
Decrypt and Scan HTTPS invalidates HTTPS certificates

I suppose I need to better understand Decrypt and Scan HTTPS Malware Scanning. I noticed that when I browse an HTTPS site, the cert is replaced by the Sophos cert. So, my question is why, and how to troubleshoot. If I turn Decrypt off then all is fine.



  • Hello,

    Thank you for the great explanations on the issue.

    I currently have the Decrypt and scan HTTPS turned off. I go to Google's web site and still get the 'NET::ERR_CERT_AUTHORITY_INVALID' error?

    I am using the VMware virtual configuration on ESXi 5.5. I have configured a Netgear router on the same IP subnet as the XG on 172.16.16.16.

    That way I can quickly flip back and forth to test and get back to normal Internet access.

    I do want to use this feature in time, but right now I am trying to get the XG just up and running normally, and then work on enabling more features and security.

    If I have Decrypt and scan HTTPS turned off, why would I still get the error or issue?

    I have been an Astaro ver. 7 through UTM ver. 9 user, so the XG has a bit of a steep learning curve for me. Learning to ride the bike all over again of sorts.

    I had issues with my UTM, and the old CPU up and died on me so I decided to bite the bullet and start over on XG. Love the features.

    When I switch back to XG I will look into trying to download that cert as suggested in one of the posts.

    Right now I am looking for a simple quick and easy fix so I no longer get the 'NET::ERR_CERT_AUTHORITY_INVALID' error.

    Any specific settings to post in an update post to this, if it helps to figure out what I have set or not set correctly or need to turn off or on or additional rule? My XG is very close to a basic default install with one default firewall rule.

    Sincerely,

    Chad

  • Chad, if you are still getting an invalid certificate, then HTTPS Decrypt and Scan is *NOT* turned off or, by some magic, your browser is still using the same session it did previously and thus getting the error. Double check all the rules, make sure D&S is unchecked, close your browser window, re-open, and try again. Worst case, reboot the Sophos box. Should not be necessary, but hey, stranger things have happened.

    Also - do this - check the certificate that you are getting - Make sure it is still the XG's certificate.... The certificate should say it is issued by Sophos SSL CA_xxxxxxxx or SophosCA_xxxxxxxxx.  Honestly I can't remember which is the default, it has been so long since I used it. (We use a custom CA issued by our enterprise PKI). Only reason I suggest that is to make sure we are indeed dealing with the Sophos HTTPS D&S and not some other software.  Again - stranger things...

  • Hello,

    I did another factory reset and it is off and not getting the issue. When I do decide to enable it, it looks like I will need to add the XG local certificate to all my machines / browsers.

    I am on call from work this week so not really making any changes or enabling any more features or rules to XG right now, but Monday the 26th of Dec. I will start to enable more features and functions. Thank you for the information.

    Chad
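
The issuer check suggested in the reply above, as an added example that is not part of the original thread: it reads the issuer of the certificate a client actually receives and reports whether it was re-signed by the firewall's CA. The function names are hypothetical, the `openssl` command-line tool is assumed to be installed, and the default match on "Sophos" is an assumption based on the default CA names quoted in that reply.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Function names are hypothetical.

# Print the issuer line of the PEM certificate read from stdin.
issuer_of() {
    openssl x509 -noout -issuer 2>/dev/null
}

# Classify an issuer string. $2 is the substring that marks the firewall's
# signing CA; "Sophos" is an assumption taken from the default names quoted
# in the thread. Pass your own CA's name if you use a custom one.
classify_issuer() {
    case "$1" in
        "")               echo "unknown" ;;
        *"${2:-Sophos}"*) echo "intercepted" ;;
        *)                echo "direct" ;;
    esac
}

# Fetch the leaf certificate a host presents to this client (needs network).
fetch_leaf() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 2>/dev/null
}

# Report, for one host, whether the certificate seen here was re-signed.
check_host() {
    local issuer
    issuer=$(fetch_leaf "$1" | issuer_of) || true
    echo "$1: $(classify_issuer "$issuer" "$2") ${issuer:+[$issuer]}"
}

# Constructed sample input for offline use: a throwaway self-signed
# certificate with common name $1, written to $2.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$2.key" -out "$2" 2>/dev/null
}

# Usage: ./check_issuer.sh www.google.com [CA-name-substring]
if [ "$#" -gt 0 ]; then
    check_host "$1" "$2"
fi
```

A result of "intercepted" with Decrypt and Scan believed to be off points at a rule that still has it enabled or a stale browser session; "direct" together with a certificate error points at something other than the XG.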
