Cannot delete certificate - "Couldn't delete certificate. It's in use in an IPsec, L2TP, or SSL VPN connection."

I am on 19.0.MR1

I have an uploaded certificate which is no longer needed. It was used in WAF rules, those were deleted a couple of weeks ago.

However, I cannot delete the certificate; I get the red box at the top with "Couldn't delete certificate. It's in use in an IPsec, L2TP, or SSL VPN connection."

I checked the SSLVPN settings; there is a different certificate activated. Nevertheless, I changed it to something else and back, but still couldn't delete the unused cert.

Next I checked IPsec, but I have only PSK connections.

L2TP was never used and is disabled.

Then I tried to export the whole config and went through the "Entities.xml" file - and found no traces of that certificate name, just the certificate itself.

What else can I check?




  • Thx, but as I have written above this was already tried.

    I guess it's something wrong in the database.

  • Could you check the csc.log and applog.log and try to delete the file? Maybe it's logged there.


  • csc.log shows the error during deletion:

    MESSAGE   Oct 30 17:23:50Z  [worker:20561]: {"request":{"method":"opcode","name":"delete_certificate","version":"1.6","type":"json","length":404,"data":{ "___serverport": 4444, "___username": "admin", "currentlyloggedinuserip": "10.0.0.2", "certids": [ "collabora" ], "Entity": "certificate", "___component": "GUI", "___serverip": "10.0.0.254", "___serverprotocol": "HTTP", "mode": 310, "___cmenabled": 0, "APIVersion": "1900.1", "transactionid": "2839", "___cmrequest": 0, "___meta": { "sessionType": 1 }, "currentlyloggedinuserid": 3, "Event": "DELETE" }}}
    ERROR     Oct 30 17:23:50Z  [delete_certificate:20561]: get_query_status: DB has returned error code: 23503
    ERROR     Oct 30 17:23:50Z  [delete_certificate:20561]: get_query_status:Query Error: ERROR:  update or delete on table "tblvpncertificate" violates foreign key constraint "tblvpncertificatesubaltname_certid_fkey" on table "tblvpncertificatesubaltname"
    DETAIL:  Key (certid)=(12) is still referenced from table "tblvpncertificatesubaltname".
    CRITICAL  Oct 30 17:23:50Z  [delete_certificate:20561]: csc_prep_query: execute_prepare_query failed for Execute Query.
    ERROR     Oct 30 17:23:50Z  [delete_certificate:20561]: do_prep_query: Failed PREPSTMT: 'delete from tblvpncertificate where certid=?'
    ERROR     Oct 30 17:23:50Z  [delete_certificate:20561]: get_query_status: DB has returned error code: 25P02
    ERROR     Oct 30 17:23:50Z  [delete_certificate:20561]: get_query_status:Query Error: ERROR:  current transaction is aborted, commands ignored until end of transaction block
    ERROR     Oct 30 17:23:50Z  [delete_certificate:20561]: csc_prep_query: execute_prepare_query failed for SELECT txid_current().

     PAckage ::::cscvalidation/system/CertCertificate.pl

    OK, I got around it by deleting the references to certid=12 in the tblvpn* tables, as indicated by the error messages.
    After the last delete from tblvpnsscertdetail I could delete the certificate from the GUI.
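
As an added example (not part of the thread and not Sophos code), this Python sketch triages a csc.log excerpt like the one posted above: it extracts the failing opcode, the PostgreSQL SQLSTATE codes, and the child table that still references the certificate row. The function names and regular expressions are assumptions fitted to the log lines quoted in the post.

```python
import re

# Sample input: error lines copied from the csc.log excerpt in the post (request line omitted).
SAMPLE_LOG = """\
ERROR     Oct 30 17:23:50Z  [delete_certificate:20561]: get_query_status: DB has returned error code: 23503
ERROR     Oct 30 17:23:50Z  [delete_certificate:20561]: get_query_status:Query Error: ERROR:  update or delete on table "tblvpncertificate" violates foreign key constraint "tblvpncertificatesubaltname_certid_fkey" on table "tblvpncertificatesubaltname"
DETAIL:  Key (certid)=(12) is still referenced from table "tblvpncertificatesubaltname".
ERROR     Oct 30 17:23:50Z  [delete_certificate:20561]: do_prep_query: Failed PREPSTMT: 'delete from tblvpncertificate where certid=?'
ERROR     Oct 30 17:23:50Z  [delete_certificate:20561]: get_query_status: DB has returned error code: 25P02
"""

# Standard PostgreSQL SQLSTATE codes that appear in the excerpt.
SQLSTATE = {"23503": "foreign_key_violation", "25P02": "in_failed_sql_transaction"}

CODE_RE = re.compile(r"\[(?P<op>\w+):\d+\]: get_query_status: DB has returned error code: (?P<code>\w{5})")
FK_RE = re.compile(r'on table "(?P<parent>\w+)" violates foreign key constraint "(?P<constraint>\w+)" on table "(?P<child>\w+)"')
KEY_RE = re.compile(r"Key \((?P<col>\w+)\)=\((?P<val>[^)]*)\) is still referenced")
STMT_RE = re.compile(r"Failed PREPSTMT: '(?P<stmt>[^']*)'")

def triage(log_text):
    """Collect the opcode, SQLSTATE codes, FK blockers and failed statement from a csc.log excerpt."""
    result = {"opcode": None, "codes": [], "blockers": [], "failed_statement": None}
    for line in log_text.splitlines():
        if m := CODE_RE.search(line):
            result["opcode"] = result["opcode"] or m["op"]
            result["codes"].append((m["code"], SQLSTATE.get(m["code"], "unknown")))
        if m := FK_RE.search(line):
            result["blockers"].append({"parent": m["parent"], "child": m["child"], "constraint": m["constraint"]})
        if (m := KEY_RE.search(line)) and result["blockers"]:
            # The DETAIL line belongs to the most recent FK violation.
            result["blockers"][-1].update(column=m["col"], value=m["val"])
        if m := STMT_RE.search(line):
            result["failed_statement"] = m["stmt"]
    return result

def root_cause(result):
    """Return the first error that is not 25P02; 25P02 only echoes an already aborted transaction."""
    return next((c for c in result["codes"] if c[0] != "25P02"), None)

if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print(r["opcode"], "failed:", root_cause(r))
    for b in r["blockers"]:
        print(f'  {b["child"]}.{b.get("column")} = {b.get("value")} still references {b["parent"]} ({b["constraint"]})')
```

PostgreSQL reports only the first foreign key constraint that fails, so each delete attempt names at most one referencing table; the 25P02 entry merely records that the transaction had already been aborted by the 23503 error.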

  • Could be related to the recent issue with the CAs. There were some users with upgrade issues because of the CAs. Is this V19.0 MR1?


  • Yes 19.0 MR1. There were no issues with the CAs in my case.