XG Firewall CAA "Could not validate certificate! CAA will now close" error on Win 10 client

I went away over the weekend, and on login on Monday I now get the following error and the CAA exits; nothing should have changed from when it was last working on Friday. Error:

"Could not validate certificate! CAA will now close error"

XG Firewall Version: SFOS 19.0.0 GA-Build317

Client: Windows 10 running Client Authentication Agent v2.0.1


What I've tried:

  1. Regenerated the certificates on the firewall, both the Default and the appliance ones.
  2. Uninstalled the client and reinstalled it with a fresh download from the user client portal (both the MSI with manual cert install and the .exe).

Nothing seems to be fixing it. It was working fine before.

Any ideas?



This thread was automatically locked due to age.
  • Hello,

    Thank you for reaching out to the community. Based on the reported issue, as it was working fine previously, it seems XG is sending the CA certificate with a future date, stored under “/conf/certificate/internalcas/ClientAuthentication_CA.der”.

    Resolution:

    1) Roll back to the previous version where the CAA agent is working fine.

    2) Make sure that time is correctly set on the appliance in that firmware version.

    3) Upgrade the firmware.

    Sophos Firewall OS v19 MR1 is Now Available: https://community.sophos.com/sophos-xg-firewall/b/blog/posts/sophos-firewall-v19-mr1-is-now-available

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Global Support & Services


    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.
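The support reply above attributes the failure to a CA certificate whose validity period starts in the future. The check below is an added example for this thread (not Sophos code and not the CAA's own validation logic): it walks just enough of a DER-encoded X.509 certificate, with the standard library only, to read the `notBefore`/`notAfter` window and compares it with the clock, so a future-dated CA reports as `not_yet_valid` rather than a generic "could not validate" message. The sample certificate it builds is a constructed, unsigned skeleton for the demo, not a real Sophos certificate; `build_sample_cert`, `validity_window` and `classify` are names chosen here.

```python
"""Report whether a DER-encoded X.509 certificate is valid at a given time.

Added example; stdlib only. The DER walker reads only the TBSCertificate
fields up to 'validity', which is all this check needs.
"""
from datetime import datetime, timezone

UTC_TIME, GENERALIZED_TIME, SEQUENCE, CONTEXT_0 = 0x17, 0x18, 0x30, 0xA0


def _tlv(data, i):
    """Return (tag, content_start, content_end) for the DER TLV at data[i]."""
    tag, first = data[i], data[i + 1]
    if first < 0x80:                       # short-form length
        return tag, i + 2, i + 2 + first
    n = first & 0x7F                       # long form: next n bytes hold the length
    length = int.from_bytes(data[i + 2:i + 2 + n], "big")
    return tag, i + 2 + n, i + 2 + n + length


def _parse_time(tag, content):
    """Decode UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ)."""
    s = content.decode("ascii")
    if tag == UTC_TIME:
        yy = int(s[:2])
        year, rest = (1900 + yy if yy >= 50 else 2000 + yy), s[2:]  # RFC 5280 pivot
    elif tag == GENERALIZED_TIME:
        year, rest = int(s[:4]), s[4:]
    else:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    mo, d, h, mi, sec = (int(rest[k:k + 2]) for k in range(0, 10, 2))
    return datetime(year, mo, d, h, mi, sec, tzinfo=timezone.utc)


def validity_window(der):
    """Return (not_before, not_after) as aware UTC datetimes from a DER certificate."""
    tag, i, _ = _tlv(der, 0)               # Certificate SEQUENCE
    tag2, i, _ = _tlv(der, i)              # tbsCertificate SEQUENCE
    if (tag, tag2) != (SEQUENCE, SEQUENCE):
        raise ValueError("not a DER X.509 certificate")
    tag, _, end = _tlv(der, i)
    if tag == CONTEXT_0:                   # optional [0] EXPLICIT version
        i = end
    for _ in range(3):                     # skip serialNumber, signature, issuer
        _, _, i = _tlv(der, i)
    tag, i, _ = _tlv(der, i)               # validity SEQUENCE
    if tag != SEQUENCE:
        raise ValueError("validity field not found")
    t1, s1, e1 = _tlv(der, i)
    t2, s2, e2 = _tlv(der, e1)
    return _parse_time(t1, der[s1:e1]), _parse_time(t2, der[s2:e2])


def classify(der, now_iso=None):
    """Return 'not_yet_valid', 'expired' or 'valid'. now_iso is a UTC ISO-8601 string;
    omit it to use the current system clock."""
    now = (datetime.fromisoformat(now_iso).replace(tzinfo=timezone.utc)
           if now_iso else datetime.now(timezone.utc))
    nb, na = validity_window(der)
    return "not_yet_valid" if now < nb else "expired" if now > na else "valid"


# ---- constructed sample certificate (demo only; unsigned skeleton) ----------
def _enc(tag, content):
    """Minimal DER TLV encoder, used only to build the demo certificate."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def build_sample_cert(not_before_iso, not_after_iso):
    """Build an unsigned certificate skeleton with a chosen validity window (constructed data)."""
    def utctime(iso):
        return _enc(UTC_TIME, datetime.fromisoformat(iso).strftime("%y%m%d%H%M%SZ").encode())
    sha256_rsa = _enc(SEQUENCE, _enc(0x06, bytes.fromhex("2a864886f70d01010b")))
    name = _enc(SEQUENCE, _enc(0x31, _enc(SEQUENCE,
                _enc(0x06, bytes.fromhex("550403")) + _enc(0x0C, b"Constructed Test CA"))))
    tbs = _enc(SEQUENCE,
               _enc(CONTEXT_0, _enc(0x02, b"\x02"))                 # version v3
               + _enc(0x02, b"\x01")                                # serialNumber
               + sha256_rsa + name                                  # signature, issuer
               + _enc(SEQUENCE, utctime(not_before_iso) + utctime(not_after_iso))
               + name + _enc(SEQUENCE, b""))                        # subject, empty SPKI placeholder
    return _enc(SEQUENCE, tbs + sha256_rsa + _enc(0x03, b"\x00"))  # dummy signature


if __name__ == "__main__":
    import sys
    # Pass a .der file as the first argument; with no argument, check the constructed sample.
    der = (open(sys.argv[1], "rb").read() if len(sys.argv) > 1
           else build_sample_cert("2030-01-01T00:00:00", "2035-01-01T00:00:00"))
    nb, na = validity_window(der)
    print(f"notBefore={nb.isoformat()} notAfter={na.isoformat()} status={classify(der)}")
```

Run it against an exported copy of the CA file (for example `python check_cert.py ClientAuthentication_CA.der`) on the client and compare the reported `notBefore` with the client's and the firewall's clocks; a `not_yet_valid` result with correct clocks points at the certificate's dates rather than at time synchronisation.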

  • Hello,

    We have the same problem, and the time on the firewall and the client is correct.

    The installation with firmware v19-MR0 has been running since the 1st of July 2022 without the certificate error.

    When I try to access the firewall on port 9922, I get a certificate valid until Tue, 09 Aug 2022 10:10:03 GMT.

    Sophos support cannot find the certificate in the firewall GUI.

    How can I renew this certificate?

    Is the only solution to upgrade to v19-MR1?

    That is not a good solution.

    Thanks & Regards

    Bernd Klusemann

  • Hi Uli Schrupp,

    To regenerate the certificate authority, follow the steps below:

    1. Go to Certificates > Certificate authorities.
    2. To regenerate the default certificate, go to the Manage column and click the icon.
      Note: When you update the default CA, it is automatically regenerated.
      If you are using HTTPS scanning, this will have an impact and give you a certificate error; to resolve it, reinstall the Sophos SSL CA on the end system(s) as per the link below:

    Verify that all the details are filled in for the "Default" certificate authority under System | Certificate | Certificate Authority | Default. Fill in the details and re-download the client for a fresh installation.

    The latest firmware is available for upgrade: https://community.sophos.com/sophos-xg-firewall/b/blog/posts/sophos-firewall-v19-mr1-re_2d00_release-build-365-is-now-available

    Thanks and Regards

    "Sophos Partner: Infrassist Technologies Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

  • We too all of a sudden started having "could not validate certificate" errors with our CAA. I updated to version 19.0.0 GA-Build317 back in April and didn't have any issues until today. I verified the time on our AD server, our client PCs, and the XG firewall, and all was correct. I then regenerated the certificates, uninstalled CAA, re-imported the certificate, and re-installed CAA, all with no luck. I was about to update to the latest firmware when I decided to just reboot the XG firewall. After the reboot of the XG firewall, CAA started working. Maybe all I had to do was reboot our XG firewall? Just wanted to share and hopefully save someone out there a little time.
