
SEC_ERROR_EXPIRED_CERTIFICATE for web proxied sites

Hello, I am a home user of the Sophos XG firewall - SFVH (SFOS 19.0.0 GA-Build317) - and use it to proxy specific sites... one of those things I proxy is google and youtube. Recently, it seems that the certificates that my appliance creates have expired and are not being renewed. For example, if I attempt to navigate to youtube.com, I receive the following error in Firefox:

Looking at the cert it's trying to use, it actually is expired:

My Sophos SSL CA certificate is valid until 2036 and I thought that this other certificate would automatically be generated/renewed, since it's managed by the Sophos XG appliance (I thought).

If I disable SSL inspection, youtube loads just fine with a Google issued certificate. It's only when I turn back on the web proxy for this that the error is shown.


How can I resolve this? I've ensured the time is correct, restarted the system and services, but it keeps trying to use the expired certificate. I don't see this certificate in the appliance, either, under "certificates".

Thank you!



Edited TAGs
[edited by: Erick Jan at 6:10 AM (GMT -8) on 15 Nov 2022]
  •  Hello,

    Thank you for reaching out to the community. Are you facing this with all sites or only a few selected sites?
    From the advanced shell, can you share the output of the following command:
    > ls -larth /var/certcache/ | grep youtube.com

    Thanks & Regards,

    Vivek Jagad | Team Lead, Global Support & Services 


    If a post solves your question please use the 'Verify Answer' button.

  • Hi!

    It does not appear to be affecting all sites I proxy (I don't proxy everything - just things from certain categories). For example, craigslist is proxied and the cert it provides from the firewall is valid until February. From what I can tell, it's affecting just Google-related sites at this time. I'll keep looking to see if I can find any others it affects, though. [edit: looks like it happens to bing.com too, with nearly the identical expiration date (Mon, 11 Jul 2022 14:19:20 GMT).]

    Also, here's the output from the command:

    Thanks!!

  • Hi,

    if you haven't configured the proxy in your firewall rules then you are using the DPI which scans all traffic. Try changing your certificate to the XG default.

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • Hi,

    I am using both DPI and web proxy. DPI for everything except for app enforcement domains... which are set to use the proxy.

    As suggested, I did change the cert being used for the SSL settings from "SecurityAppliance_SSL_CA (RSA)" to "Default (RSA)", and that seems to have given me a new cert for those domains with a 2024 expiration! But, since my browser doesn't trust the cert issuer, I'm getting an "SEC_ERROR_UNKNOWN_ISSUER". I toggled the certificates back to the original one "SecurityAppliance_SSL_CA (RSA)" and that seems to have jiggered whatever was stuck and now things are working again!

    And here too:

  • So, to be clear... toggling this from "SecurityAppliance_SSL_CA" to "Default" and back to "SecurityAppliance_SSL_CA" again seems to have solved the problem. Bing and Youtube are now loading with new, non-expired certificates.
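A small check a home admin can run from a client behind the firewall to confirm the symptom described in this thread, as an added example that is not part of the thread and not Sophos code: it reads the certificate actually served for a host, reports whether the issuer is the firewall's inspection CA (assumed here to contain the name "SecurityAppliance_SSL_CA", as the original poster reported) and whether that re-signed certificate has expired or is about to. The sample date and issuer are constructed from the values quoted in the thread.

```python
import subprocess
import ssl
import time

# Constructed sample values, modeled on the bing.com expiry quoted in the thread and on
# the poster's firewall CA name. Not a captured certificate.
SAMPLE_NOT_AFTER = "Jul 11 14:19:20 2022 GMT"
SAMPLE_ISSUER = "CN = SecurityAppliance_SSL_CA"
FIREWALL_CA_CN = "SecurityAppliance_SSL_CA"   # assumption: name of the inspection CA


def assess_cert(not_after, issuer, now=None, warn_days=14):
    """Classify a served certificate: who re-signed it and whether it is still valid.

    not_after: OpenSSL date text such as 'Jul 11 14:19:20 2022 GMT'.
    issuer:    issuer DN text as printed by `openssl x509 -issuer`.
    Returns a dict whose 'verdict' is EXPIRED, EXPIRING or OK.
    """
    now = time.time() if now is None else now
    expires = ssl.cert_time_to_seconds(not_after)    # stdlib parser for this date format
    days_left = (expires - now) / 86400.0
    intercepted = FIREWALL_CA_CN in issuer           # re-signed by the firewall, not the site CA
    if days_left < 0:
        verdict = "EXPIRED"
    elif days_left < warn_days:
        verdict = "EXPIRING"
    else:
        verdict = "OK"
    return {"intercepted": intercepted, "days_left": days_left, "verdict": verdict}


def fetch_cert_fields(host, port=443, timeout=10):
    """Return (notAfter, issuer) of the cert the client actually receives (needs openssl CLI).

    With SSL inspection on, the issuer will be the firewall CA rather than the site's public CA.
    """
    s_client = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host],
        input=b"", capture_output=True, timeout=timeout)
    x509 = subprocess.run(
        ["openssl", "x509", "-noout", "-enddate", "-issuer"],
        input=s_client.stdout, capture_output=True, text=True, check=True)
    fields = dict(line.split("=", 1) for line in x509.stdout.splitlines() if "=" in line)
    return fields["notAfter"].strip(), fields["issuer"].strip()


if __name__ == "__main__":
    import sys
    for host in sys.argv[1:] or ["youtube.com", "bing.com"]:   # the two hosts named in the thread
        not_after, issuer = fetch_cert_fields(host)
        print(host, assess_cert(not_after, issuer), issuer)
```

Run it before and after toggling the SSL-inspection CA to confirm that the served certificate is still issued by the firewall CA but now carries a fresh expiry.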
