SSL certificate is not selectable for admin console and end-user interaction

Hi all,

I do have a problem installing/using a signed ssl cert for securing http access to the admin panel and user interface.

What I did:

  • I created a csr in Sophos XG (18.0.5)
  • I used the csr to order an officially signed ssl cert
  • after verification via dns I got the certs
  • I uploaded the intermediate and root cert
  • I then uploaded the host's cert
    • via .pem
    • no passphrase
    • no key file

The cert-file is shown with a green hook.

I double-checked the cert's signing path (-> intermediate and root cert); they do exist and are valid. So there is a valid key chain.

However, the host's cert is not selectable to be used for ssl encryption for the admin interface. The dropdown just won't show the certificate. (Same with VPN settings.)

Is there any way to check what is wrong and why the cert is not showing up?

Thanks a lot in advance.

Regards

 Chris



  • This is the log output, when I upload the cert:

    SFVH_SO01_SFOS 18.0.5 MR-5-Build586# tail -f /log/*.log | grep -i certificate
    Jul 02 17:22:55 upload_certificate called
    Jul 02 17:22:55 getting certificate cert_FastSSL_2021_3y id and value
    2021-07-02 17:22:56 26[CFG] rereading ca certificates from '/_conf/ipsec/ipsec.d/cacerts'
    [Fri Jul 02 17:20:59.072223 2021] [ssl:warn] [pid 9734:tid 4150517824] AH01909: manage.cyberoam:65004:0 server certificate does NOT include an ID which matches the server name
    [Fri Jul 02 17:20:59.144865 2021] [ssl:warn] [pid 9734:tid 4150517824] AH01909: manage.cyberoam:65003:0 server certificate does NOT include an ID which matches the server name
    [Fri Jul 02 17:22:57.072711 2021] [ssl:warn] [pid 9734:tid 4150517824] AH01909: manage.cyberoam:65004:0 server certificate does NOT include an ID which matches the server name
    [Fri Jul 02 17:22:57.144829 2021] [ssl:warn] [pid 9734:tid 4150517824] AH01909: manage.cyberoam:65003:0 server certificate does NOT include an ID which matches the server name
    2018-10-27 18:18:25 INFO Prune.pm[15014]:28 SFOS::HBtrust::Prune::prune - /conf/sysfiles/heartbeatd/certificate_store.db has been removed
    2018-10-27 18:18:25 ERROR CertificateHandler.cpp[6318]:81 updateFingerprints - Can't open database: unable to open database file
    WARNING: Skipping expired Certificate Sigen_CA.pem
    WARNING: Skipping duplicate certificate AAACertificateServices.pem
    WARNING: Skipping expired Certificate Thawte_Timestamping_CA.pem
    WARNING: Skipping expired Certificate Sigov_CA.pem
    WARNING: Skipping expired Certificate Netrust_CA1.pem
    WARNING: Skipping expired Certificate Microsoft_Root_Certificate_Authority.pem
    WARNING: Skipping expired Certificate Sonera_Class_2_Root_CA.pem
    WARNING: Skipping expired Certificate Comodo Add Trust External CA Root.pem
    WARNING: Skipping expired Certificate QuoVadis_Root_CA.pem
              'client_key_file' => '/conf/certificate/private/cbaum%40int.chrolya.de_15FE62071E2.key',
              'client_cert_file' => '/conf/certificate/cbaum%40int.chrolya.de_15FE62071E2.pem',
    2021-07-02 17:22:56 26[CFG] rereading ca certificates from '/_conf/ipsec/ipsec.d/cacerts'
    2021-07-02 16:22:55,360:INFO:CSC - Keys in json: ["hextimestamp", "___serverport", "certformat", "certfile", "___component", "type", "transactionid", "certop", "uploadcertname", "currentlyloggedinuserid", "___serverprotocol", "certificatename", "isdefault", "___username", "___meta", "___serverip", "currentlyloggedinuserip"]
    ********** Entity json validation log End FOR :2-7-2021  17:22:55 Objectname=system::certificate
    ==> /log/vpncertificate.log <==
    CA id for ApplianceCertificate.pem is :1
    caid for certificate Test is :27
    caid for certificate cerberus_FastSSL_2021_3y is :27
    caid for certificate cerberus_FastSSL_2021_3y is :27
    caid for certificate cerberus_FastSSL_2021_3y is :27
    caid for certificate cert_FastSSL_2021_3y is :27
    caid for certificate cert_FastSSL_2021_3y is :27
    
