
Sophos XG home Web GUI access - SSL/certificate issues under OS X 10.13

Dear All

I recently upgraded my MacBooks to OS X 10.13. Since I do not connect to my XG every day (or even week), I am not absolutely sure if the issues at hand are related to OS X 10.13.

Safari now reports: This connection is not private

The Sophos_CA_<hostname> root certificate is shown as not trustworthy (although set accordingly in the keychain)
The SophosApplianceCertificate_<hostname> is shown as invalid (hostname does not match)
--> I cannot connect via Safari

I can connect with Google Chrome but HTTPS is struck through.

I regenerated the certificates in XG.

What I found during my research is that OS X 10.13 now does not accept SHA-1 fingerprints anymore. When I check the certificates stored in keychain, I can see SHA-256 and SHA-1 fingerprints in the Sophos XG certificate. Does that eventually cause problems or am I on the wrong track?

Thank you, Patric



  • I also have this problem, but the weird thing here is I haven't done any upgrade on my PC. The only thing I've done is download a backup config from a service device and upload it on my actual device. Once the device has finished the reboot I can't access the Web GUI. I can't even ping the interface even though I have received a DHCP IP on it.

  • I'm having this same issue. Suddenly today I can no longer access the Sophos XG web GUI from Safari. I get the "This Connection is Not Private" error. Even if I click the "visit this website" link to bypass the warning, it simply goes back to the same "This Connection is Not Private" error. When I click "view the certificate", it's showing the same one it always has which is manually set to trusted by me (SophosApplianceCertificate).

    I haven't updated my computer or Sophos XG, so I'm not sure why this suddenly started occurring. I was able to access the page last night without any issues. I can, however, access the web GUI using Chrome although I still get a warning page.

     

    Edit: Apparently this is only on my iMac. I am able to access the web GUI just fine with my MacBook Air. I tried deleting and reimporting the Sophos certificate on my iMac but still the same issue. Both the iMac and MacBook Air have the same exact Sophos certificate, so I'm not sure what's going on.

    Edit 2: Turns out it was Sophos Home (antivirus) that was causing the issue. I recently installed Sophos Home on my computers and forgot I had to add the IP address for the Sophos XG web GUI to the Sophos Home exceptions list. I only added it to my MacBook Air and not my iMac but after adding it to my iMac, everything works fine. The weird part is prior to doing this, Safari would show a valid certificate that is marked as 'Trusted' but still keep redirecting me back to the "This Connection is Not Private" page. Every time I would click "visit this website", it would prompt me to enter my keychain password and the process would just repeat. Each time I was doing that, it was adding another Sophos certificate to my keychain but still not letting me access the Sophos XG web GUI. Gotta love when products from the same company aren't working together. ;)

  • I have been able to find out the culprit for me.

    It was the web filtering protection of Sophos Home antivirus that is only efficient with Safari. Firefox & Google Chrome aren't affected.

    If you don't have any security software, you could try to remove the Sophos UTM/XG certificate from the keychain and try to add it back.

    Hope it could help.

    Stephane 

  • Dear Stephane

    Thank you very much for sharing this. I just added the IP as an exception in Sophos Home Web Protection and it works.

    Regards, Patric
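
An added example, not part of the original thread: for the first post's question about SHA-1 fingerprints and the hostname mismatch, this script reads three separate properties from a certificate. The fingerprints a certificate viewer lists are digests the viewer computes over the certificate, the signature algorithm is stored inside the certificate, and the name check compares the address typed in the browser against the certificate's names. It assumes the OpenSSL 1.1.1 or later command-line tool; the host name `xg.example`, the address `192.0.2.1` and the throwaway certificate are constructed.

```shell
#!/bin/sh
# Added example: inspect a web-admin certificate offline.
# xg.example, 192.0.2.1 and all file paths are constructed sample values.

# Create a throwaway self-signed certificate standing in for the appliance one.
make_sample_cert() {  # $1 = output directory
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=xg.example" \
        -addext "subjectAltName=DNS:xg.example,IP:192.0.2.1" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Signature algorithm recorded inside the certificate by its issuer.
sig_alg() {  # $1 = certificate file
    openssl x509 -in "$1" -noout -text |
        awk -F': ' '/Signature Algorithm/ {print $2; exit}'
}

# Fingerprint: a digest computed on demand over the certificate bytes.
# Any hash can be requested for the same, unchanged certificate.
fingerprint() {  # $1 = certificate file, $2 = sha1 or sha256
    openssl x509 -in "$1" -noout -fingerprint "-$2" | cut -d= -f2
}

# Does the certificate cover the host name or IPv4 address used in the URL?
covers() {  # $1 = certificate file, $2 = host name or IPv4 address
    case "$2" in
        *[!0-9.]*) opt=-checkhost ;;   # contains non-digit: treat as a name
        *)         opt=-checkip ;;     # digits and dots only: treat as IPv4
    esac
    openssl x509 -in "$1" -noout "$opt" "$2" | grep -q 'does match'
}

# Demo run on the constructed certificate.
tmp=$(mktemp -d) && make_sample_cert "$tmp"
echo "signature algorithm: $(sig_alg "$tmp/cert.pem")"
echo "SHA-1 fingerprint:   $(fingerprint "$tmp/cert.pem" sha1)"
echo "SHA-256 fingerprint: $(fingerprint "$tmp/cert.pem" sha256)"
for target in xg.example 192.0.2.1 other.example; do
    if covers "$tmp/cert.pem" "$target"; then
        echo "$target: covered by certificate"
    else
        echo "$target: NOT covered (browser reports a name mismatch)"
    fi
done
rm -rf "$tmp"
```

To run the same checks against an exported appliance certificate, pass its PEM file to `sig_alg`, `fingerprint` and `covers` instead of the sample.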