
NET::ERR_CERT_AUTHORITY_INVALID

Sophos XG Firewall.

- Firmware version: SFOS 17.1.4 MR-4

- direct proxy in gateway mode

- Decrypt and Scan HTTPS option is disabled

- system application_classification microapp-discovery off

   - and clear the browser's cache.

- restart Tomcat service from XG advanced shell:

   - service tomcat:restart -dsnosync

As far as I can find, this issue was reported around a year ago or so. I've tried all the above suggestions that I've found in the forums. Still I get the cert error when I enable the default web policy.

This issue was not present when I first built the firewall about 4 months ago, but did appear about one month ago.

Any other suggestions that I haven't found yet?

Thanks, Scott.



  • Hello Scott,

    Have a few follow-up questions on this issue. Could you please provide more information on this issue?

    1. Please share a screenshot of the issue. Since you have restarted the Tomcat service, which has no relation to the web filter policy, we would like to determine whether the certificate error was encountered while accessing the GUI or a website.
    2. When you receive the certificate error page, what is the certificate issued to you?
    3. Could you please share with us the firewall rule you have configured for your systems? Please check the log viewer for any drops on IPS/Application filter.
    4. By default "system application_classification microapp-discovery" should be off unless turned on manually.
  • 1. Screenshots from Chrome & Edge:

    Same sort of error message, one from Chrome and one from MS Edge. Both trying to get to https://play.google.com/music/listen

    2. I don't get a certificate because the connection fails because of the HTTP Strict Security. I tried Edge & Internet Explorer, same message about "Your PC doesn't trust this website's security certificate."

    3. firewall rule:

    IPS/Application Filter logs have nothing.

  • Error message from Chrome: (didn't post earlier)

  • Hi Scott,

    I have checked the configuration as per the policy, and the URL is set to be blocked. The reason is that the HTTPS connection was attempted and was blocked. The block message or captive portal was meant to be shown, but your device does not recognize the certificate. On my machine, I have already imported the certificate and was able to view the message without restriction. This applies to Chrome and Edge, as they share the same certificate library. Firefox can be dealt with by importing the certificate manually.

    On the browser where you get the certificate error, if you click on Advanced you should receive the same captive portal/block message page. Please refer to this KBA to import this certificate; otherwise you can upload your own certificate used in the web proxy and use that in your organization. In my case, I have used ADS to push the certificate through GPO.
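The mechanism the reply above describes, as an added example in Go that is not code from the thread or from Sophos: an intercepting proxy holds its own CA and mints a certificate for the requested hostname on the fly, so the block page chains to that CA and to nothing in the client's public trust store. The CA name, the hostname and the keys below are constructed in-process for the example; the verdict strings are mine. The untrusted-CA verdict is the condition Chrome reports as NET::ERR_CERT_AUTHORITY_INVALID, and adding the CA to the trust store is the step that changes it to "ok".

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// proxyPKI is a constructed stand-in for the firewall's SSL CA and the certificate
// it mints for a block page. Names and keys are hypothetical and generated in-process.
type proxyPKI struct {
	CA   *x509.Certificate
	Leaf *x509.Certificate
}

// sign creates a certificate from tmpl signed by parent's key and parses it back.
func sign(tmpl, parent *x509.Certificate, pub, priv interface{}) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// buildProxyPKI does what an intercepting proxy does: it holds a private CA and
// signs a server certificate for the hostname the client asked for.
func buildProxyPKI(host string) (*proxyPKI, error) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Firewall SSL CA (constructed)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	ca, err := sign(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed root
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // SAN must carry the name the browser asked for
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, err := sign(leafTmpl, ca, &leafKey.PublicKey, caKey) // issued by the proxy CA
	if err != nil {
		return nil, err
	}
	return &proxyPKI{CA: ca, Leaf: leaf}, nil
}

// trustStore builds a client trust store from the given roots. An empty store models
// a PC that has not imported the firewall CA; system roots are deliberately not used.
func trustStore(roots ...*x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	return pool
}

// verdict runs the check a browser runs on the presented certificate: build a chain
// to a trusted root and match the hostname. It returns "ok", "untrusted-ca" (the
// NET::ERR_CERT_AUTHORITY_INVALID case) or "other" (for example a hostname mismatch).
func verdict(leaf *x509.Certificate, host string, roots *x509.CertPool) string {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	var unknown x509.UnknownAuthorityError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &unknown):
		return "untrusted-ca"
	default:
		return "other"
	}
}

func main() {
	const host = "play.google.com"
	p, err := buildProxyPKI(host)
	if err != nil {
		panic(err)
	}
	fmt.Println("firewall CA not imported:", verdict(p.Leaf, host, trustStore()))
	fmt.Println("firewall CA imported:    ", verdict(p.Leaf, host, trustStore(p.CA)))
}
```

The same leaf certificate goes from "untrusted-ca" to "ok" with no change on the firewall side; only the client's trust store changes. That is why the browser error looks like a broken site rather than a policy block, and why the CA has to reach every client (GPO, MDM, or a manual import for Firefox, which keeps its own store).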

  • Okay, so if I understand your answer correctly.

    The base URL of https://play.google.com is being blocked because it's categorized as "Download Freeware & Shareware" and that 

    And I'm not seeing the proper Sophos denied message because I have not imported the Sophos SSL cert into my PC?

    Would that be correct?


    So, if I were to remove "Download Freeware & Shareware" from the User Activity Group, then the URL would pass and https://play.google.com would be allowed.

    AND I should also install the Sophos SSL cert onto my PC(s) so that I get the proper error message and not something that leads me in a totally wrong direction. The KBA link to importing the Sophos SSL cert did not come through; could you supply that again, please?

    Thanks,

    Scott.

  • Okay, so I've downloaded and installed the Sophos SSL cert into Chrome and into my Windows certificate repository.

    Now Chrome will actually allow me to get to https://play.google.com/music/listen with no issues (at least not yet)

    MS IE and MS Edge now both give the correct error message due to the policy blocking of "Download Shareware & Freeware".

    So the results are still confusing, because Chrome allows the site and IE & Edge do not...

    But if I were to remove "Download Freeware & Shareware" from the "Risky Downloads" user activity, then all the browsers should allow the site. Would that be correct?

    Thanks for all your assistance.

    Scott.

  • Hi Scott,

    Yes, you are correct. Removing that category should allow the site to be accessed without warning.

    Also, regarding Chrome allowing the site while IE & Edge do not: this is probably related to the QUIC protocol. In your firewall rule, please enable the setting to "Block Google QUIC".

    Regards,
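The QUIC bypass the reply above points at, as an added example in Go that is not code from the thread or from Sophos. Chrome reaches Google services over QUIC on UDP/443, while the web proxy only handles TCP, so the request never passes through the policy that produced the block page in Edge and IE. The packet struct and verdict strings below are mine; the first sample payload is a constructed QUIC v1 Initial header (long-header form, fixed bit, version 1, an 8-byte connection ID) and the other two are a TLS ClientHello record header on TCP/443 and a DNS query. The header check follows RFC 9000 section 17.2 and does not cover the older Google-specific QUIC framing.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// packet is one transport-layer datagram as a capture or firewall log would show it.
// This is a constructed, hypothetical shape for the example, not a Sophos log format.
type packet struct {
	Proto   string // "tcp" or "udp"
	DstPort uint16
	Payload []byte // leading bytes of the transport payload
}

// quicLongHeader reports whether payload begins with a QUIC long header (RFC 9000
// section 17.2) and returns its 32-bit version field. Byte 0 carries the header-form
// bit (0x80, set for long headers) and the fixed bit (0x40, required except in
// Version Negotiation packets, whose version field is 0).
func quicLongHeader(payload []byte) (version uint32, ok bool) {
	if len(payload) < 5 || payload[0]&0x80 == 0 {
		return 0, false
	}
	version = binary.BigEndian.Uint32(payload[1:5])
	if version != 0 && payload[0]&0x40 == 0 {
		return 0, false
	}
	return version, true
}

// classify says what a TCP-only web proxy makes of the packet:
//
//	"proxied"      TCP/443, handled (and possibly blocked) by the web filter
//	"quic-bypass"  UDP/443 carrying a QUIC long header, never seen by the HTTP(S) proxy
//	"other"        anything else
func classify(p packet) string {
	switch {
	case p.Proto == "tcp" && p.DstPort == 443:
		return "proxied"
	case p.Proto == "udp" && p.DstPort == 443:
		if _, ok := quicLongHeader(p.Payload); ok {
			return "quic-bypass"
		}
		return "other"
	default:
		return "other"
	}
}

// samples are constructed packets: a QUIC v1 Initial (0xc3 = long header, fixed bit,
// type Initial; version 0x00000001; DCID length 8), a TLS record header for a
// ClientHello on TCP, and a DNS query on UDP/53.
var samples = []packet{
	{"udp", 443, []byte{0xc3, 0x00, 0x00, 0x00, 0x01, 0x08, 0x83, 0x94, 0xc8, 0xf0, 0x3e, 0x51, 0x57, 0x08, 0x00}},
	{"tcp", 443, []byte{0x16, 0x03, 0x01, 0x00, 0xf8, 0x01, 0x00, 0x00, 0xf4}},
	{"udp", 53, []byte{0x12, 0x34, 0x01, 0x00, 0x00, 0x01}},
}

func main() {
	for _, p := range samples {
		fmt.Printf("%s/%d -> %s\n", p.Proto, p.DstPort, classify(p))
	}
}
```

When checking that the "Block Google QUIC" option is doing its job, a capture of the client's traffic should show the UDP/443 attempts failing and Chrome falling back to TCP/443, at which point it receives the same block page as the other browsers and, with the firewall CA imported, renders it instead of a certificate error.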

  • Great job on the support!

    All issues have been resolved. 10 out of 10!

    Thanks, Scott.