
Sophos XG - SSL certificate warning when accessing login for web interface

Hi there,

Right now I am really happy with my Sophos XG firewall, although I am still trying to work out a problem with my AP15 (thanks for your support, Sachin :-)

There is only one other matter I would like to know how to solve:

I am using Chrome on Windows, and whenever I want to access the web interface / login, the following message appears:

Then I go to ADVANCED and choose "Proceed to XXX.XXX.XXX.XXX" (the IP address of my firewall).

The problem is that whenever I clear my Chrome history and cache I have to do this all over again, and the red line through "https" in the address bar is also not my favorite :-p

I have also already tried installing the Sophos SSL certificate.

Does anyone have an idea how to solve this permanently without using HTTP instead of HTTPS?

Maybe someone knows how to install the certificate so that this message will disappear (for Chrome, might I remind you) :-)



  • Hi Markus,

    That is correct, because it is a self-signed certificate from an untrusted CA (your firewall).

    If you already have a trusted certificate, you can import the CA into XG, generate a CSR, sign it with your CA server and upload it to the firewall; from then on, the cert will be trusted.

    Regards,

  • Hi all,

    The certificate error you have received is due to the appliance certificate; you will get the certificate error with it. Installing this certificate on the client machine won't make a difference. The certificate issue can be resolved if you import your own certificate and use that certificate for appliance access; the appliance should also be accessed via its DNS name instead of its host address.

  • Excuse my lack of familiarity here but could I simply import one of the Microsoft Root Certificates in the picture?

    If not, is there a private certificate to be easily used on a standard Windows 10 installation?

    Thanks

  • This thread is confusing the Certificate Authority, which is typically used for HTTPS man-in-the-middle decryption of proxied traffic, with the appliance's own certificate.

    From what I understand, the poster is asking about the certificate that is used when you access WebAdmin at :4444.

    First, go to Web \ Protection and make sure the HTTPS Scanning Certificate Authority is SecurityAppliance_SSL_CA.  This is the out-of-the-box value and if you changed it, put it back.

    Now go to Certificate, Certificate Authorities.

    The "SecurityAppliance_SSL_CA" is the Certificate Authority which will sign all the HTTPS traffic that the Web Proxy does.  Download and install it on all end-user clients that will proxy through the SFOS to remote websites.

    The "Default" is the Certificate Authority that will sign the certificate for HTTPS port :4444 on the appliance itself.  Download and install it on any client that will access WebAdmin.

    Note: If you uploaded or regenerated any CA, please do this extra step.  Under Certificates \ Certificates, there should be ApplianceCertificate.  If you click the gear you can regenerate the certificate using the current default CA.

    Now when you access WebAdmin, it will be using a certificate generated from the CA that you have installed.

    However, and this is a known issue, the certificate will still not be valid.  This is not because of the Certificate Authority, but because the certificate that SFOS generates will not have a CN (common name) that matches the hostname.  This is in part because the hostname is something that was added as recently as v16 (strange, I don't understand how Cyberoam UTM and the early SFOS could not have a hostname).

    For FF, when they warn you about the invalid certificate, in the pop-up you are given the option to permanently store this exception.
    For IE, go into Options, Security tab and add the site to Trusted sites.
    For Chrome, it uses the IE setting.  The navigation through settings is more complicated, just do it in IE.

    That all being said, you can just skip the CA stuff and add the exception/trust, and I think that will work.

  • Hi Dean,

    We now have an official KB for this:
    https://community.sophos.com/kb/en-us/127287

    -> A self-signed certificate is required which is issued to the IP address of the XG. We need this self-signed certificate because the default appliance certificate is issued to SophosApplianceCertificate_Appliance Key. If we use the appliance certificate instead of creating the self-signed certificate, the browser will throw a certificate error, as the URL requested (the IP address in our case) and the name the certificate is issued to (SophosApplianceCertificate_Appliance Key) are different.

    -> Download and extract the created self-signed certificate and import the Root CA from the bundle into the Trusted Root Authorities store in the system's MMC, using the KB link
    https://community.sophos.com/kb/en-us/123048.

    The reason for importing the Root CA into the trusted root authority store is that when we generate the self-signed certificate, the issuer of the certificate, i.e. the CA, is the Default CA of Sophos and not SecurityAppliance_SSL_CA. Usually there is confusion: we have already imported the Sophos SSL_CA into the trusted root authority store, so why are we getting a certificate error? The reason is that we have imported the Sophos SSL_CA into the trusted root authority store and not the Default CA. The Sophos SSL_CA issues certificates for all HTTPS web traffic for deep packet inspection. However, for the self-signed certificate the issuer CA is the Default CA and not the Sophos SSL_CA.

    -> Also, in Administration > Admin Settings > Port Settings for Admin Console > Certificate, select Self Signed Certificate. The reason behind this is that when a request for https://<ip address>:4444, i.e. the web admin console, hits the XG, the device presents the self-signed certificate and not the Appliance Certificate, to avoid the certificate error.


  • Great. When I try to add a self-signed cert, the XG greys out that option.  The help is no help and I can't find this issue treated elsewhere here.

    Cheers - Bob

  • Hey

    Sorry to hear about this issue, did you follow the steps outlined in this KB?

    Please let me know if you run into any further issues.

    Regards,

  • BAlfson said:

    Great. When I try to add a self-signed cert, the XG greys out that option.  The help is no help and I can't find this issue treated elsewhere here.

    Hi Bob,

    I'm not entirely sure what you mean (screenshots help), but I'll take a stab at the problem.  And you should know better than to thread-hijack.  :) :)

    In order to sign things with that certificate, the XG also needs to have the chain of certificate authorities.

    Often a company already has a private root certificate authority and has used it to create certificates for different internal servers.  You can use it to create a certificate for the XG as well, but you will need to import both the CA and the cert.

    When you want to use your private CA for HTTPS scanning, many companies don't want the XG to sign with their private root CA.  So you use the root CA to create an intermediate CA, add them both to the XG, and use the intermediate CA for HTTPS scanning.

    PFX is supposed to solve this by including the certificate chain.  But there may be a problem with it.

    IIRC, related to this is a column in the UI for certificates called "CA", about whether the UI can see that you have all parts of the cert chain.
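
As an added example (not code from Sophos, from SFOS or from anyone in this thread) that ties together Dean's earlier point about the CA being fine but the CN not matching what you typed in the address bar, and the root/intermediate/PFX chain described in the post just above: a shell script using openssl that builds a hypothetical private root CA, an intermediate CA and a WebAdmin certificate whose SAN carries both the firewall's DNS name and its IP, packs the chain into a .pfx, and reports what a client would conclude in each of the situations the thread runs into. The hostname xg.example.internal, the IP 192.0.2.1, the CA names and the file layout are assumptions; the "proxy" CA only stands in for the HTTPS-scanning CA (SecurityAppliance_SSL_CA) that people import by mistake.

```shell
#!/usr/bin/env bash
# Added example, not Sophos or SFOS code.  Private root CA -> intermediate CA
# -> WebAdmin leaf with a SAN for the firewall's DNS name and IP, plus a check
# of the two things a browser needs: a chain to a trusted root and a name/IP
# match.  Hypothetical values: xg.example.internal, 192.0.2.1, the CA names.
set -eu

WORK="${WORK:-$(mktemp -d)}"
FW_HOST="${FW_HOST:-xg.example.internal}"
FW_IP="${FW_IP:-192.0.2.1}"
PFX_PASS="changeit"   # demo only; pick a real password for a .pfx you upload

# Minimal req config so the script does not depend on the system openssl.cnf.
write_req_config() {
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = placeholder\n' > "$WORK/req.cnf"
  printf '[ca_ext]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\nsubjectKeyIdentifier = hash\n' >> "$WORK/req.cnf"
}

# Self-signed root CA.  $1 = file prefix, $2 = CN.
make_root_ca() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -sha256 -days 3650 -config "$WORK/req.cnf" -extensions ca_ext \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Intermediate CA signed by the root (the layout used when the root itself
# must not be handed to the appliance).
make_intermediate_ca() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -sha256 -config "$WORK/req.cnf" -subj "/CN=Example Issuing CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  printf 'basicConstraints = critical,CA:TRUE,pathlen:0\nkeyUsage = critical,keyCertSign,cRLSign\nsubjectKeyIdentifier = hash\nauthorityKeyIdentifier = keyid:always\n' > "$WORK/int.ext"
  openssl x509 -req -sha256 -days 1825 -in "$WORK/int.csr" -CA "$WORK/root.crt" \
    -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/int.ext" \
    -out "$WORK/int.crt" 2>/dev/null
}

# Leaf signed by the intermediate.  $1 = file prefix, $2 = CN, $3 = SAN value
# or empty for a CN-only certificate (the mismatch the thread describes).
make_leaf() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -sha256 -config "$WORK/req.cnf" -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  printf 'basicConstraints = CA:FALSE\nkeyUsage = critical,digitalSignature\nextendedKeyUsage = serverAuth\n' > "$WORK/$1.ext"
  if [ -n "$3" ]; then printf 'subjectAltName = %s\n' "$3" >> "$WORK/$1.ext"; fi
  openssl x509 -req -sha256 -days 825 -in "$WORK/$1.csr" -CA "$WORK/int.crt" \
    -CAkey "$WORK/int.key" -CAcreateserial -extfile "$WORK/$1.ext" \
    -out "$WORK/$1.crt" 2>/dev/null
}

# Verdict for leaf $1 presented with intermediate $3 to a client that trusts
# only root $2 and asked for name or IP $4: "trusted", "untrusted chain" or
# "name mismatch".  Chrome does not consult the CN, so no SAN means no match.
check_cert() {
  if ! openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1; then
    echo "untrusted chain"; return 0
  fi
  if ! openssl x509 -in "$1" -noout -text | grep -q 'Subject Alternative Name'; then
    echo "name mismatch"; return 0
  fi
  case "$4" in
    *[!0-9.]*) name_opt="-verify_hostname" ;;   # not dotted-decimal: a DNS name
    *)         name_opt="-verify_ip" ;;
  esac
  if openssl verify -CAfile "$2" -untrusted "$3" "$name_opt" "$4" "$1" >/dev/null 2>&1; then
    echo "trusted"
  else
    echo "name mismatch"
  fi
}

# PKCS#12 bundle carrying the full chain, so the appliance has leaf and
# intermediate together rather than the leaf alone.
make_pfx() {
  cat "$WORK/int.crt" "$WORK/root.crt" > "$WORK/chain.crt"
  openssl pkcs12 -export -inkey "$WORK/webadmin.key" -in "$WORK/webadmin.crt" \
    -certfile "$WORK/chain.crt" -passout "pass:$PFX_PASS" -out "$WORK/webadmin.pfx"
}

# Number of certificates inside the .pfx (leaf + intermediate + root = 3).
pfx_cert_count() {
  openssl pkcs12 -in "$WORK/webadmin.pfx" -passin "pass:$PFX_PASS" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

build_all() {
  write_req_config
  make_root_ca root  "Example Private Root CA"    # the CA the client should trust
  make_root_ca proxy "Example HTTPS Scanning CA"  # a different CA, like the proxy's
  make_intermediate_ca
  make_leaf webadmin "$FW_HOST" "DNS:$FW_HOST,IP:$FW_IP"
  make_leaf cnonly   "ApplianceCertificate" ""     # CN only, no SAN
  make_pfx
}

build_all
echo "right root, SAN, by IP:   $(check_cert "$WORK/webadmin.crt" "$WORK/root.crt"  "$WORK/int.crt" "$FW_IP")"
echo "scanning CA trusted only: $(check_cert "$WORK/webadmin.crt" "$WORK/proxy.crt" "$WORK/int.crt" "$FW_IP")"
echo "right root, CN only:      $(check_cert "$WORK/cnonly.crt"   "$WORK/root.crt"  "$WORK/int.crt" "$FW_IP")"
echo "certs in .pfx:            $(pfx_cert_count)"
```

It writes into a temporary directory and needs only openssl. Three things to notice: trusting the scanning CA does nothing for the WebAdmin chain, which is the SecurityAppliance_SSL_CA confusion from the KB post; the CN-only certificate fails even with the right root trusted, which is the mismatch Dean describes; and a certificate for an IP address has to carry an iPAddress SAN, because neither OpenSSL's IP check nor Chrome falls back to the CN. For deployment, the .pfx (leaf plus chain) goes to the appliance and only root.crt goes into the client's Trusted Root store.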

  • A fresh install.  Only the 'ApplianceCertificate' is in place as is 'SecurityAppliance_SSL_CA'.

    Cheers - Bob

  • Never seen that before.  I don't know if many people use that functionality.

    When you do that, it should generate a certificate using the Certificate Authority named "Default".

    Potentially if that CA is messed up somehow (shouldn't be on a fresh install) I could see that you wouldn't be able to generate a self-signed cert.  My fresh install works.

    It's not my team's functionality, so I don't know much about it, sorry.

    Raise a support ticket.