
TLS Error with SSL VPN, SFOS 18.0.1 MR-1-Build396: certificate is not yet valid

Hello,

we noticed strange TLS Errors after renewing the certificate authority:

We get the message "certificate is not yet valid".

(self-signed standard certificate of the Sophos).

What we had done: recreated the certificate and the certificate authority, and changed some content (e.g. the OU name) in the default certificate.

Re-Downloaded and Re-Installed SSL VPN Client & Config, but this does not help.

...

Mon Aug 10 13:49:17 2020 OpenVPN 2.3.8 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [IPv6] built on Jul  3 2017
Mon Aug 10 13:49:17 2020 library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.09
Enter Management Password:
Mon Aug 10 13:49:17 2020 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Mon Aug 10 13:49:17 2020 Need hold release from management interface, waiting...
Mon Aug 10 13:49:18 2020 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Mon Aug 10 13:49:18 2020 MANAGEMENT: CMD 'state on'
Mon Aug 10 13:49:18 2020 MANAGEMENT: CMD 'log all on'
Mon Aug 10 13:49:18 2020 MANAGEMENT: CMD 'hold off'
Mon Aug 10 13:49:18 2020 MANAGEMENT: CMD 'hold release'
Mon Aug 10 13:49:27 2020 MANAGEMENT: CMD 'username "Auth" "test"'
Mon Aug 10 13:49:27 2020 MANAGEMENT: CMD 'password [...]'
Mon Aug 10 13:49:27 2020 Socket Buffers: R=[65536->65536] S=[65536->65536]
Mon Aug 10 13:49:27 2020 Attempting to establish TCP connection with [AF_INET]80.151.XXX.XXX:8443 [nonblock]
Mon Aug 10 13:49:27 2020 MANAGEMENT: >STATE:1597060167,TCP_CONNECT,,,,,,
Mon Aug 10 13:49:28 2020 TCP connection established with [AF_INET]80.151.XXX.XXX:8443
Mon Aug 10 13:49:28 2020 TCPv4_CLIENT link local: [undef]
Mon Aug 10 13:49:28 2020 TCPv4_CLIENT link remote: [AF_INET]80.151.XXX.xxx.8443
Mon Aug 10 13:49:28 2020 MANAGEMENT: >STATE:1597060168,WAIT,,,,,,
Mon Aug 10 13:49:28 2020 MANAGEMENT: >STATE:1597060168,AUTH,,,,,,
Mon Aug 10 13:49:28 2020 TLS: Initial packet from [AF_INET]80.151.XXX.XXX:8443, sid=b7419ddf 2965c3a0
Mon Aug 10 13:49:28 2020 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Aug 10 13:49:29 2020 VERIFY ERROR: depth=1, error=certificate is not yet valid: C=DE, ST=NA, L=XXXX, O=XXXXX GmbH, OU=OU, CN=Sophos_CA_XXXX, emailAddress=info@XXXXX.info
Mon Aug 10 13:49:29 2020 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Mon Aug 10 13:49:29 2020 TLS Error: TLS object -> incoming plaintext read error
Mon Aug 10 13:49:29 2020 TLS Error: TLS handshake failed
Mon Aug 10 13:49:29 2020 Fatal TLS error (check_tls_errors_co), restarting
Mon Aug 10 13:49:29 2020 SIGUSR1[soft,tls-error] received, process
.....

Why does the individual .exe installer produce such results? Should never happen :-|

Any suggestions?

Regards

Frank Ruenagel
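The log above fails at depth=1, i.e. on the CA certificate from the client's inline <ca> block, with "certificate is not yet valid": the verifying client's clock lies before that certificate's notBefore date. The following added example (not code from the thread or from Sophos) extracts the <ca> block from an OpenVPN client config, reads the validity window from the DER with a stdlib-only ASN.1 walk, and reports which verdict a client with a given clock would reach, which separates clock skew on the client from a freshly recreated CA whose notBefore is later than the client thinks "now" is. All function names are assumptions, and the certificate used for the check is a constructed, unsigned skeleton, not a real CA.

```python
import base64, re
from datetime import datetime, timezone

def _read_tlv(buf):                              # one DER TLV at the start of buf -> (tag, value, rest)
    tag, length, pos = buf[0], buf[1], 2
    if length & 0x80:                            # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[2:2 + n], "big"), 2 + n
    return tag, buf[pos:pos + length], buf[pos + length:]

def _children(buf):                              # (tag, value) members of a constructed DER value
    items = []
    while buf:
        tag, value, buf = _read_tlv(buf)
        items.append((tag, value))
    return items

def _asn1_time(tag, value):                      # 0x17 = UTCTime (2-digit year), 0x18 = GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def validity_window(der):                        # (notBefore, notAfter) of a DER X.509 certificate
    _, cert, _ = _read_tlv(der)                  # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, sig }
    fields = _children(_children(cert)[0][1])
    if fields[0][0] == 0xA0:                     # skip the optional [0] EXPLICIT version
        fields = fields[1:]
    before, after = _children(fields[3][1])      # serial, signature, issuer, validity
    return _asn1_time(*before), _asn1_time(*after)

def ca_from_ovpn(text):                          # DER bytes of the inline <ca> block in a client config
    pem = re.search(r"<ca>(.*?)</ca>", text, re.S).group(1)
    return base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", pem))

def clock_check(der, now):                       # verdict a client whose clock reads `now` would reach
    nb, na = validity_window(der)
    return "not yet valid" if now < nb else "expired" if now > na else "ok"

def utc(*ymdhms): return datetime(*ymdhms, tzinfo=timezone.utc)
# Constructed fixture: an unsigned certificate skeleton with a real validity field, not a real CA.
def _der(tag, payload): return bytes([tag, len(payload)]) + payload   # short-form lengths suffice here
def constructed_ca(not_before, not_after):
    t = lambda d: _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    empty = _der(0x30, b"")
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + empty + empty
               + _der(0x30, t(not_before) + t(not_after)) + empty + empty)
    return _der(0x30, tbs + empty + _der(0x03, b"\x00"))

def wrap_as_ovpn(der):                           # minimal .ovpn fragment carrying the fixture inline
    pem = base64.encodebytes(der).decode()
    return "client\n<ca>\n-----BEGIN CERTIFICATE-----\n" + pem + "-----END CERTIFICATE-----\n</ca>\n"
```

Run `clock_check(ca_from_ovpn(open("client.ovpn").read()), datetime.now(timezone.utc))` against the real config to see the verdict for the machine's current clock; a real CA parses the same way because the DER walk handles long-form lengths.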

  • FormerMember

    Hi  

    Thank you for reaching out to the Community! 

    As per the logs, it appears that you are facing an issue similar to the one described in the following KBA. Please check out the KBA for more info: Sophos XG Firewall: Certificate validation issues for the Sectigo root CA 

    Thanks,

  • Hi,

     

    thank you for replying. We already use the Appliance Certificate. We have updated to MR2, but there is no change.

    What we have done after Update to MR2:

    System time checked.

    Certificate Authority recreated

    Appliance Certificate recreated

    User-Client Certificate deleted in Sophos

    Client Software uninstalled and config-files manually deleted

    Client Software fresh downloaded

    Client Software & Config installed anew.

     

    => No effect, same error message in the log.

     

    Note: After update to MR2 AddTrust_External_Root is still valid to 2020-05-30.

    Note 2: We have other Sophos machines running with SSL VPN and no problems (but older firmware).

     

    Regards

    Frank


  • FormerMember in reply to Frank Rünagel

    Hi  

    Could you please check whether the /tmp partition on your firewall is full or not?

    Run the following command from the Advanced Shell and provide the output: df -h

    Thanks,

  • Good Morning,

     

    here is the output:

    Disk space seems not to be the problem

    We tried to upload "HW-17.5.14_MR-14-1.SF300-714.gpg" via the Web Interface to downgrade, but the upload fails (multiple times, multiple browsers, also after a factory reset).

    Note: "AddTrust External Root still has expiry date 2020-05-30":

    We suggest reimaging via USB/ISO to 17.5.14.

    Regards

    Frank
