulting imported directory in /conf/certificate/cacerts/STS-SIMD-TODAY-EXP2016_CA_56416D12.pem/ included two files, not one:

-rwxr-xr-x 1 2090 Nov 14 12:56 STS-EXP2016_CA_564783AE.pem1.pem
-rwxr-xr-x 1 2760 Nov 14 12:56 STS-EXP2016_CA_564783AE.pem2.pem

The config file it mentions, /cfs/waf/reverseproxy.conf, shows the cert specified as being /conf/certificate/cacerts/STS-SIMD-TODAY-EXP2016_CA_56416D12.pem.

This got me thinking that the import process for a cert does not handle the resulting state properly when the import included the intermediates.

So I converted my p12 to a PEM with no keys or any certs other than the client cert, as well as a KEY with no certs at all.

I then imported these to the XG and then manually imported the cert chain (root and intermediate).

After applying this new cert to the Business Application Rule, the connections inbound were allowed to complete successfully and no errors were reported.

For anyone who needs the openssl commands to do the same process here they are:

  • Create the cert PEM with no intermediates or private key:
    • openssl pkcs12 -nokeys -clcerts -in "certfile.p12" -out "outputfile.pem"
  • Create the private key file with no certs:
    • openssl pkcs12 -nocerts -in "certfile.p12" -out "outputfile.key"

As for the intermediates, I had them available already, but you can use this command to export them and then break the output apart.

  • openssl pkcs12 -nokeys -cacerts -in "certfile.p12" -out "outchain.cer"

Hopefully this will help anyone else stuck with WAF not working properly. As an FYI, this same cert p12 did import and work properly in UTM9 as part of the web server protection section.
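The three openssl commands in the post split the bundle by hand. The script below is an added example, not code from the original post or from Sophos: it wraps the same split in shell functions, breaks the exported chain into one file per CA certificate (the "break it apart" step), sorts those into self-signed roots and intermediates, and checks that the key matches the leaf and that the leaf verifies against the split chain alone before anything is imported into the firewall. It assumes openssl 1.1.1 or newer on PATH; every file name, the throwaway test chain and its password "changeit" are constructed for this example.

```shell
#!/bin/sh
# Added example (not code from the original post). Splits a PKCS#12 bundle into
# the pieces the post imports separately: the leaf cert, its private key, and
# each CA cert in its own file. Then checks the pieces before import. Assumes
# openssl 1.1.1 or newer on PATH; all file names and the "changeit" password of
# the constructed test chain are assumptions made for this example.
set -eu

# split_p12 BUNDLE.p12 PASSWORD OUTDIR
# Writes leaf.pem, leaf.key, chain.pem and one ca-N.pem per CA cert into OUTDIR.
split_p12() {
    p12=$1; pass=$2; out=$3
    mkdir -p "$out"
    # Leaf certificate only: no private key, no CA certs (the post's first command).
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys -clcerts -out "$out/leaf.pem"
    # Private key only (the post's second command). -nodes writes it unencrypted,
    # so the importer is not prompted for a passphrase; omit it to keep the key wrapped.
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes -out "$out/leaf.key"
    # All CA certs (intermediates and root) in one PEM (the post's third command).
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys -cacerts -out "$out/chain.pem"
    # "Break it apart": one file per CERTIFICATE block; the Bag Attributes and
    # subject/issuer lines openssl pkcs12 writes between the blocks are dropped.
    awk -v dir="$out" '
        /^-----BEGIN CERTIFICATE-----/ { n++; f = dir "/ca-" n ".pem" }
        f != ""                        { print > f }
        /^-----END CERTIFICATE-----/   { close(f); f = "" }' "$out/chain.pem"
}

# count_certs FILE: number of PEM certificate blocks in FILE (0 if none).
count_certs() { grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true; }

# is_self_signed CERT.pem: true for a root (subject hash equals issuer hash).
is_self_signed() {
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# key_matches_cert KEY.pem CERT.pem: true if both carry the same public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    [ "$k" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# verify_split OUTDIR: sort ca-N.pem into roots.pem / intermediates.pem, then
# confirm key and leaf match and that the leaf chains to one of the split roots
# using only the split intermediates (not the OS trust store), which is the
# state the reverse proxy needs at run time.
verify_split() {
    out=$1; roots="$out/roots.pem"; inters="$out/intermediates.pem"
    : > "$roots"; : > "$inters"
    for c in "$out"/ca-*.pem; do
        [ -e "$c" ] || continue
        if is_self_signed "$c"; then cat "$c" >> "$roots"; else cat "$c" >> "$inters"; fi
    done
    [ "$(count_certs "$roots")" -ge 1 ] || { echo "no self-signed root in chain" >&2; return 1; }
    key_matches_cert "$out/leaf.key" "$out/leaf.pem" || { echo "key/cert mismatch" >&2; return 1; }
    if [ "$(count_certs "$inters")" -gt 0 ]; then
        openssl verify -no-CAfile -no-CApath -CAfile "$roots" -untrusted "$inters" "$out/leaf.pem"
    else
        openssl verify -no-CAfile -no-CApath -CAfile "$roots" "$out/leaf.pem"
    fi
}

# make_test_bundle DIR: build a constructed root -> intermediate -> leaf chain and
# pack it as DIR/bundle.p12 (password "changeit"), standing in for a CA-issued p12.
# Prints the bundle path.
make_test_bundle() {
    d=$1; mkdir -p "$d"; cnf="$d/openssl.cnf"
    cat > "$cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:www.example.test
EOF
    openssl req -config "$cnf" -x509 -newkey rsa:2048 -nodes -days 30 -subj '/CN=Test Root' \
        -extensions v3_ca -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -config "$cnf" -newkey rsa:2048 -nodes -subj '/CN=Test Intermediate' \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
        -days 30 -extfile "$cnf" -extensions v3_ca -out "$d/int.pem" 2>/dev/null
    openssl req -config "$cnf" -newkey rsa:2048 -nodes -subj '/CN=www.example.test' \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
        -days 30 -extfile "$cnf" -extensions v3_leaf -out "$d/leaf.pem" 2>/dev/null
    cat "$d/int.pem" "$d/root.pem" > "$d/cas.pem"
    openssl pkcs12 -export -inkey "$d/leaf.key" -in "$d/leaf.pem" -certfile "$d/cas.pem" \
        -passout pass:changeit -out "$d/bundle.p12"
    echo "$d/bundle.p12"
}

if [ $# -eq 3 ]; then
    split_p12 "$1" "$2" "$3"
    verify_split "$3"
else
    # No arguments: exercise the functions on the constructed chain.
    work=$(mktemp -d)
    split_p12 "$(make_test_bundle "$work/pki")" changeit "$work/split"
    verify_split "$work/split"
    echo "self-test passed: $(count_certs "$work/split/chain.pem") CA certs split under $work/split"
fi
```

Run it as `sh split_p12.sh bundle.p12 'password' outdir` on a real bundle, or with no arguments to exercise it on the constructed chain. Two caveats from practice: the verify step deliberately passes `-no-CAfile -no-CApath` so a chain that only validates because the root happens to sit in the OS trust store is caught before import, and on OpenSSL 3 a p12 produced by an older CA toolchain may be encrypted with RC2-40, which the default provider refuses; add `-legacy` to the three `openssl pkcs12` read commands in that case.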
