
How to fix error: "Following domain(s) will not be covered by selected HTTPS certificate."

I am trying to get my ActiveSync setup to work across my Sophos XG 18.5.3 MR-3 install.

I follow the recipe found at https://support.sophos.com/support/s/article/KB-000040209?language=en_US

When I try to save the firewall rule mentioned towards the bottom of the article I get an error:

"Following domain(s) will not be covered by selected HTTPS certificate 'My Mail Cert':

1. mail.mcginnie.plus.com"

This would seem to defeat the entire point of the access rule. So I tried creating another certificate using a CSR with some extra SANs, but get the same sort of result - the error denies that the addresses I want encrypted will work properly.

I can see there is one reference to this sort of error here (https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/129866/automated-certificate-renewals-with-waf-and-cloudflare) where this error is suggested to be ignored.

My setup isn't working - is that because of this error, or is the recipe incomplete?

Regards,

    Paul McGinnie



This thread was automatically locked due to age.
  • Hi Paul,

    Thank you for your query. Are you using a wildcard cert here, or do you have a cert for mail.mcginnie.plus.com for https://mail.mcginnie.plus.com?
    I think you would need a certificate with a SAN of mail.mcginnie.plus.com for https://mail.mcginnie.plus.com

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Global Support & Services 



  • The CN=mail.mcginnie.plus.com and Subject Alternative name list has both autodiscover.mcginnie.plus.com and mail.mcginnie.plus.com present (and others). I do not use wildcards - just a list of explicit SANs.

    Having loaded this cert in response to a CSR, and selected it in the relevant dropdown in the firewall rule specification, the "Domains" field prepopulated with "mail.mcginnie.plus.com".

    A strange observation is that if I select the Certificate I use for the internal web interface (for which I have a long list of SANs as possible aliases) then I get a long list of "Domains".

    Regards,

         Paul McGinnie

  • This rule now works as it should but still gives the error - the prior failure was due to my error in using a FQDN.
    So the recipe works, but tells you that it won't - so just a front end problem, it appears!

    This, combined with the prepopulation of the domains field with multiple SANs in some circumstances but not others, means that there are features here that are not being explained or documented correctly.

    Regards,

    Paul
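
An independent cross-check for the warning discussed in this thread, as an added example that is not part of any post and is not Sophos code: it compares a rule's domains against a certificate's name list using RFC 6125-style matching, including the wildcard case raised in the reply. The function names are hypothetical, the SAN list is assumed to have been read from the certificate already, and `webmail.example.test` is a constructed entry.

```python
# Added example: function names and sample data are assumptions,
# not the firewall's own logic.

def _labels(name):
    """Lower-case a DNS name, drop any trailing dot, split into labels."""
    return name.strip().lower().rstrip(".").split(".")

def name_matches(pattern, host):
    """RFC 6125-style match: '*' is honoured only as the whole leftmost
    label and stands for exactly one label."""
    p, h = _labels(pattern), _labels(host)
    if len(p) != len(h) or "" in p or "" in h:
        return False
    if p[0] == "*":
        # Need at least two fixed labels after the wildcard (rejects '*.com').
        return len(p) >= 3 and p[1:] == h[1:]
    # Partial wildcards such as 'f*.example.test' are not accepted.
    return "*" not in pattern and p == h

def uncovered_domains(cert_names, rule_domains):
    """Return the rule domains that no certificate name covers."""
    return [d for d in rule_domains
            if not any(name_matches(n, d) for n in cert_names)]

if __name__ == "__main__":
    # The two SANs named in the thread (explicit names, no wildcards).
    sans = ["mail.mcginnie.plus.com", "autodiscover.mcginnie.plus.com"]
    # Rule domains; the last one is constructed to show a real gap.
    rule = ["mail.mcginnie.plus.com",
            "Autodiscover.mcginnie.plus.com.",
            "webmail.example.test"]
    print("Not covered:", uncovered_domains(sans, rule))
```

If a domain the UI flags does not appear in this function's output for the certificate's actual SAN list, the certificate itself covers it and the warning is coming from somewhere other than a name mismatch.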
