Unable to edit Default CA

Hello,

I have been trying for a few hours now to figure out a way to successfully edit the Default CA properties so I am able to generate self-signed certificates. I have tried this on multiple machines, using multiple browsers, on multiple operating systems. When I use the web front-end via SETTINGS -> VPN -> CERTIFICATE AUTHORITY, I click on DEFAULT and fill in all associated values. Clicking save results in the following error:

Certificate Authority details could not be updated or certificates could not be regenerated

applog.log has the following from /var/tslog

:: CRITICAL WARNING :: Transaction will not be rollback for the opcode generate_certificate_authority, If any operation fails, is request a part of multiple request :
Jan 30 18:07:04 cacertbean has country
Jan 30 18:07:04 in undef 

What can I do to successfully edit the Default CA?



This thread was automatically locked due to age.
  • Hi JoshuaLevine, 

    Was the firmware upgraded from V15 to V16?

    If that is the case, I would recommend you to regenerate the certificate or change the existing certificate contents under Certificates > Authorities.

  • Thank you! I already tried that, even regenerated the SSL CA, but I still can't update the Default CA. I've opened a ticket on it as well.

  • I have seen this issue several times from other users. You can enforce the CA re-generation by going to Certificates > CA > Default CA > Pencil Icon > change one field (for example State) > Apply. Now that the CA has been re-generated, go to Certificate > Certificates > Appliance Certificate > Gear icon > regenerate.

    Regards

  • I can't edit ANY properties at all, that's the problem :(

  • Uhm...so everything is greyed out?

    Can you share some screenshots/video?

    Thanks

  • Well, it's not greyed out. I can type everything in there (the entire listing is blank when I open it), but when I save it, I get the error below. 

    In addition, I see some events popping up in logs that I thought worth mentioning:

    CSC.log reports:

    PAckage ::::system::selfsignedcertificateauthorityError---------> Logical Function not found

    ^^^This seems to suggest that the path to the function for saving the values may not be part of the default path, or something. Seems odd in specialized firewall firmware though.

     

    Applog.log reports:

    Jul 12 16:11:08 apiInterface:versionsupported: true.
    Jul 12 16:11:08 apiInterface:request mode -> 357.
    Jul 12 16:11:08 apiInterface:Current ver :::'1605.1'
    Jul 12 16:11:08 apiInterface:entityjson::::::::system::selfsignedcertificateauthority=HASH(REDACTED)
    Jul 12 16:11:08 CRITICAL WARNING :: Transaction will not be rolled back for opcode generate_certificate_authority. If any operation fails, request is part of multiple request :
    Jul 12 16:11:08 cacertbean has country
    Jul 12 16:11:08 in undef

    ^^^All I really got from this was that it is supported and recognizes the version properly. I'm just hoping the CRITICAL WARNING helps provide some context for those better educated than I on this product.

     

    I've tried regenerating the certificate, that works. I've also regenerated the CA SecurityAppliance_SSL_CA just in case that was tripping it up. I also can't modify the general VPN settings under Configure>VPN; it throws no error, just fails. That is generally resolved by a minor change (as you suggested) to the default listing, which is how I found that I can't edit any values.

     

    Thank you!
